Re: dkim signing integrated in opensmtpd?
On Mon, 2021-05-10 at 16:35 +0200, Harald Dunkel wrote:
> On 5/10/21 3:14 PM, Martijn van Duren wrote:
> > There's filter-dkimsign in packages, which is also mentioned in
> > smtpd.conf. I don't think there's a more lightweight solution
> > possible.
> >
>
> I had found your web site https://palant.info/2020/11/09/adding-\
> dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
> building opensmtpd-filter-dkimsign from "some Dutch web server".
> I didn't expect a package.

palant.info is not my website, but yes: I'm some Dutch guy doing some
self hosting for some of my code. I don't see the problem in that.
Also, support for multiple domains landed in my repository in
August 2020 and got released in September, so the article was already
outdated when published.

>
> Actually I am running my major MTA with sendmail, still. The
> problem in this configuration is, the opendkim milter is called
> before masquerading is done. opendkim signs a header that is
> modified by sendmail later. (There are some workarounds, but they
> are unreliable.)
>
> Is there a similar pitfall for opensmtpd-filter-dkimsign and
> opensmtpd?

Unfortunately the data goes through the filter before it goes through
the masquerade, so you either need to write a masquerade filter and use
that instead of smtpd's internal masquerade feature and you can put that
filter before the filter-dkimsign via chaining, or you need to reroute
the data over a loopback connection; similar to how dkim signing was
previously suggested:
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/

Personally I'd like to see a more elaborate senders/masquerade
functionality in filters at some point, but I haven't found the time
and proper inspiration to do so myself yet.

If you want to debug your dkim signatures you can add 1 or 2 -z flags
to filter-dkimsign, so that the headers at the time of signing are
placed inside the dkim header.

Hope this helps.

martijn@

>
>
> Regards
> Harri
>
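The ordering pitfall discussed in the message above, as an added example that is not part of the thread or of filter-dkimsign: it hashes the headers a DKIM signer covers (relaxed canonicalization, RFC 6376 section 3.4.2) and compares that with what a verifier sees after a later From rewrite. The `masquerade` function, the sample headers and the domains are assumptions made for illustration, and the RSA step and the DKIM-Signature header itself are left out.

```python
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_hash(headers, signed_names):
    """SHA-256 over the canonicalized headers named in h=.

    Simplification: a real signer also hashes its own DKIM-Signature header
    (with b= empty) and signs the digest with the private key.
    """
    digest = hashlib.sha256()
    remaining = list(headers)
    for wanted in signed_names:
        # Repeated header names are consumed from the bottom of the block up.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                digest.update(relaxed_header(*remaining.pop(i)).encode())
                break
    return digest.hexdigest()

def masquerade(headers, new_domain):
    """Hypothetical stand-in for a masquerade step: rewrite the From domain."""
    return [(n, re.sub(r"@[\w.-]+", "@" + new_domain, v) if n.lower() == "from" else v)
            for n, v in headers]

# Constructed sample headers (not taken from the thread).
MESSAGE = [
    ("From", "Alice  <alice@host1.internal.example>"),
    ("To", "bob@example.net"),
    ("Subject", "quarterly\r\n  report"),
]
SIGNED = ["from", "to", "subject"]

def verifier_accepts(pipeline):
    """Run the steps in order; compare the hash at signing with the hash on receipt."""
    headers, signed_hash = list(MESSAGE), None
    for step in pipeline:
        if step == "sign":
            signed_hash = signed_header_hash(headers, SIGNED)
        elif step == "masquerade":
            headers = masquerade(headers, "example.org")
    return signed_hash == signed_header_hash(headers, SIGNED)

if __name__ == "__main__":
    print("sign, then masquerade:", verifier_accepts(["sign", "masquerade"]))
    print("masquerade, then sign:", verifier_accepts(["masquerade", "sign"]))
```
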
Re: dkim signing integrated in opensmtpd?
On May 10, 2021 9:35 AM, Harald Dunkel wrote:

On 5/10/21 3:14 PM, Martijn van Duren wrote:
> There's filter-dkimsign in packages, which is also mentioned in
> smtpd.conf. I don't think there's a more lightweight solution
> possible.
>

I had found your web site https://palant.info/2020/11/09/adding-\
dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
building opensmtpd-filter-dkimsign from "some Dutch web server".
I didn't expect a package.

Actually I am running my major MTA with sendmail, still. The
problem in this configuration is, the opendkim milter is called
before masquerading is done. opendkim signs a header that is
modified by sendmail later. (There are some workarounds, but they
are unreliable.)

Is there a similar pitfall for opensmtpd-filter-dkimsign and
opensmtpd?

Regards
Harri

I'm not masquerading but I doubt you will have any issues.

Edgar
Re: smtp cert-check result - no certificate presented
> I can verify the connection using "openssl" as noted by Johannes K and
> everything verifies OK with no errors. I am not sure what to think now.

I managed to do a little testing on this. This message is not important
if you're not checking client certificates. In my opinion it should only
log if the tls verify option is set. It checks if the other MTA / MUA
sent a client certificate and if it's valid.

For this I've created a ca, signed a client certificate and included the
ca in the ca cert option in smtpd. Then connecting with my generated
client certificate the following messages are shown:

51c8762b8b73eeb0 smtp connected address=... host=...
51c8762b8b73eeb0 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
51c8762b8b73eeb0 smtp cert-check result="verified" fingerprint="SHA256:fe13baf0c9604a31b0b02ab768ca051ed6994e91c292d4de545f2a8cfb470ec2"
51c8762b8b73eeb0 smtp message msgid=d2cd8a2b size=811 nrcpt=1 proto=ESMTP
51c8762b8b73eeb0 smtp envelope evpid=d2cd8a2b6deec7a1 from= to=
51c8762c08e7e4e4 mda delivery evpid=d2cd8a2b6deec7a1 from= to= rcpt= user=vmail delay=1s result=Ok stat=Delivered
51c8762b8b73eeb0 smtp disconnected reason=quit
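For a listener that does expect client certificates, the log lines shown in the message above can be grouped per session to find mail accepted without a verified, known certificate. This is an added example, not part of the thread or of OpenSMTPD; the sample log is constructed, the fingerprints are placeholders, and the `result="no certificate presented"` text is assumed from the thread subject.

```python
import re

LINE = re.compile(r"^(?P<sid>[0-9a-f]+) smtp (?P<event>[\w-]+)(?P<rest>.*)$")
FIELD = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

def summarize(lines):
    """Group smtpd 'smtp' log events by session id."""
    sessions = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other subsystems (e.g. mda) are ignored here
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(m["rest"])}
        s = sessions.setdefault(
            m["sid"], {"tls": None, "cert": None, "fingerprint": None, "messages": 0})
        if m["event"] == "tls":
            s["tls"] = fields.get("ciphers")
        elif m["event"] == "cert-check":
            s["cert"] = fields.get("result")
            s["fingerprint"] = fields.get("fingerprint")
        elif m["event"] == "message":
            s["messages"] += 1
    return sessions

def sessions_to_review(lines, trusted_fingerprints):
    """Session ids that submitted mail without a verified, allowlisted client cert."""
    flagged = []
    for sid, s in summarize(lines).items():
        ok = s["cert"] == "verified" and s["fingerprint"] in trusted_fingerprints
        if s["messages"] and not ok:
            flagged.append(sid)
    return flagged

# Constructed sample log; session ids and fingerprints are placeholders.
SAMPLE_LOG = """\
00a1 smtp connected address=192.0.2.10 host=mx1.example
00a1 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
00a1 smtp cert-check result="verified" fingerprint="SHA256:constructed-fp-1"
00a1 smtp message msgid=00000001 size=811 nrcpt=1 proto=ESMTP
00a2 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
00a2 smtp cert-check result="verified" fingerprint="SHA256:constructed-fp-2"
00a2 smtp message msgid=00000002 size=402 nrcpt=1 proto=ESMTP
00a3 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
00a3 smtp cert-check result="no certificate presented"
00a3 smtp message msgid=00000003 size=950 nrcpt=2 proto=ESMTP
00a4 smtp connected address=192.0.2.40 host=probe.example
00a4 smtp disconnected reason=quit
""".splitlines()

if __name__ == "__main__":
    print(sessions_to_review(SAMPLE_LOG, {"SHA256:constructed-fp-1"}))
```
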
Re: dkim signing integrated in opensmtpd?
On 5/10/21 3:14 PM, Martijn van Duren wrote:
> There's filter-dkimsign in packages, which is also mentioned in
> smtpd.conf. I don't think there's a more lightweight solution
> possible.
>

I had found your web site https://palant.info/2020/11/09/adding-\
dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
building opensmtpd-filter-dkimsign from "some Dutch web server".
I didn't expect a package.

Actually I am running my major MTA with sendmail, still. The
problem in this configuration is, the opendkim milter is called
before masquerading is done. opendkim signs a header that is
modified by sendmail later. (There are some workarounds, but they
are unreliable.)

Is there a similar pitfall for opensmtpd-filter-dkimsign and
opensmtpd?

Regards
Harri
Re: dkim signing integrated in opensmtpd?
On Mon, 2021-05-10 at 14:55 +0200, Harald Dunkel wrote:
> Hi folks,
>
> Would it be possible to *integrate* dkim signatures in opensmtpd?
> I saw rspamd, but this is not an option. I am looking for a
> lightweight solution for signing EMail headers.
>
>
> Regards
> Harri
>

There's filter-dkimsign in packages, which is also mentioned in
smtpd.conf. I don't think there's a more lightweight solution
possible.

martijn@
dkim signing integrated in opensmtpd?
Hi folks,

Would it be possible to *integrate* dkim signatures in opensmtpd?
I saw rspamd, but this is not an option. I am looking for a
lightweight solution for signing EMail headers.

Regards
Harri