Wilhelm Schuster <wilhelm@...> writes:
>
> Hi,
>
> I'm trying to replace dkimproxy with dkim-signer from opensmtpd-extras
> (mainly to get rid of perl), however I'm having some trouble.
>
> My dkimproxy setup basically is the same as is described in
> smtpd.conf(5), that means all mail from local is sent to port 10027,
> signed by dkimproxy, relayed to port 10028, tagged as DKIM, and finally
> relayed by smtpd.
>
> My dkimproxy_out.conf:
>
> listen 127.0.0.1:10027
> relay 127.0.0.1:10028
> domain wilhelm.re
> signature dkim(c=relaxed)
> keyfile /etc/ssl/private/dkim1.key
> selector dkim1
>
> Switching to filter-dkim-signer, here's an excerpt from my smtpd.conf:
>
> filter sign dkim-signer "-dwilhelm.re" "-sdkim1"
> "-p/etc/ssl/private/dkim1.key"
> listen on ens3 port submission tls-require pki wilhelm.re hostname
> wilhelm.re auth mask-source filter sign
>
> The key I'm using is RSA 2048-bit and is the same for both setups.
>
> Now, when I'm trying to send mail through opensmtpd using
> filter-dkim-signer, the filter exits with:
>
> fatal: dkim_signer: on_eom: RSA_sign
>
> Looking at the source, this message is generated by the following code,
> unfortunately, I'm unfamiliar with the OpenSSL API, and I'm not sure why
> exactly it fails.
>
> if (RSA_sign(NID_sha256, s->hdr_hash, sizeof(s->hdr_hash),
>     rsa_sig, &rsa_sig_len, rsa) == 0)
>         fatalx("dkim_signer: on_eom: RSA_sign");
>
> What could be the problem here?
>
> Cheers, Wilhelm Schuster.
>
Hi,
I just encountered the same error.
After investigating a bit, I found that the actual OpenSSL error
was "PRNG not seeded". It's because the OpenSMTPD filters are run
individually in a chroot, and if the OpenSSL PRNG is not seeded before
chrooting, '/dev/urandom' does not exist in the chroot and seeding fails
for this reason.
Here's a hack for OpenSMTPD-extras I wrote in order to force OpenSSL
PRNG seeding before the chroot. This fixed the problem on my side.
diff --git a/api/filter_api.c b/api/filter_api.c
index d1aa5a2..7e29a58 100644
--- a/api/filter_api.c
+++ b/api/filter_api.c
@@ -34,6 +34,7 @@
#include <string.h>
#include <unistd.h>
#include <grp.h>
+#include <openssl/rand.h>
#include "smtpd-defines.h"
#include "smtpd-api.h"
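Review bot: the new `#include <openssl/rand.h>` makes the shared api/filter_api.c depend on libcrypto for every filter built on the filter API, not only dkim-signer; make sure the api build links against libcrypto, and consider a short comment next to the include saying why the generic filter API now touches OpenSSL at all.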
@@ -934,6 +935,8 @@ filter_api_loop(void)
mproc_enable(&fi.p);
if (fi.rootpath) {
+ RAND_status();
+
if (chroot(fi.rootpath) == -1) {
log_warn("warn: filter-api:%s chroot", filter_name);
fatalx("filter-api: exiting");
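Review bot: the return value of `RAND_status()` is discarded, so if seeding does not succeed the chroot(2) still goes ahead and the filter fails later inside the chroot with the same "PRNG not seeded" error; check it before chrooting, for example `if (RAND_status() != 1) fatalx("filter-api: PRNG not seeded");`, and add a comment stating that the call is there only for its side effect of seeding the PRNG from /dev/urandom while that device is still reachable, because a bare `RAND_status();` reads like a leftover.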
Anyone have an idea what a proper fix for this could be?
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
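The other way to deal with the cause described in the reply (OpenSSL seeding after chroot(2) finds no /dev/urandom) is to populate the filter's chroot with the device; this added check, which is not part of the thread or of OpenSMTPD-extras, verifies that a given chroot directory has a readable character device at dev/urandom. The rootpath passed to it is an assumption and must be replaced with the filter's real chroot.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a chroot directory
# has the /dev/urandom that OpenSSL's PRNG reads when it is seeded
# after chroot(2). Run it against the filter's rootpath (assumed below).

# check_chroot_urandom DIR
#   returns 0 if DIR/dev/urandom is a readable character device,
#           1 if it is missing (OpenSSL will report "PRNG not seeded"
#             when seeding inside the chroot),
#           2 if something that is not a usable device sits at that path.
check_chroot_urandom() {
    root=$1
    dev="$root/dev/urandom"
    if [ ! -e "$dev" ]; then
        printf 'missing: %s (PRNG seeding inside the chroot will fail)\n' "$dev"
        return 1
    fi
    if [ ! -c "$dev" ]; then
        printf 'not a character device: %s\n' "$dev"
        return 2
    fi
    # A regular file or a device with wrong permissions would still fail at
    # read time, so confirm that 16 bytes can actually be read from it.
    if ! dd if="$dev" of=/dev/null bs=16 count=1 2>/dev/null; then
        printf 'unreadable: %s\n' "$dev"
        return 2
    fi
    printf 'ok: %s\n' "$dev"
    return 0
}

# Assumed rootpath; replace with the chroot the filter is started with.
check_chroot_urandom /var/empty
```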