Greetings,

I'd like to announce two new filters for OpenSMTPD which are best used
together: auth and sign.

auth is a filter which verifies DKIM, ARC, SPF and iprev. It adds an
Authentication-Results or ARC-Authentication-Results header.

sign is a filter which adds a DKIM or ARC signature, or an ARC seal.

For example, I run this configuration:

  filter "auth" proc-exec "filter-auth"
  listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

  filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
         -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
  filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
         -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

  filter arc_auth proc-exec "filter-auth -A"
  filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
         -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
  filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
         -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

  filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

  listen on egress port submission ... filter sign

Here all incoming messages are authorised by adding Authentication-Results,
and all outgoing messages are:
 - signed with two DKIM signatures for the correct domain (listed in /etc/mail/domains)
 - signed with one ARC signature for domain mx.catap.net
 - sealed with one ARC seal for domain mx.catap.net

Yeah, it is possible to use different selectors for ARC signature and seal,
but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify
and filter-spf, and I also used some pieces from spfwalk.c from OpenSMTPD.

Man pages for both filters are updated.

Thus, the sign filter is a drop-in replacement for filter-dkimsign.

Code available here:
 - https://github.com/catap/opensmtpd-filter-auth
 - https://github.com/catap/opensmtpd-filter-sign

I also attached the ports for OpenBSD which I used to run it.

How stable is it? Well, enough to share and ask for feedback. It may
contain bugs, but it should be fine to use.

The produced signature was tested against gmail, yahoo, icloud.com and dkimpy
and it holds. Anyway, outlook.com fails on the ARC signature with errors 35 or
47 (what does it mean?) and produces an invalid signature as the next in the ARC
chain (tested by dkimpy).

Thus, this email was sent via a server which uses these filters, so the headers
from this email are a good example.

-- 
wbr, Kirill

Attachment: filters.tgz
Description: Binary data
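When a receiver rejects a DKIM or ARC-Message-Signature, the first thing to check is whether the bh= body hash still matches the body as delivered: a mismatch means the body was modified or canonicalized differently in transit, and no amount of key debugging will help. The script below recomputes bh= for every DKIM-Signature and ARC-Message-Signature header of a message, honouring the c=, a= and l= tags each header declares (RFC 6376 simple and relaxed body canonicalization). It is an added example written for this page, not code from filter-sign, filter-auth or dkimpy; the embedded message is constructed (domains and selectors borrowed from the configuration above, addresses at example.com/example.org, and the b= values are placeholders because the script checks only the body hash, not the signature).

```python
import base64
import hashlib
import re
import sys


def _crlf(data: bytes) -> bytes:
    """Normalise line endings to CRLF (a message read from disk may use bare LF)."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: drop trailing empty
    lines and make sure the body ends with CRLF; an empty body becomes CRLF."""
    body = _crlf(body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body:
        return b"\r\n"
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: collapse runs of WSP to
    one SP, strip trailing WSP on each line, drop trailing empty lines; an
    empty body stays empty."""
    lines = []
    for line in _crlf(body).split(b"\r\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, canon: str = "simple", algo: str = "sha256", length=None) -> str:
    """Return the bh= value: base64 of the digest over the canonicalised body,
    truncated to l= bytes when the signature declares a body length limit."""
    canonical = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    if length is not None:
        canonical = canonical[:length]
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (DKIM-Signature, ARC-Message-Signature, ARC-Seal),
    removing folding whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


SIGNATURE_HEADERS = (b"dkim-signature", b"arc-message-signature")


def check_body_hashes(raw_message: bytes) -> list:
    """For every DKIM-Signature and ARC-Message-Signature header, recompute the
    body hash with the c=, a= and l= the header declares and compare to bh=."""
    head, _, body = _crlf(raw_message).partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # undo header folding
    results = []
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() not in SIGNATURE_HEADERS:
            continue
        tags = parse_tags(value.decode("ascii", "replace"))
        c = tags.get("c", "simple/simple")           # header/body canonicalization
        body_canon = c.split("/", 1)[1] if "/" in c else "simple"
        algo = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]  # sha1 or sha256
        length = int(tags["l"]) if "l" in tags else None
        computed = body_hash(body, body_canon, algo, length)
        results.append({
            "header": name.strip().decode(),
            "instance": tags.get("i"),        # ARC instance number, None for DKIM
            "domain": tags.get("d"),
            "selector": tags.get("s"),
            "declared": tags.get("bh"),
            "computed": computed,
            "ok": computed == tags.get("bh"),
        })
    return results


# Constructed sample message (not a captured mail); bh= is filled in from the
# functions above, b= is a placeholder since only the body hash is checked.
SAMPLE_BODY = b"Hello,\r\n\r\nThese filters sign outgoing mail.   \r\n\r\n\r\n"
SAMPLE_MESSAGE = (
    b"DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=catap.net;\r\n"
    b"\ts=20240125ed25519; h=from:to:subject:date;\r\n"
    b"\tbh=" + body_hash(SAMPLE_BODY, "relaxed").encode() + b";\r\n"
    b"\tb=PLACEHOLDER+NOT+A+REAL+SIGNATURE=\r\n"
    b"ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/simple; d=mx.catap.net;\r\n"
    b"\ts=20240125rsa; h=from:to:subject:date;\r\n"
    b"\tbh=" + body_hash(SAMPLE_BODY, "simple").encode() + b";\r\n"
    b"\tb=PLACEHOLDER+NOT+A+REAL+SIGNATURE=\r\n"
    b"From: sender@example.com\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: filter-sign test\r\n"
    b"\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MESSAGE
    for r in check_body_hashes(data):
        print(f'{r["header"]} d={r["domain"]} s={r["selector"]} i={r["instance"]} '
              f'body-hash {"ok" if r["ok"] else "MISMATCH"}')
```

Run it on a saved copy of a message (`python3 bodyhash.py message.eml`); with no argument it checks the constructed sample. A signature whose bh= matches but whose b= still fails at the receiver points at the header side (h= list, header canonicalization, or the published key), which is the next thing to compare against dkimpy's output.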
