Re: Adrift with DKIM Signing on FreeBSD

2020-07-24 Thread Andi Vajda


On Thu, 23 Jul 2020, Sam Vaughan wrote:

I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a long 
time now but have recently come unstuck with DKIM signing on FreeBSD.  I 
started out using dkimproxy successfully, then “filter dkim-sign” came 
along and it was even better.  But as of OpenSMTPd 6.6, the 
opensmtpd-extras dkim filter has been deleted and its FreeBSD port has 
gone too.


I'm running a local build of opensmtpd 6.7.1p1 on netbsd 9.0 (the netbsd 
pkgsrc port is very much out of date). For dkim signing, I use proxsmtpd and 
dkimsign, both built from pkgsrc, and messages I want dkim-signed are sent 
through proxsmtpd before being relayed by opensmtpd. Proxsmtpd is set up to 
listen on port 10028 and opensmtpd listens to it on port 10029. Relevant 
excerpts from my smtpd.conf:

  
  listen on lo0 inet4 port 10029 mask-src tag "dkim"
  
  action _dkim relay host smtp://127.0.0.1:10028
  action _relay relay
  
  match from any auth tag "submit" for any action _dkim
  match from local tag "dkim" for any action _relay
  

proxsmtpd.conf's FilterCommand:
  /usr/pkg/bin/dkimsign dkim example.com /etc/mail/dkim.key

This has been working fine ever since I set it up.
I hope this helps!

Andi..



Word on the street seemed to be to use rspamd for DKIM signing, but that's a hell of 
a big hammer.  Resigned to my fate, I set up rspamd on FreeBSD 12.1 and got it 
working with a few test messages.  But I then found that the system’s automated 
nightly emails were all coming up “dkim=fail”.  No matter what I tried, I 
couldn’t replicate it manually - sending as root, sending to the same gmail group, 
whatever.  All my test messages would still come up “dkim=pass”.

Before I got to the bottom of that issue, a bigger one showed up.  A recent 
minor pkg upgrade seems to have caused rspamd to regularly crash with

glib; rspamd_glib_printerr_function: **
ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text:
 assertion failed: (U_SUCCESS (uc_err))

I’ve had no luck finding a fix for that yet, but I feel like I’m at a 
crossroads.  I understand that with their limited time, the OpenSMTPd 
developers decided to leave as much as possible to rspamd, but what a shame 
DKIM signing is in that category too.  Does anyone really consider DKIM signing 
an optional feature any more?

I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter, but 
there's no port of it on FreeBSD and my initial efforts to create one showed 
that it’s not a job for a first-time porter.  So I now don’t know whether to 
try looking into milter support for OpenDKIM, or revert back to dkimproxy, or 
maybe even compile and run an old OpenSMTPd version like the 6.1 port which 
works flawlessly on FreeBSD 11.3.

It seems weird to me that so few OpenSMTPd users seem to have been affected by 
this change.  A lot of you must be on platforms other than OpenBSD.  Perhaps 
I’m unusual in wanting to only do outbound?  Of course rspamd is just part of 
the deal for inbound.  Maybe outbound-only people are relaying straight to 
Mailgun so they don’t need to worry about SPF/DKIM/DMARC?  It is tempting.

Cheers,

Sam
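
A quick way to confirm that mail leaving a signing loop like the one in Andi's reply actually went through the signing hop is to inspect the DKIM-Signature header of a delivered copy. The script below is an added example, not code from either poster or from OpenSMTPD: it only checks header structure (the tags RFC 6376 makes mandatory, that From is in h=, that d= is the expected domain) and does no cryptographic verification. The sample message, its selector and its hash values are constructed placeholders.

```python
import email
import re

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}  # mandatory tags per RFC 6376

# Constructed sample of a message after the signing hop (placeholder values).
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r
\ts=dkim; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r
\tb=PLACEHOLDER\r
\t SIGNATURE==\r
From: root@example.com\r
To: postmaster@example.net\r
Subject: nightly run output\r
Date: Fri, 24 Jul 2020 03:01:00 +0000\r
\r
body\r
"""

def dkim_tags(raw):
    """Return one {tag: value} dict per DKIM-Signature header in the message."""
    msg = email.message_from_bytes(raw)
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        # Folding whitespace carries no meaning in these tags, so drop it all.
        flat = re.sub(r"\s+", "", str(value))
        # Split each tag on the first "=" only; base64 values end in "=" padding.
        sigs.append(dict(t.partition("=")[::2] for t in flat.split(";") if t))
    return sigs

def check_signing(raw, domain):
    """Return a list of problems; an empty list means the header looks sane."""
    sigs = dkim_tags(raw)
    if not sigs:
        return ["no DKIM-Signature header: message did not pass the signing hop"]
    problems = []
    for tags in sigs:
        missing = sorted(REQUIRED.difference(tags))
        if missing:
            problems.append("missing required tags: " + ",".join(missing))
        if "from" not in tags.get("h", "").lower().split(":"):
            problems.append("From is not listed in h=, so it is not signed")
        if tags.get("d", "").lower() != domain.lower():
            problems.append("d=%s does not match %s" % (tags.get("d"), domain))
    return problems

if __name__ == "__main__":
    print(check_signing(SAMPLE, "example.com") or "signature header looks sane")
```

Run it against the raw source of a received message; a clean result here says the message was signed for the right domain, not that the signature verifies.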


Re: Adrift with DKIM Signing on FreeBSD

2020-07-24 Thread William Carson



> On Jul 22, 2020, at 9:43 PM, Sam Vaughan wrote:
> 
> I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter, but 
> there's no port of it on FreeBSD and my initial efforts to create one showed 
> that it’s not a job for a first-time porter.  So I now don’t know whether to 
> try looking into milter support for OpenDKIM, or revert back to dkimproxy, or 
> maybe even compile and run an old OpenSMTPd version like the 6.1 port which 
> works flawlessly on FreeBSD 11.3.

I use mail/dkimproxy on FreeBSD and it works great. I followed the config 
template on 
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/ and it 
was very simple and straightforward. 

> It seems weird to me that so few OpenSMTPd users seem to have been affected 
> by this change.  A lot of you must be on platforms other than OpenBSD.  
> Perhaps I’m unusual in wanting to only do outbound?  Of course rspamd is just 
> part of the deal for inbound.  Maybe outbound-only people are relaying 
> straight to Mailgun so they don’t need to worry about SPF/DKIM/DMARC?  It is 
> tempting.
> 
> Cheers,
> 
> Sam