Adrift with DKIM Signing on FreeBSD

2020-07-22 Thread Sam Vaughan
Hi all,

I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a long time 
now but have recently come unstuck with DKIM signing on FreeBSD.  I started out 
using dkimproxy successfully, then “filter dkim-sign” came along and it was 
even better.  But as of OpenSMTPd 6.6, the opensmtpd-extras dkim filter has 
been deleted and its FreeBSD port has gone too.

Word on the street seemed to be to use rspamd for DKIM signing, but that's a 
hell of a big hammer.  Resigned to my fate, I set up rspamd on FreeBSD 12.1 and 
got it working with a few test messages.  But I then found that the system’s 
automated nightly emails were all coming up “dkim=fail”.  No matter what I 
tried, I couldn’t replicate it manually - sending as root, sending to the same 
gmail group, whatever.  All my test messages would still come up “dkim=pass”.

Before I got to the bottom of that issue, a bigger one showed up.  A recent 
minor pkg upgrade seems to have caused rspamd to regularly crash with

glib; rspamd_glib_printerr_function: **
ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text: assertion failed: (U_SUCCESS (uc_err))

I’ve had no luck finding a fix for that yet, but I feel like I’m at a 
crossroads.  I understand that with their limited time, the OpenSMTPd 
developers decided to leave as much as possible to rspamd, but what a shame 
DKIM signing is in that category too.  Does anyone really consider DKIM signing 
an optional feature any more?

I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter, but 
there's no port of it on FreeBSD and my initial efforts to create one showed 
that it’s not a job for a first-time porter.  So I now don’t know whether to 
try looking into milter support for OpenDKIM, or revert back to dkimproxy, or 
maybe even compile and run an old OpenSMTPd version like the 6.1 port which 
works flawlessly on FreeBSD 11.3.

It seems weird to me that so few OpenSMTPd users seem to have been affected by 
this change.  A lot of you must be on platforms other than OpenBSD.  Perhaps 
I’m unusual in wanting to only do outbound?  Of course rspamd is just part of 
the deal for inbound.  Maybe outbound-only people are relaying straight to 
Mailgun so they don’t need to worry about SPF/DKIM/DMARC?  It is tempting.

Cheers,

Sam


Re: smtp-out: Address family mismatch

2020-07-22 Thread Thomas Bohl

> Currently I have 100+ EMails queued with "Network error on
> destination MX". This is a severe regression since OpenBSD
> 6.6.
>
> Every insightful comment is highly appreciated

Please show your complete config file. Maybe it has an error.

> My current (new-style) smtpd.conf has a line
>
>  action "relay_external" relay src 192.168.1.1 helo "mail.example.com"

Does your original config have a private IP-address too? Maybe you are
behind a janky NAT router?




Re: opensmtpd appears to be IPv4-only

2020-07-22 Thread Slavik Svyrydiuk
I do not have any issues with IPv6.
It works for me.

Ubuntu
==
opensmtpd 6.0.3p1-1ubuntu0.2

smtpd.conf lines:
listen on 0.0.0.0 port 25
listen on ::0 port 25

$ netstat -lnt | grep ':25'
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN


OpenBSD
===
version: OpenSMTPD 6.7.0

smtpd.conf lines:
listen on all tls pki example.pki


On Wed, 22 Jul 2020 16:34:25 +0200
Harald Dunkel wrote:

> Hi folks,
> 
> I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on
> Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot.
> 
> My smtpd.conf says
> 
> :
> xname = "mailhost.example.com"
> pki $xname cert   "/etc/mail/ssl/mailhost.example.com.cert"
> pki $xname key    "/etc/mail/ssl/mailhost.example.com.key"
> 
> listen on lo      tls pki $xname
> listen on eth0    tls pki $xname
> :
> 
> lsof -p shows that smtpd is listening only on the IPv4 address on
> eth0. The IPv6 addresses bound to eth0 (link-local and global) are
> ignored.
> 
> If I *restart* smtpd, then it is listening on IPv6 as well, up to
> the next prefix change propagated via router advertisement. The
> IPv6 address with the new prefix is ignored. When the old prefix
> expires, then opensmtpd is back to IPv4-only. I have to restart
> it again.
> 
> Can anybody reproduce this?
> 
> 
> Every helpful comment is highly appreciated.
> 
> Regards
> Harri
> 


-- 
with best regards,
Slavik Svyrydiuk



Re: opensmtpd appears to be IPv4-only

2020-07-22 Thread epektasis
On Wed, Jul 22, 2020 at 04:34:25PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on
> Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot.
> 
> My smtpd.conf says
> 
> :
> xname = "mailhost.example.com"
> pki $xname cert   "/etc/mail/ssl/mailhost.example.com.cert"
> pki $xname key    "/etc/mail/ssl/mailhost.example.com.key"
> 
> listen on lo      tls pki $xname
> listen on eth0    tls pki $xname
> :
> 
> lsof -p shows that smtpd is listening only on the IPv4 address on
> eth0. The IPv6 addresses bound to eth0 (link-local and global) are
> ignored.
> 
> If I *restart* smtpd, then it is listening on IPv6 as well, up to
> the next prefix change propagated via router advertisement. The
> IPv6 address with the new prefix is ignored. When the old prefix
> expires, then opensmtpd is back to IPv4-only. I have to restart
> it again.
> 
> Can anybody reproduce this?
> 
> 
> Every helpful comment is highly appreciated.
> 
> Regards
> Harri
> 
> 
This is probably a useless comment, but check your ipv6 setting in /etc/hosts.
Not having ipv6 available, I cannot attempt to reproduce your situation.  But
I recall previously that opensmtpd erred when /etc/hosts had generic debian
ipv6 addresses and I lacked such addresses; pounding those out cleared the
problem for me.  Definitely a long shot for a possible obverse setting but
it's something to check.
ep.




opensmtpd appears to be IPv4-only

2020-07-22 Thread Harald Dunkel

Hi folks,

I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on
Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot.

My smtpd.conf says

:
xname = "mailhost.example.com"
pki $xname cert "/etc/mail/ssl/mailhost.example.com.cert"
pki $xname key  "/etc/mail/ssl/mailhost.example.com.key"

listen on lo    tls pki $xname
listen on eth0  tls pki $xname
:

lsof -p shows that smtpd is listening only on the IPv4 address on
eth0. The IPv6 addresses bound to eth0 (link-local and global) are
ignored.

If I *restart* smtpd, then it is listening on IPv6 as well, up to
the next prefix change propagated via router advertisement. The
IPv6 address with the new prefix is ignored. When the old prefix
expires, then opensmtpd is back to IPv4-only. I have to restart
it again.

Can anybody reproduce this?


Every helpful comment is highly appreciated.

Regards
Harri
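
A check for the symptom reported in this message, as an added example that is not part of the original post or of OpenSMTPD: it compares the addresses on an interface with the sockets listening on port 25 and reports addresses that nothing serves. The sample `ip -o addr show dev eth0` and `ss -Hlnt` output is constructed (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed `ip -o addr show dev eth0` output after a prefix change (old: 2001:db8:1::/64).
IP_ADDR_SAMPLE = """\
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 2001:db8:2::10/64 scope global dynamic
2: eth0    inet6 2001:db8:1::10/64 scope global deprecated dynamic
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
# Constructed `ss -Hlnt` output: sockets opened before the prefix change.
SS_SAMPLE = """\
LISTEN 0 128 192.0.2.10:25 0.0.0.0:*
LISTEN 0 128 [2001:db8:1::10]:25 [::]:*
LISTEN 0 128 [fe80::5054:ff:fe12:3456]%eth0:25 [::]:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
"""

def interface_addrs(ip_output):
    """Addresses assigned to the interface, from `ip -o addr` lines."""
    addrs = set()
    for line in ip_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] in ("inet", "inet6"):
            addrs.add(ipaddress.ip_address(f[3].split("/")[0]))
    return addrs

def listening_addrs(ss_output, port=25):
    """Return (specific addresses, address families with a wildcard listener)."""
    specific, wildcard = set(), set()
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "LISTEN":
            continue
        host, _, lport = f[3].rpartition(":")
        if lport != str(port):
            continue
        host = host.split("%")[0].strip("[]")  # drop %scope and brackets
        if host == "*":
            wildcard.update({4, 6})
        elif ipaddress.ip_address(host).is_unspecified:
            wildcard.add(ipaddress.ip_address(host).version)  # 0.0.0.0 or ::
        else:
            specific.add(ipaddress.ip_address(host))
    return specific, wildcard

def unserved(ip_output, ss_output, port=25):
    """Interface addresses that no listener on `port` covers."""
    specific, wildcard = listening_addrs(ss_output, port)
    return sorted(str(a) for a in interface_addrs(ip_output)
                  if a not in specific and a.version not in wildcard)
```

On the constructed sample, `unserved(IP_ADDR_SAMPLE, SS_SAMPLE)` reports only the address from the new prefix, which matches the state described above between a prefix change and the next restart.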