Hi, all!
Thanks for the great work with OpenSMTPD - I've been using it for a
while to handle my personal email and I can't be more satisfied with it.
What I'm about to describe is by no means urgent or problematic, but
more of a question to satisfy my curiosity - so stop reading if you're
in a hurry.
I basically have 2 hosts to handle my personal email:
mail: backup server in MX, relays locally generated email to primary
server (mail2 below), sits "near" Dovecot to handle local delivery.
mail2: primary server in MX, receives world emails, relays to backup
(mail) for local delivery.
After yet more anti-spam features (DMARC, DKIM, TLSSMTP, rspamd), I came
across a workflow that triggers a DSN without a DKIM signature,
resulting in spam in the recipient's mailbox.
The normal workflow works flawlessly: if I create an email locally and
that email isn't deliverable, I get a properly signed DSN from my
primary (mail2) server. However, if my backup (mail) server is down and
I send myself an email from a test account, said email will get queued
up in my primary (mail2) server. After a while, mail2 will generate a
DSN for that test account advising a delay, except that this time the
message will be marked as spam since it won't have a DKIM signature and
will fail the DMARC test - or so the test account provider claims. For
what it's worth, the DKIM signature isn't there.
I have implemented DKIM signing with rspamd, roughly in this way:
---smtpd.conf excerpt---
filter "rspamd" proc-exec "filter-rspamd"
listen on $ext_if tls pki <...> filter { "rdns", "fcrdns", "rspamd" }
listen on $ext_if smtps pki <...> auth <s...> filter { "rspamd" }
listen on $ext_if port submission tls-require pki <...> auth filter { "rspamd" }
---
The above is done in both the primary and backup (mail2, mail) servers.
This behaviour is the same if I try to email a non-existent account in
my local domain - a delivery failure will be sent, albeit not DKIM
signed, thus considered to be spam by the sender.
I could, of course, relax my DMARC policies, but I'm wondering whether I
could just sign those DSNs somehow. Additionally, I tried to add
"no-dsn" to the 3 "listen" lines above, without any change in behaviour
- this wouldn't be my preferred approach though.
The relevant rules in the primary (mail2) server are:
---smtpd.conf excerpt---
action "local" maildir alias <aliases>
# Local users only
action "relay" relay srs
# Outgoing email
action "relay-backup" relay host smtps://<...> auth <s...> srs
---
If I'm doing/assuming anything wrongly, please shout; otherwise I would
appreciate it if anybody has a clue as to why those DSNs don't get signed.
Thanks!
Gabriel
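The symptom Gabriel describes, a DSN that carries no DKIM-Signature and therefore fails the recipient's DMARC check, can be reproduced on the receiving side with a few lines of standard-library Python. The following is an added example, not code from the original post, from OpenSMTPD or from rspamd: it performs the DKIM leg of a DMARC evaluation (is a DKIM-Signature header present, and does its d= domain align with the RFC5322.From domain, strictly or relaxed) on three constructed messages. The hostnames mail2.example.org and example.org are assumptions, the bh=/b= tags are dummies that would not verify cryptographically (no signature verification is attempted), and the organizational-domain shortcut is an approximation of what a real verifier does with the Public Suffix List. DMARC also passes on aligned SPF, which this check does not model.

```python
"""DKIM-presence and DMARC-alignment check for a raw RFC 5322 message.

Illustrative example using only the Python standard library.  It answers
the two questions a receiving DMARC verifier asks on the DKIM leg:
  1. Is there a DKIM-Signature header at all?
  2. Does its d= domain align with the RFC5322.From domain?
It does NOT verify the signature cryptographically.
"""
from email import message_from_string
from email.utils import parseaddr


def _org_domain(domain):
    # Approximation of the "organizational domain" used for relaxed
    # alignment: the last two labels.  Real verifiers consult the Public
    # Suffix List; this shortcut is an assumption of the example.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_tags(header_value):
    # Parse "tag=value; tag=value" into a dict, dropping header folding
    # whitespace inside values (DKIM-Signature is usually folded).
    tags = {}
    flat = header_value.replace("\r\n", "").replace("\n", "")
    for part in flat.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())
    return tags


def dmarc_dkim_alignment(raw):
    """Return (verdict, reason); verdict is 'pass' or 'fail'."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    if not from_domain:
        return ("fail", "no RFC5322.From domain")
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        # This is the case of the unsigned DSN: DMARC has nothing to align.
        return ("fail", "no DKIM-Signature header")
    for sig in sigs:
        d = dkim_tags(sig).get("d", "").lower()
        if d == from_domain:
            return ("pass", "strict alignment: d=%s" % d)
        if d and _org_domain(d) == _org_domain(from_domain):
            return ("pass", "relaxed alignment: d=%s" % d)
    return ("fail", "DKIM-Signature present but d= does not align with %s"
            % from_domain)


# Constructed sample messages (hostnames assumed; signature values are dummies).
UNSIGNED_DSN = """From: Mail Delivery Subsystem <MAILER-DAEMON@mail2.example.org>
To: gabriel@example.org
Subject: Delivery status notification (delay)
Auto-Submitted: auto-replied

Your message has not yet been delivered; delivery will be retried.
"""

SIGNED_DSN = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=mail2; h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=
From: Mail Delivery Subsystem <MAILER-DAEMON@mail2.example.org>
To: gabriel@example.org
Subject: Delivery status notification (delay)
Auto-Submitted: auto-replied

Your message has not yet been delivered; delivery will be retried.
"""

MISALIGNED_DSN = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=other-provider.net; s=x; h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=
From: Mail Delivery Subsystem <MAILER-DAEMON@mail2.example.org>
To: gabriel@example.org
Subject: Delivery status notification (delay)

Your message has not yet been delivered; delivery will be retried.
"""


if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED_DSN), ("signed", SIGNED_DSN),
                      ("misaligned", MISALIGNED_DSN)):
        print(name, dmarc_dkim_alignment(raw))
```

Run against a real bounce captured from the primary server (for example by sending to an invalid local address and saving what arrives at the test account), the first branch is the one that fires; a signature with d= set to the domain used in the From header, or to its organizational domain under relaxed alignment, is what the recipient's verifier needs to see before it will let DMARC pass on the DKIM leg.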