Re: Multi-domain DKIM signature with OpenSMTPd
Le 20/03/2020 à 23:25, Stuart Henderson a écrit : On 2020-03-18, Matthieu wrote: Hi everybody I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ? My first intention is to sign mails from different domains on a single mail server. So the OpenDKIM works with a socket and I don't know how and if it works with the smptd filter. I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify one domaine. Otherwise I'd be looking at the side of dkimproxy if it can do the job or not. Thx for any help. You should be able to do this with rspamd + opensmtpd-filter-rspamd .. Thx Stuart, It solved with dkimproxy finally.
Re: Multi-domain DKIM signature with OpenSMTPd
On 2020-03-18, Matthieu wrote: > Hi everybody > I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it > before ? > My first intention is to sign mails from different domains on a single > mail server. So the > > OpenDKIM works with a socket and I don't know how and if it works with > the smptd filter. > I've seen the «opensmptd-filter-dkimsign» packet, but we can only > specify one domaine. > > Otherwise I'd be looking at the side of dkimproxy if it can do the job > or not. > > Thx for any help. > > You should be able to do this with rspamd + opensmtpd-filter-rspamd ..
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 9:21 PM, Matthieu wrote: > Le 19/03/2020 à 20:46, Martijn van Duren a écrit : >> On 3/19/20 8:24 PM, Matthieu wrote: >>> Thank you for your response. >>> My main reason is that, as a freelancer, I have a professional email >>> that I don't want to mix with my personal email. Moreover, a friend asks >>> me to host his emails and I don't want to mix it up either. >> >> Please be more concise. What do you mean "don't want to mix it up"? >> What would be mixed up? What would be the consequences of that? >> Based on what would it need to be separated? > I don't want the personal or professional domain name to appear in the > other's signature. I understand that nobody is going to look at it and > that it's a bit maniacal, but I find it cleaner. > Knowing that Gmail and others are quite strict about their spam filters, > I don't find it useless. > So basically the warm and fuzzies. :-) No problem, but in that case dkimsign is not for you and dkimproxy might be more suitable.
Re: Multi-domain DKIM signature with OpenSMTPd
Le 19/03/2020 à 20:46, Martijn van Duren a écrit : On 3/19/20 8:24 PM, Matthieu wrote: Thank you for your response. My main reason is that, as a freelancer, I have a professional email that I don't want to mix with my personal email. Moreover, a friend asks me to host his emails and I don't want to mix it up either. Please be more concise. What do you mean "don't want to mix it up"? What would be mixed up? What would be the consequences of that? Based on what would it need to be separated? I don't want the personal or professional domain name to appear in the other's signature. I understand that nobody is going to look at it and that it's a bit maniacal, but I find it cleaner. Knowing that Gmail and others are quite strict about their spam filters, I don't find it useless. And just to be clear, I'm not trying to be a pedantic asshole for its own sake. I honestly don't see where our interpretations diverge. No problem to discuss it. I'm not develloper C, but if I propose a patch for this feature, does it have a possibility to be integrated ? Any patch is welcome if properly motivated. If it's not up to par we can always polish it further. But I'd advise to first come to an understanding on the motivation. My motivations are those set out above. Otherwise I can always fall back on dkimproxy.
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 8:24 PM, Matthieu wrote: > >> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: > >> Could you explain why you (think you) need to have multiple domain >> support? >> You (currently?) can't. If you want multiple conditions on different >> filters you would need to create multiple listening sockets (e.g. >> multiple ips or ports) and apply the correct match-rules based on the >> socket. >> >> martijn@ >> > Thank you for your response. > My main reason is that, as a freelancer, I have a professional email > that I don't want to mix with my personal email. Moreover, a friend asks > me to host his emails and I don't want to mix it up either. Please be more concise. What do you mean "don't want to mix it up"? What would be mixed up? What would be the consequences of that? Based on what would it need to be separated? And just to be clear, I'm not trying to be a pedantic asshole for its own sake. I honestly don't see where our interpretations diverge. > > I'm not develloper C, but if I propose a patch for this feature, does it > have a possibility to be integrated ? > Any patch is welcome if properly motivated. If it's not up to par we can always polish it further. But I'd advise to first come to an understanding on the motivation.
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: Could you explain why you (think you) need to have multiple domain support? You (currently?) can't. If you want multiple conditions on different filters you would need to create multiple listening sockets (e.g. multiple ips or ports) and apply the correct match-rules based on the socket. martijn@ Thank you for your response. My main reason is that, as a freelancer, I have a professional email that I don't want to mix with my personal email. Moreover, a friend asks me to host his emails and I don't want to mix it up either. I'm not develloper C, but if I propose a patch for this feature, does it have a possibility to be integrated ?
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 7:49 PM, Chris Bennett wrote: > On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: >> That's because filter-dkimsign doesn't support multiple domains, and >> unless someone can give me a good reason to do so it probably is going >> to stay that way. >> >> I know that some mail providers add an additional positive score to >> your spam rating if you have DKIM, but I reckon this is BS, because >> DKIM is nothing more than a glorified debugging tool to tell you which >> server butchered the content of your mail if every server in the chain >> adds a DKIM signature. To be precise: it only tells you that a >> particular domain owner (d-option) knows what server(s) a particular key >> (s-option) belongs to, so that if a signature fails it it could only >> have happened before the last server which has a valid signature. >> >> Could you explain why you (think you) need to have multiple domain >> support? >> You (currently?) can't. If you want multiple conditions on different >> filters you would need to create multiple listening sockets (e.g. >> multiple ips or ports) and apply the correct match-rules based on the >> socket. >> >> martijn@ >> > > OK, thanks for clearing that up. I learned a lot using it. I would also > like to use multiple domains, but I don't see any reason to ask you to > do any more work than you want to. > Thanks for your work. I appreciate it. And trying to use multiple > domains was a good lesson in strange results. :-} > > Chris Bennett > I've had multiple people tell me that they want to have multiple domain support, but either they misunderstood the workings of DKIM, or it's a case of "but it gives me the warm and fuzzies". So please, be as clear as you can be on why you want to use it and how you want to use it; and either we can improve your understanding of the spec and your setup (and help people on the list at the same time) or you make a valid case (maybe I did miss something) and I might be motivated to add it. In other words, I'm not definitively saying no, but it will only complicate the code even further with all the additional risks; there must be a damn good reason to go down that path.
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: > That's because filter-dkimsign doesn't support multiple domains, and > unless someone can give me a good reason to do so it probably is going > to stay that way. > > I know that some mail providers add an additional positive score to > your spam rating if you have DKIM, but I reckon this is BS, because > DKIM is nothing more than a glorified debugging tool to tell you which > server butchered the content of your mail if every server in the chain > adds a DKIM signature. To be precise: it only tells you that a > particular domain owner (d-option) knows what server(s) a particular key > (s-option) belongs to, so that if a signature fails it it could only > have happened before the last server which has a valid signature. > > Could you explain why you (think you) need to have multiple domain > support? > You (currently?) can't. If you want multiple conditions on different > filters you would need to create multiple listening sockets (e.g. > multiple ips or ports) and apply the correct match-rules based on the > socket. > > martijn@ > OK, thanks for clearing that up. I learned a lot using it. I would also like to use multiple domains, but I don't see any reason to ask you to do any more work than you want to. Thanks for your work. I appreciate it. And trying to use multiple domains was a good lesson in strange results. :-} Chris Bennett
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 5:06 AM, Graeme Lee wrote: > > > On 19/03/2020 8:45 am, Martijn van Duren wrote: >> On 3/18/20 8:41 PM, Matthieu wrote: >>> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit : On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: > Hi everybody > I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it > before ? > My first intention is to sign mails from different domains on a single > mail > server. So the > > OpenDKIM works with a socket and I don't know how and if it works with the > smptd filter. > I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify > one domaine. > > Otherwise I'd be looking at the side of dkimproxy if it can do the job or > not. > > Thx for any help. > Hi, Theres an example described in the smtpd.conf(5) man page. opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c It's relatively small and also privilege-separated. It has a parameter to set the domain name (-d). In smtpd.conf you can define multiple filters. See also the man page filter-dkimsign(8) for detailed information. I've replaced dkimproxy (Perl-based and complex) with opensmtpd-filter-dkimsign. It works well for my needs. >>> Hi Hiltjo, >>> Currently I already use opensmtpd-filter-dkimsign, but I didn't >>> understand how to use it for multiple domains at once. >>> >>> I've seen the example in the man page : >>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign >>> >>> I thought was to be replaced by only one domain to sign. Is a >>> domain a table like Alias? If so, what is the format of the file? But I >>> doubt it since in the filter code it doesn't look like a list. >>> >>> static char *domain = NULL; >>> […] >>> box 'd': >>> domain = optarg; >>> […] >>> if (!dkim_signature_printf(message, >>> "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1", >>> cryptalg, hashalg, >>> canonheader == CANON_SIMPLE ? "simple": "relaxed." >>> canonbody == CANON_SIMPLE ? "simple": "relaxed." >>> domain, selector)) >>> >>> Finally in the example given in this presentation it is indeed a single >>> domain: >>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf >>> >> That's because filter-dkimsign doesn't support multiple domains, and >> unless someone can give me a good reason to do so it probably is going >> to stay that way. > I'm using dkimproxy for this. I host multiple domain names. dkimproxy > is pretty easy to configure to sign outbound on a per domain basis. > > /etc/dkimproxy_out.conf > listen 127.0.0.1: > relay 127.0.0.1: > sender_map /etc/mail/dkim/sender_map > > /etc/dmail/dkim/sender_map > example.com > dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1) > example.org > dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1) > ... > > I can send the smtpdconf through if you're stuck. > > If the domain being relayed is not in the map, it isn't signed. > dkimproxy is not doing any inbound processing. It would be awesome to > pull this from a pgsql db source, which is how I manage what smtpd can > and cannot relay. > >> >> I know that some mail providers add an additional positive score to >> your spam rating if you have DKIM, but I reckon this is BS, because >> DKIM is nothing more than a glorified debugging tool to tell you which >> server butchered the content of your mail if every server in the chain >> adds a DKIM signature. To be precise: it only tells you that a >> particular domain owner (d-option) knows what server(s) a particular key >> (s-option) belongs to, so that if a signature fails it it could only >> have happened before the last server which has a valid signature. >> >> Could you explain why you (think you) need to have multiple domain >> support? > I own (and manage) multiple domains. Why would I not take advantage of > virtual domains on 1 host? I do to, but as far as I'm aware there's nothing in the spec that states that a mail domain should be signed with a key in its own domain; and I'd to think that I've be pretty thorough while reading it multiple times. If I want I can sign a mail with an @gmail.com sender on it with my personal imperialat.at DKIM key and recipients will properly validate it. So yes, I have multiple virtual hosts and only one key (domain+selector) per server. And if you were to look through your mailbox you'd find multiple vendors who also sign their mail with a different domain in their DKIM signature than is in the domain component of their from header; including office365. > > Graeme > >
Re: Multi-domain DKIM signature with OpenSMTPd
On 19/03/2020 8:45 am, Martijn van Duren wrote: On 3/18/20 8:41 PM, Matthieu wrote: Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit : On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: Hi everybody I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ? My first intention is to sign mails from different domains on a single mail server. So the OpenDKIM works with a socket and I don't know how and if it works with the smptd filter. I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify one domaine. Otherwise I'd be looking at the side of dkimproxy if it can do the job or not. Thx for any help. Hi, Theres an example described in the smtpd.conf(5) man page. opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c It's relatively small and also privilege-separated. It has a parameter to set the domain name (-d). In smtpd.conf you can define multiple filters. See also the man page filter-dkimsign(8) for detailed information. I've replaced dkimproxy (Perl-based and complex) with opensmtpd-filter-dkimsign. It works well for my needs. Hi Hiltjo, Currently I already use opensmtpd-filter-dkimsign, but I didn't understand how to use it for multiple domains at once. I've seen the example in the man page : https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign I thought was to be replaced by only one domain to sign. Is a domain a table like Alias? If so, what is the format of the file? But I doubt it since in the filter code it doesn't look like a list. static char *domain = NULL; […] box 'd': domain = optarg; […] if (!dkim_signature_printf(message, "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1", cryptalg, hashalg, canonheader == CANON_SIMPLE ? "simple": "relaxed." canonbody == CANON_SIMPLE ? "simple": "relaxed." domain, selector)) Finally in the example given in this presentation it is indeed a single domain: https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf That's because filter-dkimsign doesn't support multiple domains, and unless someone can give me a good reason to do so it probably is going to stay that way. I'm using dkimproxy for this. I host multiple domain names. dkimproxy is pretty easy to configure to sign outbound on a per domain basis. /etc/dkimproxy_out.conf listen 127.0.0.1: relay 127.0.0.1: sender_map /etc/mail/dkim/sender_map /etc/dmail/dkim/sender_map example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1) example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1) ... I can send the smtpdconf through if you're stuck. If the domain being relayed is not in the map, it isn't signed. dkimproxy is not doing any inbound processing. It would be awesome to pull this from a pgsql db source, which is how I manage what smtpd can and cannot relay. I know that some mail providers add an additional positive score to your spam rating if you have DKIM, but I reckon this is BS, because DKIM is nothing more than a glorified debugging tool to tell you which server butchered the content of your mail if every server in the chain adds a DKIM signature. To be precise: it only tells you that a particular domain owner (d-option) knows what server(s) a particular key (s-option) belongs to, so that if a signature fails it it could only have happened before the last server which has a valid signature. Could you explain why you (think you) need to have multiple domain support? I own (and manage) multiple domains. Why would I not take advantage of virtual domains on 1 host? Graeme
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/18/20 8:41 PM, Matthieu wrote: > Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit : >> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: >>> Hi everybody >>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ? >>> My first intention is to sign mails from different domains on a single mail >>> server. So the >>> >>> OpenDKIM works with a socket and I don't know how and if it works with the >>> smptd filter. >>> I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify >>> one domaine. >>> >>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or >>> not. >>> >>> Thx for any help. >>> >> >> Hi, >> >> Theres an example described in the smtpd.conf(5) man page. >> >> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign >> >> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c >> It's relatively small and also privilege-separated. >> >> It has a parameter to set the domain name (-d). In smtpd.conf you can define >> multiple filters. See also the man page filter-dkimsign(8) for detailed >> information. >> >> I've replaced dkimproxy (Perl-based and complex) with >> opensmtpd-filter-dkimsign. It works well for my needs. >> > > Hi Hiltjo, > Currently I already use opensmtpd-filter-dkimsign, but I didn't > understand how to use it for multiple domains at once. > > I've seen the example in the man page : > https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign > > I thought was to be replaced by only one domain to sign. Is a > domain a table like Alias? If so, what is the format of the file? But I > doubt it since in the filter code it doesn't look like a list. > > static char *domain = NULL; > […] > box 'd': > domain = optarg; > […] > if (!dkim_signature_printf(message, > "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1", > cryptalg, hashalg, > canonheader == CANON_SIMPLE ? "simple": "relaxed." > canonbody == CANON_SIMPLE ? "simple": "relaxed." > domain, selector)) > > Finally in the example given in this presentation it is indeed a single > domain: > https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf > > That's because filter-dkimsign doesn't support multiple domains, and unless someone can give me a good reason to do so it probably is going to stay that way. I know that some mail providers add an additional positive score to your spam rating if you have DKIM, but I reckon this is BS, because DKIM is nothing more than a glorified debugging tool to tell you which server butchered the content of your mail if every server in the chain adds a DKIM signature. To be precise: it only tells you that a particular domain owner (d-option) knows what server(s) a particular key (s-option) belongs to, so that if a signature fails it it could only have happened before the last server which has a valid signature. Could you explain why you (think you) need to have multiple domain support? > > Besides, I can't find the man page you're talking about: > https://man.openbsd.org/filter-dkimsign man.openbsd.org doesn't contain manpages for packages. But it should be installed with the package (man filter-dkimsign) > > Finally, I understand how to write multiple filters, but not how to > modify the "listen" directive to choose the right filter. > You (currently?) can't. If you want multiple conditions on different filters you would need to create multiple listening sockets (e.g. multiple ips or ports) and apply the correct match-rules based on the socket. martijn@
Re: Multi-domain DKIM signature with OpenSMTPd
Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit : On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: Hi everybody I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ? My first intention is to sign mails from different domains on a single mail server. So the OpenDKIM works with a socket and I don't know how and if it works with the smptd filter. I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify one domaine. Otherwise I'd be looking at the side of dkimproxy if it can do the job or not. Thx for any help. Hi, Theres an example described in the smtpd.conf(5) man page. opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c It's relatively small and also privilege-separated. It has a parameter to set the domain name (-d). In smtpd.conf you can define multiple filters. See also the man page filter-dkimsign(8) for detailed information. I've replaced dkimproxy (Perl-based and complex) with opensmtpd-filter-dkimsign. It works well for my needs. Hi Hiltjo, Currently I already use opensmtpd-filter-dkimsign, but I didn't understand how to use it for multiple domains at once. I've seen the example in the man page : https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign I thought was to be replaced by only one domain to sign. Is a domain a table like Alias? If so, what is the format of the file? But I doubt it since in the filter code it doesn't look like a list. static char *domain = NULL; […] box 'd': domain = optarg; […] if (!dkim_signature_printf(message, "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1", cryptalg, hashalg, canonheader == CANON_SIMPLE ? "simple": "relaxed." canonbody == CANON_SIMPLE ? "simple": "relaxed." domain, selector)) Finally in the example given in this presentation it is indeed a single domain: https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf Besides, I can't find the man page you're talking about: https://man.openbsd.org/filter-dkimsign Finally, I understand how to write multiple filters, but not how to modify the "listen" directive to choose the right filter.
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: > Hi everybody > I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ? > My first intention is to sign mails from different domains on a single mail > server. So the > > OpenDKIM works with a socket and I don't know how and if it works with the > smptd filter. > I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify > one domaine. > > Otherwise I'd be looking at the side of dkimproxy if it can do the job or > not. > > Thx for any help. > Hi, Theres an example described in the smtpd.conf(5) man page. opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c It's relatively small and also privilege-separated. It has a parameter to set the domain name (-d). In smtpd.conf you can define multiple filters. See also the man page filter-dkimsign(8) for detailed information. I've replaced dkimproxy (Perl-based and complex) with opensmtpd-filter-dkimsign. It works well for my needs. -- Kind regards, Hiltjo