On 19/03/2020 8:45 am, Martijn van Duren wrote:
On 3/18/20 8:41 PM, Matthieu wrote:
On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
Hi everybody
I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
My first intention is to sign mails from different domains on a single mail
server. So the

OpenDKIM works with a socket and I don't know how and if it works with the
smtpd filter.
I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
one domain.

Otherwise I'd be looking at the side of dkimproxy if it can do the job or
not.

Thx for any help.

Hi,

There's an example described in the smtpd.conf(5) man page.

opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign

The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
It's relatively small and also privilege-separated.

It has a parameter to set the domain name (-d). In smtpd.conf you can define
multiple filters. See also the man page filter-dkimsign(8) for detailed
information.

I've replaced dkimproxy (Perl-based and complex) with
opensmtpd-filter-dkimsign. It works well for my needs.

Hi Hiltjo,
Currently I already use opensmtpd-filter-dkimsign, but I didn't
understand how to use it for multiple domains at once.

I've seen the example in the man page:
https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign

I thought <domain> was to be replaced by only one domain to sign. Is a
domain a table like Alias? If so, what is the format of the file? But I
doubt it since in the filter code it doesn't look like a list.

static char *domain = NULL;
[…]
case 'd':
      domain = optarg;
[…]
if (!dkim_signature_printf(message,
            "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
            cryptalg, hashalg,
            canonheader == CANON_SIMPLE ? "simple" : "relaxed",
            canonbody == CANON_SIMPLE ? "simple" : "relaxed",
            domain, selector))

Finally in the example given in this presentation it is indeed a single
domain:
https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf

That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.

I'm using dkimproxy for this. I host multiple domain names. dkimproxy is pretty easy to configure to sign outbound on a per domain basis.

/etc/dkimproxy_out.conf
listen 127.0.0.1:<port1>
relay 127.0.0.1:<smtpd port>
sender_map /etc/mail/dkim/sender_map

/etc/mail/dkim/sender_map
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
...<blah blah blah>

I can send the smtpd.conf through if you're stuck.

If the domain being relayed is not in the map, it isn't signed. dkimproxy is not doing any inbound processing.  It would be awesome to pull this from a pgsql db source, which is how I manage what smtpd can and cannot relay.


I know that some mail providers add an additional positive score to
your spam rating if you have DKIM, but I reckon this is BS, because
DKIM is nothing more than a glorified debugging tool to tell you which
server butchered the content of your mail if every server in the chain
adds a DKIM signature. To be precise: it only tells you that a
particular domain owner (d-option) knows what server(s) a particular key
(s-option) belongs to, so that if a signature fails it could only
have happened before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?

I own (and manage) multiple domains. Why would I not take advantage of virtual domains on 1 host?

Graeme
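
Added example (not part of the message above and not dkimproxy's own code): a Python check for a sender_map in the format shown in the post. For a given sender it reports which key, d= and s= would be used and which DNS TXT name must hold the public key, or None when the domain is unmapped and mail leaves unsigned. Assumptions: one dkim(...) entry per line, exact match on the sender's domain, every entry carries its own key, d and s; the function names are hypothetical.

```python
import re

# Constructed sample in the format shown in the post, one entry per line.
SAMPLE_MAP = """\
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
"""

# Only the single "<domain> dkim(k=v,...)" form from the post is handled here.
ENTRY = re.compile(r"^(\S+)\s+dkim\(([^)]*)\)$")
REQUIRED = {"key", "d", "s"}  # policy of this example, not a dkimproxy rule


def parse_sender_map(text):
    """Return {sender_domain: {option: value}}; raise ValueError on bad lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<domain> dkim(k=v,...)'")
        opts = {}
        for pair in m.group(2).split(","):
            name, sep, value = pair.strip().partition("=")
            if not sep or not value:
                raise ValueError(f"line {lineno}: bad option {pair!r}")
            opts[name] = value
        missing = REQUIRED - opts.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing {sorted(missing)}")
        entries[m.group(1).lower()] = opts
    return entries


def signing_plan(entries, sender):
    """Describe how mail from `sender` is signed; None means it is not signed."""
    domain = sender.rsplit("@", 1)[-1].lower()
    opts = entries.get(domain)
    if opts is None:
        return None
    return {
        "key": opts["key"],
        # The verifier fetches the public key from <s>._domainkey.<d> (RFC 6376).
        "dns_txt": f"{opts['s']}._domainkey.{opts['d']}",
        # False flags an entry that signs one domain with another domain's d=.
        "d_matches_sender": opts["d"].lower() == domain,
    }
```
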