Summary
When I installed Rspamd on OpenBSD / OpenSMTPD the other day, DKIMProxy out (the dkimproxy_out
daemon), installed from the OpenBSD ports/packages system, was still being used to add DKIM signatures to outgoing mail in order to improve email security.
Rspamd has shipped a DKIM signing module since v1.5. Therefore, I decided to migrate from DKIMProxy to Rspamd as the DKIM signer.
Tutorial
First, set up Rspamd by creating dkim_signing.conf in local.d:
$ cd /etc/rspamd/local.d
$ printf "\
allow_username_mismatch = true;\n\
path = \"/etc/ssl/(...)/dkimproxy-out-key.pem\"\n\
selector=\"dkimout-selector1\"" |\
doas tee dkim_signing.conf
$ cat dkim_signing.conf
allow_username_mismatch = true;
path = "/etc/ssl/(...)/dkimproxy-out-key.pem"
selector="dkimout-selector1"
Here, I reused the private key of my TLS certificate. The key "path" and the "selector" name depend on your environment.
In my case, since it can happen that the authenticated username does not contain a matching domain, I set "allow_username_mismatch" to true.
Next, configure OpenSMTPD to disable the DKIMProxy relay and add the Rspamd filter on the submission (MSA) listeners.
$ doas nvim /etc/mail/smtpd.conf
smtpd.conf was changed like this:
- listen on lo0 port 10028 tag DKIM
(...)
listen on lo0 \
port submission \
received-auth mask-src \
+ filter { "rspamd" } \
tag MSA
listen on egress \
port submission \
tls-require \
pki (...) \
auth <passwd> \
received-auth mask-src \
+ filter { "rspamd" } \
tag MSA
(...)
action "relay" relay
(...)
- action "relay_dkim" relay host smtp://127.0.0.1:10027
(...)
- match tag DKIM for any action "relay"
- match tag MSA from any auth for any action "relay_dkim"
+ match tag MSA from any auth for any action "relay"
Besides, the filter format should be one of:
- filter { "rspamd" } (a string array)
- filter rspamd (a single name without quotation marks)
Configuration is done now.
Switch the daemon in charge of DKIM signing, then restart OpenSMTPD so it picks up the new configuration:
$ doas rcctl stop dkimproxy_out
$ doas rcctl check dkimproxy_out
dkimproxy_out(failed)
$ doas rcctl restart rspamd smtpd
rspamd(ok)
rspamd(ok)
smtpd(ok)
smtpd(ok)
Conclusion
I sent emails before and after the migration and compared them. The comparison test was successful.
Also, unexpectedly and happily, the hashing algorithm changed from sha1 to sha256, as shown below :)
# dkimproxy_out
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=(domain); h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=(selector); bh= (...); b=(...)
# Rspamd dkim_signing
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=(domain); s=(selector); t=(...); h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding; bh=(...); b=(...)
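The two headers differ in more than the hash: Rspamd also switched to relaxed body canonicalization (c=relaxed/relaxed) and over-signs headers (From, Subject, Date and others appear twice in h=, which prevents another copy being added after signing). As an added example, not part of the original post or of Rspamd or DKIMProxy, here is a small Python checker that parses a DKIM-Signature header and reports the algorithm, canonicalization and over-signed headers. The two sample headers are constructed from the ones above; domain, selector, t=, bh= and b= are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the two DKIM-Signature headers shown above.
# Domain, selector, timestamp, bh= and b= are placeholders, not real values.
DKIMPROXY_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.org; "
    "h=subject:to :references:from:message-id:date:mime-version:in-reply-to "
    ":content-type:content-transfer-encoding; s=dkimout-selector1; "
    "bh= PLACEHOLDER; b=PLACEHOLDER"
)
RSPAMD_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; "
    "s=dkimout-selector1; t=1500000000; "
    "h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\r\n"
    "\tto:to:cc:mime-version:mime-version:content-type:content-type:\r\n"
    "\tcontent-transfer-encoding:content-transfer-encoding; bh=PLACEHOLDER; b=PLACEHOLDER"
)

# RFC 8301 (2018) tells signers to stop using rsa-sha1 and verifiers to reject it.
WEAK_ALGORITHMS = {"rsa-sha1"}
# Tags RFC 6376 section 3.5 marks as REQUIRED.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


@dataclass
class DkimReport:
    algorithm: str
    header_canon: str
    body_canon: str
    signed_headers: list
    oversigned: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_tags(header: str) -> dict:
    """Unfold the header and split its tag=value list (RFC 6376 section 3.2)."""
    value = header.split(":", 1)[1] if header.lower().startswith("dkim-signature:") else header
    # A line break followed by whitespace is header folding, not content.
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = val.strip()
    return tags


def audit_signature(header: str) -> DkimReport:
    """Report algorithm, canonicalization, over-signed headers and policy findings."""
    tags = parse_tags(header)
    algorithm = tags.get("a", "")
    # A lone c= value applies to the header; the body then defaults to simple.
    header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"
    # h= is colon-separated; folding may leave whitespace around the colons.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    seen, oversigned = set(), []
    for name in signed:
        if name in seen and name not in oversigned:
            oversigned.append(name)
        seen.add(name)
    report = DkimReport(algorithm, header_canon, body_canon, signed, oversigned)
    if algorithm in WEAK_ALGORITHMS:
        report.findings.append(f"weak signing algorithm {algorithm} (see RFC 8301)")
    if "from" not in signed:
        report.findings.append("From header not signed (required by RFC 6376)")
    elif "from" not in oversigned:
        report.findings.append("From header not over-signed (over-signing blocks a later added From)")
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            report.findings.append(f"required tag {tag}= missing")
    return report


if __name__ == "__main__":
    for label, hdr in (("dkimproxy_out", DKIMPROXY_HEADER), ("rspamd", RSPAMD_HEADER)):
        r = audit_signature(hdr)
        print(f"{label}: a={r.algorithm} c={r.header_canon}/{r.body_canon}")
        print(f"  over-signed: {', '.join(r.oversigned) or 'none'}")
        for f in r.findings:
            print(f"  finding: {f}")
```

Run it against a header copied from a message you sent through your own MSA; an empty findings list for the Rspamd-signed header and the rsa-sha1 warning for the DKIMProxy one reproduce the comparison made above.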
Finally, once the test is successful, say thank you and goodbye to DKIMProxy:
$ doas pkg_delete dkimproxy
dkimproxy-1.4.1p1: ok
Read shared items: ok
--- -dkimproxy-1.4.1p1 -------------------
You should also remove /etc/dkimproxy_out.conf (which was modified)
You should also run /usr/sbin/userdel _dkimproxy
You should also run /usr/sbin/groupdel _dkimproxy
$ doas /usr/sbin/userdel _dkimproxy
$ doas /usr/sbin/groupdel _dkimproxy
$ doas rm /etc/dkimproxy_out.conf # or `doas cp -p /etc/dkimproxy_out.conf /etc/dkimproxy_out.conf.bak`