Hi all,

I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a long time 
now but have recently come unstuck with DKIM signing on FreeBSD.  I started out 
using dkimproxy successfully, then “filter dkim-sign” came along and it was 
even better.  But as of OpenSMTPd 6.6, the opensmtpd-extras dkim filter has 
been deleted and its FreeBSD port has gone too.

Word on the street seemed to be to use rspamd for DKIM signing, but that's a 
hell of a big hammer.  Resigned to my fate, I set up rspamd on FreeBSD 12.1 and 
got it working with a few test messages.  But I then found that the system’s 
automated nightly emails were all coming up "dkim=fail”.  No matter what I 
tried, I couldn’t replicate it manually - sending as root, sending to the same 
gmail group, whatever.  All my test messages would still come up “dkim=pass”.

Before I got to the bottom of that issue, a bigger one showed up.  A recent 
minor pkg upgrade seems to have caused rspamd to regularly crash with

glib; rspamd_glib_printerr_function: **
 assertion failed: (U_SUCCESS (uc_err))

I’ve had no luck finding a fix for that yet, but I feel like I’m at a 
crossroads.  I understand that with their limited time, the OpenSMTPd 
developers decided to leave as much as possible to rspamd, but what a shame 
DKIM signing is in that category too.  Does anyone really consider DKIM signing 
an optional feature any more?

I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter, but 
there's no port of it on FreeBSD and my initial efforts to create one showed 
that it’s not a job for a first-time porter.  So I now don’t know whether to 
try looking into milter support for OpenDKIM, or revert back to dkimproxy, or 
maybe even compile and run an old OpenSMTPd version like the 6.1 port which 
works flawlessly on FreeBSD 11.3.

It seems weird to me that so few OpenSMTPd users seem to have been affected by 
this change.  A lot of you must be on platforms other than OpenBSD.  Perhaps 
I’m unusual in wanting to only do outbound?  Of course rspamd is just part of 
the deal for inbound.  Maybe outbound-only people are relaying straight to 
Mailgun so they don’t need to worry about SPF/DKIM/DMARC?  It is tempting.



Reply via email to