On 3/19/20 5:06 AM, Graeme Lee wrote:
> 
> 
> On 19/03/2020 8:45 am, Martijn van Duren wrote:
>> On 3/18/20 8:41 PM, Matthieu wrote:
>>> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>>> Hi everybody
>>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it
>>>>> before?
>>>>> My first intention is to sign mails from different domains on a single
>>>>> mail server. So the
>>>>>
>>>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>>>> smtpd filter.
>>>>> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
>>>>> one domain.
>>>>>
>>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>>>> not.
>>>>>
>>>>> Thx for any help.
>>>>>
>>>> Hi,
>>>>
>>>> There's an example described in the smtpd.conf(5) man page.
>>>>
>>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>>>
>>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>>> It's relatively small and also privilege-separated.
>>>>
>>>> It has a parameter to set the domain name (-d). In smtpd.conf you can 
>>>> define
>>>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>>>> information.
>>>>
>>>> I've replaced dkimproxy (Perl-based and complex) with
>>>> opensmtpd-filter-dkimsign. It works well for my needs.
>>>>
>>> Hi Hiltjo,
>>> Currently I already use opensmtpd-filter-dkimsign, but I didn't
>>> understand how to use it for multiple domains at once.
>>>
>>> I've seen the example in the man page:
>>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>>
>>> I thought <domain> was to be replaced by only one domain to sign. Is a
>>> domain a table like Alias? If so, what is the format of the file? But I
>>> doubt it since in the filter code it doesn't look like a list.
>>>
>>> static char *domain = NULL;
>>> […]
>>> case 'd':
>>>       domain = optarg;
>>> […]
>>> if (!dkim_signature_printf(message,
>>>         "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>>>         cryptalg, hashalg,
>>>         canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>>>         canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>>>         domain, selector))
>>>
>>> Finally in the example given in this presentation it is indeed a single
>>> domain:
>>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>>>
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
> I'm using dkimproxy for this.  I host multiple domain names. dkimproxy 
> is pretty easy to configure to sign outbound on a per domain basis.
> 
> /etc/dkimproxy_out.conf
> listen 127.0.0.1:<port1>
> relay 127.0.0.1:<smtpd port>
> sender_map /etc/mail/dkim/sender_map
> 
> /etc/mail/dkim/sender_map
> example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
> example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
> ...<blah blah blah>
> 
> I can send the smtpdconf through if you're stuck.
> 
> If the domain being relayed is not in the map, it isn't signed. 
> dkimproxy is not doing any inbound processing.  It would be awesome to 
> pull this from a pgsql db source, which is how I manage what smtpd can 
> and cannot relay.
> 
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
> I own (and manage) multiple domains.  Why would I not take advantage of 
> virtual domains on 1 host?

I do too, but as far as I'm aware there's nothing in the spec that states
that a mail domain should be signed with a key in its own domain; and
I'd like to think that I've been pretty thorough while reading it multiple
times. If I want I can sign a mail with an @gmail.com sender on it with
my personal imperialat.at DKIM key and recipients will properly validate
it.

So yes, I have multiple virtual hosts and only one key (domain+selector)
per server. And if you were to look through your mailbox you'd find
multiple vendors who also sign their mail with a different domain in
their DKIM signature than is in the domain component of their from
header; including office365.
> 
> Graeme
> 
> 

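An added example, not code from this thread or from dkimproxy: a small Python parser for a sender_map in the format Graeme shows, returning the per-domain dkim() parameters for a given envelope sender and None for a domain not in the map, which (as he notes) dkimproxy relays unsigned. The sample map is constructed, and the accepted c= values are an assumption about what dkimproxy passes through to its signer.

```python
import re

# Constructed sample in the sender_map format quoted in the thread:
# one entry per line, "<sender domain> dkim(key=...,d=...,c=...,s=...)".
SAMPLE_SENDER_MAP = """\
# outbound signing map (constructed example, not a real configuration)
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
"""

ENTRY_RE = re.compile(r"^\s*(?P<domain>[^\s#]+)\s+dkim\((?P<args>[^)]*)\)\s*$")
# Assumption: canonicalization is "simple" or "relaxed", optionally as header/body.
CANON_RE = re.compile(r"^(simple|relaxed)(/(simple|relaxed))?$")


def parse_sender_map(text):
    """Return {sender_domain: {"key": ..., "d": ..., "c": ..., "s": ...}}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"sender_map line {lineno}: cannot parse {line!r}")
        params = {}
        for kv in m.group("args").split(","):
            key, _, value = kv.partition("=")
            params[key.strip()] = value.strip()
        # A signing entry needs at least a private key, a d= domain and a selector.
        missing = [k for k in ("key", "d", "s") if not params.get(k)]
        if missing:
            raise ValueError(f"sender_map line {lineno}: missing {missing}")
        if "c" in params and not CANON_RE.match(params["c"]):
            raise ValueError(f"sender_map line {lineno}: bad c= {params['c']!r}")
        entries[m.group("domain").lower()] = params
    return entries


def signing_params(sender_map, sender):
    """Look up the envelope sender's domain; None means the mail goes out unsigned."""
    _, _, domain = sender.rpartition("@")
    return sender_map.get(domain.lower())
```
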