35
loading...
DKIM Migration: Rpamd instead of DKIMproxy out on OpenBSD / OpenSMTPD
Rspamd supports signing module since v1.5. Therefore, I decided to migrate from DKIMProxy to Rspamd as a DKIM signer.
First, set up Rspamd by creating dkim_signing.conf in local.d:
$ cd /etc/rspamd/local.d
$ printf "\
allow_username_mismatch = true;\n\
path = \"/etc/ssl/(...)/dkimproxy-out-key.pem\"\n\
selector=\"dkimout-selector1\"" |\
doas tee dkim_signing.conf
$ cat dkim_signing.conf
allow_username_mismatch = true;
path = "/etc/ssl/(...)/dkimproxy-out-key.pem\"
selector="dkimout-selector1"Here, I reused TLS certificate. The key "path" and the "selector" name are up to env.
In my case, since it possibly happens that "username does not need to contain matching domain", I set true at "allow_username_mismatch".
In my case, since it possibly happens that "username does not need to contain matching domain", I set true at "allow_username_mismatch".
Next, configure OpenSMTPD to disable DKIMProxy relay and add Rspamd filter on submission aka MSA.
$ doas nvim /etc/mail/smtpd.confsmtpd.conf was changed like this:
- listen on lo0 port 10028 tag DKIM
(...)
listen on lo0 \
port submission \
received-auth mask-src \
+ filter { "rspamd" } \
tag MSA
listen on egress \
port submission \
tls-require \
pki (...) \
auth <passwd> \
received-auth mask-src \
+ filter { "rspamd" } \
tag MSA
(...)
action "relay" relay
(...)
- action "relay_dkim" relay host smtp://127.0.0.1:10027
(...)
- match tag DKIM for any action "relay"
- match tag MSA from any auth for any action "relay_dkim
+ match tag MSA from any auth for any action "relay"Besides, filter format should be each of:
filter { "rspamd" } (string array)filter rspamd (name without quotations)Configuration is done now.
Switch daemons in charge of DKIM signatures and then let OpenSMTPD recognize it:
Switch daemons in charge of DKIM signatures and then let OpenSMTPD recognize it:
$ doas rcctl stop dkimproxy_out
$ doas rcctl check dkimproxy_out
dkimproxy_out(failed)
$ doas rcctl restart {rspamd, smtpd}
rspamd(ok)
rspamd(ok)
smtpd(ok)
smtpd(ok)I sent emails before the migration and after. The comparison test was successful.
Also, unexpectedly and happily, the hashing algorithm was changed: sha1 to sha256, as below :)
Also, unexpectedly and happily, the hashing algorithm was changed: sha1 to sha256, as below :)
# dkimproxy_out
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=(domain); h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=(selector); bh= (...); b=(...)
# Rspamd dkim_signing
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=(domain); s=(selector); t=(...); h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding; bh=(...); b=(...)Finally, say thank you and goodbye to DKIMProxy, if the test is successful.
$ doas pkg_delete dkimproxy
dkimproxy-1.4.1p1: ok
Read shared items: ok
--- -dkimproxy-1.4.1p1 -------------------
You should also remove /etc/dkimproxy_out.conf (which was modified)
You should also run /usr/sbin/userdel _dkimproxy
You should also run /usr/sbin/groupdel _dkimproxy
$ doas /usr/sbin/userdel _dkimproxy
$ doas /usr/sbin/groupdel _dkimproxy
$ doas rm /etc/dkimproxy_out.conf # or `doas cp -p /etc/dkimproxy_out.conf /etc/dkimproxy_out.conf.bak`35