Re: Adrift with DKIM Signing on FreeBSD
On Fri, 24 Jul 2020 at 03:00, Sam Vaughan wrote:

> > On 24 Jul 2020, at 7:52 am, William Carson wrote:
> >
> > > On Jul 22, 2020, at 9:43 PM, Sam Vaughan wrote:
> > >
> > > I see that everything’s good on OpenBSD thanks to Martijn’s dkim
> > > filter, but there's no port of it on FreeBSD and my initial efforts
> > > to create one showed that it’s not a job for a first-time porter.
> > > So I now don’t know whether to try looking into milter support for
> > > OpenDKIM, or revert back to dkimproxy, or maybe even compile and run
> > > an old OpenSMTPd version like the 6.1 port which works flawlessly on
> > > FreeBSD 11.3.
> >
> > I use mail/dkimproxy on FreeBSD and it works great. I followed the
> > config template on
> > https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> > and it was very simple and straightforward.
>
> Thanks William, you’re quite right. I dusted off my old notes for
> setting up dkimproxy and it still works just fine with OpenSMTPd 6.7.1p1
> on FreeBSD 12.1. The updated syntax in that link was helpful, thank you.
>
> Of course it still means running a pool of separate proxy processes just
> for DKIM signing which is a step backwards from having a dedicated
> filter, but it’s a much leaner alternative to using rspamd, and in my
> experience much more reliable too.
>
> When I get some time I’ll have another look at trying to port Martijn’s
> filter from OpenBSD.

With the help of Martijn I managed to port filter-dkimsign for Arch Linux.
To Martijn's credit, it was very little effort. It basically meant writing
a Makefile and disabling `pledge` since Linux doesn't have it.

I still need to do more testing, but I'm already much happier without
rspamd or other external daemons doing the signing :-)

The result is available on the AUR [1]. This doesn't directly help for
FreeBSD of course, but it may be useful to look at.

For now I compiled libopensmtpd (including openbsd-compat) and
filter-dkimsign into a single executable for simplicity, but I will
probably split that back into a separate library if/when I port other
filters too.

[1] https://aur.archlinux.org/packages/opensmtpd-filter-dkimsign

--
Maarten
Re: Adrift with DKIM Signing on FreeBSD
On Thu, 23 Jul 2020, Sam Vaughan wrote:

> I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a
> long time now but have recently come unstuck with DKIM signing on
> FreeBSD. I started out using dkimproxy successfully, then “filter
> dkim-sign” came along and it was even better. But as of OpenSMTPd 6.6,
> the opensmtpd-extras dkim filter has been deleted and its FreeBSD port
> has gone too.

I'm running a local build of opensmtpd 6.7.1p1 on netbsd 9.0 (the netbsd
pkgsrc port is very much out of date). For dkim signing, I use proxsmtpd
and dkimsign, both built from pkgsrc, and messages I want dkim-signed are
sent through proxsmtpd before being relayed by opensmtpd. Proxsmtpd is set
up to listen on port 10028 and opensmtpd listens to it on port 10029.

Relevant excerpts from my smtpd.conf:

    listen on lo0 inet4 port 10029 mask-src tag "dkim"
    action _dkim relay host smtp://127.0.0.1:10028
    action _relay relay
    match from any auth tag "submit" for any action _dkim
    match from local tag "dkim" for any action _relay

proxsmtpd.conf's FilterCommand:

    /usr/pkg/bin/dkimsign dkim example.com /etc/mail/dkim.key

This has been working fine ever since I set it up.

I hope this helps!

Andi..

> Word on the street seemed to be to use rspamd for DKIM signing, but
> that's a hell of a big hammer. Resigned to my fate, I set up rspamd on
> FreeBSD 12.1 and got it working with a few test messages. But I then
> found that the system’s automated nightly emails were all coming up
> “dkim=fail”. No matter what I tried, I couldn’t replicate it manually -
> sending as root, sending to the same gmail group, whatever. All my test
> messages would still come up “dkim=pass”.
>
> Before I got to the bottom of that issue, a bigger one showed up. A
> recent minor pkg upgrade seems to have caused rspamd to regularly crash
> with
>
> glib; rspamd_glib_printerr_function: **
> ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text:
> assertion failed: (U_SUCCESS (uc_err))
>
> I’ve had no luck finding a fix for that yet, but I feel like I’m at a
> crossroads. I understand that with their limited time, the OpenSMTPd
> developers decided to leave as much as possible to rspamd, but what a
> shame DKIM signing is in that category too. Does anyone really consider
> DKIM signing an optional feature any more?
>
> I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter,
> but there's no port of it on FreeBSD and my initial efforts to create
> one showed that it’s not a job for a first-time porter. So I now don’t
> know whether to try looking into milter support for OpenDKIM, or revert
> back to dkimproxy, or maybe even compile and run an old OpenSMTPd
> version like the 6.1 port which works flawlessly on FreeBSD 11.3.
>
> It seems weird to me that so few OpenSMTPd users seem to have been
> affected by this change. A lot of you must be on platforms other than
> OpenBSD. Perhaps I’m unusual in wanting to only do outbound? Of course
> rspamd is just part of the deal for inbound. Maybe outbound-only people
> are relaying straight to Mailgun so they don’t need to worry about
> SPF/DKIM/DMARC? It is tempting.
>
> Cheers,
>
> Sam
Re: Adrift with DKIM Signing on FreeBSD
> On Jul 22, 2020, at 9:43 PM, Sam Vaughan wrote:
>
> I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter,
> but there's no port of it on FreeBSD and my initial efforts to create
> one showed that it’s not a job for a first-time porter. So I now don’t
> know whether to try looking into milter support for OpenDKIM, or revert
> back to dkimproxy, or maybe even compile and run an old OpenSMTPd
> version like the 6.1 port which works flawlessly on FreeBSD 11.3.

I use mail/dkimproxy on FreeBSD and it works great. I followed the config
template on
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
and it was very simple and straightforward.

> It seems weird to me that so few OpenSMTPd users seem to have been
> affected by this change. A lot of you must be on platforms other than
> OpenBSD. Perhaps I’m unusual in wanting to only do outbound? Of course
> rspamd is just part of the deal for inbound. Maybe outbound-only people
> are relaying straight to Mailgun so they don’t need to worry about
> SPF/DKIM/DMARC? It is tempting.
>
> Cheers,
>
> Sam
Re: Adrift with DKIM Signing on FreeBSD
> On 24 Jul 2020, at 7:52 am, William Carson wrote:
>
> > On Jul 22, 2020, at 9:43 PM, Sam Vaughan wrote:
> >
> > I see that everything’s good on OpenBSD thanks to Martijn’s dkim
> > filter, but there's no port of it on FreeBSD and my initial efforts to
> > create one showed that it’s not a job for a first-time porter. So I
> > now don’t know whether to try looking into milter support for
> > OpenDKIM, or revert back to dkimproxy, or maybe even compile and run
> > an old OpenSMTPd version like the 6.1 port which works flawlessly on
> > FreeBSD 11.3.
>
> I use mail/dkimproxy on FreeBSD and it works great. I followed the
> config template on
> https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> and it was very simple and straightforward.

Thanks William, you’re quite right. I dusted off my old notes for setting
up dkimproxy and it still works just fine with OpenSMTPd 6.7.1p1 on
FreeBSD 12.1. The updated syntax in that link was helpful, thank you.

Of course it still means running a pool of separate proxy processes just
for DKIM signing which is a step backwards from having a dedicated filter,
but it’s a much leaner alternative to using rspamd, and in my experience
much more reliable too.

When I get some time I’ll have another look at trying to port Martijn’s
filter from OpenBSD.

Cheers,

Sam
Re: Adrift with DKIM Signing on FreeBSD
Just so you know, you're not alone on this. I deal with both inbound and
outbound mail, and I still think rspamd is a sledgehammer. I'd much prefer
to use a separate dkim-sign and even dkim-verify filter.

--
Maarten

On Thu, 23 Jul 2020 at 05:00, Sam Vaughan wrote:

> Hi all,
>
> I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a
> long time now but have recently come unstuck with DKIM signing on
> FreeBSD. I started out using dkimproxy successfully, then “filter
> dkim-sign” came along and it was even better. But as of OpenSMTPd 6.6,
> the opensmtpd-extras dkim filter has been deleted and its FreeBSD port
> has gone too.
>
> Word on the street seemed to be to use rspamd for DKIM signing, but
> that's a hell of a big hammer. Resigned to my fate, I set up rspamd on
> FreeBSD 12.1 and got it working with a few test messages. But I then
> found that the system’s automated nightly emails were all coming up
> “dkim=fail”. No matter what I tried, I couldn’t replicate it manually -
> sending as root, sending to the same gmail group, whatever. All my test
> messages would still come up “dkim=pass”.
>
> Before I got to the bottom of that issue, a bigger one showed up. A
> recent minor pkg upgrade seems to have caused rspamd to regularly crash
> with
>
> glib; rspamd_glib_printerr_function: **
> ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text:
> assertion failed: (U_SUCCESS (uc_err))
>
> I’ve had no luck finding a fix for that yet, but I feel like I’m at a
> crossroads. I understand that with their limited time, the OpenSMTPd
> developers decided to leave as much as possible to rspamd, but what a
> shame DKIM signing is in that category too. Does anyone really consider
> DKIM signing an optional feature any more?
>
> I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter,
> but there's no port of it on FreeBSD and my initial efforts to create
> one showed that it’s not a job for a first-time porter. So I now don’t
> know whether to try looking into milter support for OpenDKIM, or revert
> back to dkimproxy, or maybe even compile and run an old OpenSMTPd
> version like the 6.1 port which works flawlessly on FreeBSD 11.3.
>
> It seems weird to me that so few OpenSMTPd users seem to have been
> affected by this change. A lot of you must be on platforms other than
> OpenBSD. Perhaps I’m unusual in wanting to only do outbound? Of course
> rspamd is just part of the deal for inbound. Maybe outbound-only people
> are relaying straight to Mailgun so they don’t need to worry about
> SPF/DKIM/DMARC? It is tempting.
>
> Cheers,
>
> Sam
Adrift with DKIM Signing on FreeBSD
Hi all,

I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a long
time now but have recently come unstuck with DKIM signing on FreeBSD. I
started out using dkimproxy successfully, then “filter dkim-sign” came
along and it was even better. But as of OpenSMTPd 6.6, the
opensmtpd-extras dkim filter has been deleted and its FreeBSD port has
gone too.

Word on the street seemed to be to use rspamd for DKIM signing, but that's
a hell of a big hammer. Resigned to my fate, I set up rspamd on FreeBSD
12.1 and got it working with a few test messages. But I then found that
the system’s automated nightly emails were all coming up “dkim=fail”. No
matter what I tried, I couldn’t replicate it manually - sending as root,
sending to the same gmail group, whatever. All my test messages would
still come up “dkim=pass”.

Before I got to the bottom of that issue, a bigger one showed up. A recent
minor pkg upgrade seems to have caused rspamd to regularly crash with

glib; rspamd_glib_printerr_function: ** ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text: assertion failed: (U_SUCCESS (uc_err))

I’ve had no luck finding a fix for that yet, but I feel like I’m at a
crossroads. I understand that with their limited time, the OpenSMTPd
developers decided to leave as much as possible to rspamd, but what a
shame DKIM signing is in that category too. Does anyone really consider
DKIM signing an optional feature any more?

I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter,
but there's no port of it on FreeBSD and my initial efforts to create one
showed that it’s not a job for a first-time porter. So I now don’t know
whether to try looking into milter support for OpenDKIM, or revert back to
dkimproxy, or maybe even compile and run an old OpenSMTPd version like the
6.1 port which works flawlessly on FreeBSD 11.3.

It seems weird to me that so few OpenSMTPd users seem to have been
affected by this change. A lot of you must be on platforms other than
OpenBSD. Perhaps I’m unusual in wanting to only do outbound? Of course
rspamd is just part of the deal for inbound. Maybe outbound-only people
are relaying straight to Mailgun so they don’t need to worry about
SPF/DKIM/DMARC? It is tempting.

Cheers,

Sam
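
Added example (not part of the thread, and not code from any of the posters or projects mentioned): a local check for the symptom described above, where some messages come up dkim=fail at the receiver while others pass. It recomputes the RFC 6376 body hash of a delivered message and compares it with the bh= tag, which shows whether the body changed after the signing hop; it does not verify the b= signature over the headers, which needs the public key from DNS. The sample message, the selector sel1 and the placeholder b= value are constructed for illustration.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if lines[-1] == b"":
        lines.pop()                       # split artifact after the final CRLF
    if mode == "relaxed":                 # collapse WSP runs, strip WSP at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                       # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_body_hash(raw: bytes) -> dict:
    """Compare bh= of the first DKIM-Signature with the body as delivered."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    m = re.search(r"^DKIM-Signature:(.*)$", unfolded, re.I | re.M)
    if not m:
        return {"signed": False}
    t = parse_tags(m.group(1))
    mode = (t.get("c", "simple/simple") + "/simple").split("/")[1]  # body part of c=
    algo = "sha1" if t.get("a", "").endswith("sha1") else "sha256"
    data = canon_body(body, mode)
    if "l" in t:                          # l= limits how much of the body was signed
        data = data[: int(t["l"])]
    digest = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return {"signed": True, "d": t.get("d"), "s": t.get("s"),
            "body_ok": digest == t.get("bh")}

# Constructed sample: bh= is computed here the way a signer would compute it.
BODY = b"Nightly  run output \r\nall ok\r\n\r\n"
SIGNED = (b"From: root@example.com\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b"\ts=sel1; h=from; bh=" + body_hash(BODY, "relaxed").encode() +
          b"; b=placeholder\r\n\r\n" + BODY)
TAMPERED = SIGNED + b"-- \r\nfooter added by a later hop\r\n"

if __name__ == "__main__":
    print(check_body_hash(SIGNED), check_body_hash(TAMPERED))
```

Running check_body_hash over the raw bytes of a failing nightly message and of a passing test message, as saved at the receiving end, shows whether the two differ in body integrity or only in the header signature.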