dkim signing integrated in opensmtpd?
Hi folks,

Would it be possible to *integrate* dkim signatures in opensmtpd?
I saw rspamd, but this is not an option. I am looking for a
lightweight solution for signing EMail headers.

Regards
Harri
Re: dkim signing integrated in opensmtpd?
On Mon, 2021-05-10 at 14:55 +0200, Harald Dunkel wrote:
> Hi folks,
>
> Would it be possible to *integrate* dkim signatures in opensmtpd?
> I saw rspamd, but this is not an option. I am looking for a
> lightweight solution for signing EMail headers.
>
>
> Regards
> Harri
>

There's filter-dkimsign in packages, which is also mentioned in
smtpd.conf. I don't think there's a more lightweight solution
possible.

martijn@
Re: dkim signing integrated in opensmtpd?
On 5/10/21 3:14 PM, Martijn van Duren wrote:
> There's filter-dkimsign in packages, which is also mentioned in
> smtpd.conf. I don't think there's a more lightweight solution
> possible.

I had found your web site https://palant.info/2020/11/09/adding-\
dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
building opensmtpd-filter-dkimsign from "some Dutch web server".
I didn't expect a package.

Actually I am running my major MTA with sendmail, still. The
problem in this configuration is, the opendkim milter is called
before masquerading is done. opendkim signs a header that is
modified by sendmail later. (There are some workarounds, but they
are unreliable.)

Is there a similar pitfall for opensmtpd-filter-dkimsign and
opensmtpd?

Regards
Harri
Re: dkim signing integrated in opensmtpd?
On May 10, 2021 9:35 AM, Harald Dunkel wrote:
> On 5/10/21 3:14 PM, Martijn van Duren wrote:
> > There's filter-dkimsign in packages, which is also mentioned in
> > smtpd.conf. I don't think there's a more lightweight solution
> > possible.
> >
>
> I had found your web site https://palant.info/2020/11/09/adding-\
> dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
> building opensmtpd-filter-dkimsign from "some Dutch web server".
> I didn't expect a package.
>
> Actually I am running my major MTA with sendmail, still. The
> problem in this configuration is, the opendkim milter is called
> before masquerading is done. opendkim signs a header that is
> modified by sendmail later. (There are some workarounds, but they
> are unreliable.)
>
> Is there a similar pitfall for opensmtpd-filter-dkimsign and
> opensmtpd?
>
> Regards
> Harri

I'm not masquerading but I doubt you will have any issues.

Edgar
Re: dkim signing integrated in opensmtpd?
On Mon, 2021-05-10 at 16:35 +0200, Harald Dunkel wrote:
> On 5/10/21 3:14 PM, Martijn van Duren wrote:
> > There's filter-dkimsign in packages, which is also mentioned in
> > smtpd.conf. I don't think there's a more lightweight solution
> > possible.
> >
>
> I had found your web site https://palant.info/2020/11/09/adding-\
> dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
> building opensmtpd-filter-dkimsign from "some Dutch web server".
> I didn't expect a package.

palant.info is not my website, but yes: I'm some Dutch guy doing some
self hosting for some of my code. I don't see the problem in that.
Also, support for multiple domains landed in my repository in
August 2020 and got released in September, so the article was already
outdated when published.

>
> Actually I am running my major MTA with sendmail, still. The
> problem in this configuration is, the opendkim milter is called
> before masquerading is done. opendkim signs a header that is
> modified by sendmail later. (There are some workarounds, but they
> are unreliable.)
>
> Is there a similar pitfall for opensmtpd-filter-dkimsign and
> opensmtpd?

Unfortunately the data goes through the filter before it goes through
the masquerade, so you either need to write a masquerade filter and use
that instead of smtpd's internal masquerade feature and you can put that
filter before the filter-dkimsign via chaining, or you need to reroute
the data over a loopback connection; similar to how dkim signing was
previously suggested:
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/

Personally I'd like to see a more elaborate senders/masquerade
functionality in filters at some point, but I haven't found the time
and proper inspiration to do so myself yet.

If you want to debug your dkim signatures you can add 1 or 2 -z flags to
filter-dkimsign, so that the headers at the time of signing are placed
inside the dkim header.

Hope this helps.

martijn@

>
>
> Regards
> Harri
>
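Added example, not part of the thread and not filter-dkimsign's own code: a small checker for the sign-then-masquerade pitfall discussed above, comparing the header copies recorded at signing time with the headers as delivered. It assumes the copies appear in the RFC 6376 `z=` tag and that headers use relaxed canonicalization; the sample message, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): signed while From was the internal
# host address, then rewritten (masqueraded) by the MTA after the filter ran.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
    "\ts=sel1; h=from:to:subject;\r\n"
    "\tz=From:Harri=20<harri@host1.example.org>|To:list@example.net\r\n"
    "\t|Subject:dkim=20test; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: Harri <harri@example.org>\r\n"
    "To: list@example.net\r\n"
    "Subject: dkim  test\r\n"
    "\r\n"
    "body\r\n"
)

def parse_headers(raw):
    """Map lowercased header name -> unfolded value (assumes one of each)."""
    head = re.sub(r"\r\n(?=[ \t])", "", raw.split("\r\n\r\n", 1)[0])
    return {n.lower(): v for n, v in (l.split(":", 1) for l in head.split("\r\n"))}

def relaxed(value):
    """RFC 6376 relaxed header canonicalization of a header value."""
    return re.sub(r"[ \t]+", " ", value).strip()

def copied_headers(dkim_value):
    """Decode the z= tag: '|'-separated, dkim-quoted-printable 'Name:value'."""
    tags = {k.strip(): v for k, v in
            (t.split("=", 1) for t in dkim_value.split(";") if "=" in t)}
    z = re.sub(r"\s+", "", tags.get("z", ""))  # folding whitespace is ignored
    out = {}
    for item in filter(None, z.split("|")):
        text = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), item)
        name, value = text.split(":", 1)
        out[name.lower()] = value
    return out

def changed_after_signing(raw):
    """Return (name, signed, delivered) for copied headers that no longer match."""
    headers = parse_headers(raw)
    diffs = []
    for name, signed in copied_headers(headers["dkim-signature"]).items():
        delivered = headers.get(name)
        now = None if delivered is None else relaxed(delivered)
        if now != relaxed(signed):
            diffs.append((name, relaxed(signed), now))
    return diffs

if __name__ == "__main__":
    print(changed_after_signing(SAMPLE))
```

In the sample only From is reported: the extra space in Subject is absorbed by relaxed canonicalization, while the rewritten address is a real change that would make the signature fail verification.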