DKIM Migration: Rspamd instead of DKIMproxy out on OpenBSD / OpenSMTPD

nabbisen - Jul 18 '21 - - Dev Community

Summary

When I set up Rspamd on OpenBSD / OpenSMTPD the other day, DKIMProxy out (the dkimproxy_out daemon, installed from the OpenBSD ports/package system) was still the component adding DKIM signatures to outgoing mail in order to improve email security.

Rspamd has shipped a DKIM signing module since v1.5. Therefore, I decided to migrate from DKIMProxy to Rspamd as the DKIM signer.

Tutorial

First, set up Rspamd by creating dkim_signing.conf in local.d:

$ cd /etc/rspamd/local.d

$ printf "\
allow_username_mismatch = true;\n\
path = \"/etc/ssl/(...)/dkimproxy-out-key.pem\"\n\
selector=\"dkimout-selector1\"\n" |\
    doas tee dkim_signing.conf

$ cat dkim_signing.conf
allow_username_mismatch = true;
path = "/etc/ssl/(...)/dkimproxy-out-key.pem"
selector="dkimout-selector1"

Here, I reused the private key of my TLS certificate. The key "path" and the "selector" name depend on your environment.
In my case, the authenticated username does not always contain a matching domain, so I set "allow_username_mismatch" to true.

Next, configure OpenSMTPD to disable the DKIMProxy relay and add the Rspamd filter on the submission listeners (aka MSA).

$ doas nvim /etc/mail/smtpd.conf

smtpd.conf was changed like this:

- listen on lo0 port 10028 tag DKIM
  (...)
  listen on lo0 \
          port submission \
          received-auth mask-src \
+         filter { "rspamd" } \
          tag MSA

  listen on egress \
          port submission \
          tls-require \
          pki (...) \
          auth <passwd> \
          received-auth mask-src \
+         filter { "rspamd" } \
          tag MSA
  (...)
  action "relay"      relay
  (...)
- action "relay_dkim" relay host smtp://127.0.0.1:10027
  (...)
- match tag DKIM                          for any                         action "relay"
- match tag MSA   from any auth           for any                         action "relay_dkim"
+ match tag MSA   from any auth           for any                         action "relay"

Note that the filter can be written in either of these forms:

  • filter { "rspamd" } (string array)
  • filter rspamd (bare name without quotation marks)

Configuration is done now.
Switch the daemons in charge of DKIM signatures and then restart OpenSMTPD so that it picks up the new filter:

$ doas rcctl stop dkimproxy_out
$ doas rcctl check dkimproxy_out
dkimproxy_out(failed)

$ doas rcctl restart {rspamd, smtpd}
rspamd(ok)
rspamd(ok)
smtpd(ok)
smtpd(ok)

Conclusion

I sent test emails before and after the migration, and the comparison was successful.
Also, unexpectedly and happily, the hashing algorithm changed from sha1 to sha256, as shown below :)

# dkimproxy_out
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=(domain); h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=(selector); bh= (...); b=(...)

# Rspamd dkim_signing
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=(domain); s=(selector); t=(...); h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc:mime-version:mime-version:content-type:content-type:
     content-transfer-encoding:content-transfer-encoding; bh=(...); b=(...)
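To compare the two signatures the way a defender would, here is an added Python example (not part of the original post) that parses a DKIM-Signature value into its tags and reports the hash algorithm, the header/body canonicalization, and which headers are oversigned (Rspamd lists from:from, subject:subject and so on on purpose, so that a second copy of such a header added in transit breaks the signature). The two sample values are constructed after the headers above, with placeholder d=, s=, t=, bh= and b= values.

```python
import re

# Constructed sample values modelled on the page's before/after headers
# (d=, s=, t=, bh= and b= are placeholders, not real data).
DKIMPROXY_SIG = (
    "v=1; a=rsa-sha1; c=relaxed; d=example.org; "
    "h=subject:to :references:from:message-id:date:mime-version:in-reply-to"
    " :content-type:content-transfer-encoding; s=sel1; bh=AAAA; b=BBBB"
)
RSPAMD_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; t=1626566400; "
    "h=from:from:reply-to:subject:subject:date:date:message-id:message-id:"
    "to:to:cc:mime-version:mime-version:content-type:content-type:"
    "content-transfer-encoding:content-transfer-encoding; bh=AAAA; b=BBBB"
)

def parse_dkim_signature(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside a value, as in the dkimproxy header, is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, val = item.split("=", 1)
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def inspect_signature(value):
    """Summarise what a reviewer checks: hash algorithm, canonicalization and
    oversigned headers (listed more than once in h=)."""
    tags = parse_dkim_signature(value)
    algo = tags.get("a", "")
    header_canon, _, body_canon = tags.get("c", "simple").partition("/")
    body_canon = body_canon or "simple"  # RFC 6376: body canon defaults to simple
    signed = [h for h in tags.get("h", "").lower().split(":") if h]
    return {
        "hash": algo.split("-", 1)[1] if "-" in algo else algo,
        "weak_hash": algo.endswith("sha1"),  # rsa-sha1 is deprecated by RFC 8301
        "header_canon": header_canon,
        "body_canon": body_canon,
        "signed_headers": sorted(set(signed)),
        "oversigned": sorted({h for h in signed if signed.count(h) > 1}),
    }

if __name__ == "__main__":
    for name, sig in (("dkimproxy_out", DKIMPROXY_SIG), ("rspamd", RSPAMD_SIG)):
        print(name, inspect_signature(sig))
```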

Finally, once the test succeeds, say thank you and goodbye to DKIMProxy.

$ doas pkg_delete dkimproxy
dkimproxy-1.4.1p1: ok
Read shared items: ok
--- -dkimproxy-1.4.1p1 -------------------
You should also remove /etc/dkimproxy_out.conf (which was modified)
You should also run /usr/sbin/userdel _dkimproxy
You should also run /usr/sbin/groupdel _dkimproxy

$ doas /usr/sbin/userdel _dkimproxy
$ doas /usr/sbin/groupdel _dkimproxy
$ doas rm /etc/dkimproxy_out.conf # or `doas cp -p /etc/dkimproxy_out.conf /etc/dkimproxy_out.conf.bak`