Need help setting up outgoing mail DKIM signing


Simon Szustkowski

Sep 27, 2017, 7:40:41 AM
to rspamd
Hi,

I could use some help with setting up outgoing mail DKIM signing. Previously I used rmilter with opendkim, which was fine. Now I am trying to use rspamd's built-in milter functionality and rspamd's own DKIM signing ability.

My MTA is postfix. It has the following entries in the /etc/postfix/main.cf for connecting to the milter:

# rspamd stuff
#smtpd_milters = unix:/var/lib/rspamd/milter.sock
smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# skip mail without checks if something goes wrong
milter_default_action = accept

I have the following milter config for rspamd in the /etc/rspamd/local.d/worker-proxy.inc
# local.d/worker-proxy.inc
milter = yes; # Enable milter mode
timeout = 120s; # Needed for Milter usually
strict_auth = yes; # strict scan for mails from authenticated users, needed for outgoing dkim signing
upstream "local" {
  default = yes; # Self-scan upstreams are always default
  self_scan = yes; # Enable self-scan
}

Please note that I have tested it with strict_auth = yes and also with strict_auth = true (the DKIM documentation says "true" is needed; however, the proxy documentation states that the default value is "no", so maybe the enabling value is "yes"?).

This is the main rspamd configuration in /etc/rspamd/options.inc
# Included from top-level .conf file

filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
raw_mode = false;
one_shot = false;
cache_file = "$DBDIR/symbols.cache";
# How often maps are checked
map_watch_interval = 5min;
dynamic_conf = "$DBDIR/rspamd_dynamic";
history_file = "$DBDIR/rspamd.history";
check_all_filters = false;
dns {
    timeout = 1s;
    sockets = 16;
    retransmits = 5;
}
tempdir = "/tmp";
url_tld = "${PLUGINSDIR}/effective_tld_names.dat";
classify_headers = [
        "User-Agent",
        "X-Mailer",
        "Content-Type",
        "X-MimeOLE",
];

control_socket = "$DBDIR/rspamd.sock mode=0600";
history_rows = 200;
explicit_modules = ["settings"];

# Scan messages even if they are not MIME
allow_raw_input = true;

# Start ignore words when reaching the following limit, so the total
# amount of words processed will not be *LIKELY more than the twice of that limit
words_decay = 200;

# Write statistics about rspamd usage to the round-robin database
rrd = "${DBDIR}/rspamd.rrd";

# Local networks
local_addrs = "192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fd00::/8, 169.254.0.0/16, fe80::/10";
hs_cache_dir = "${DBDIR}/";

I am not sure whether I should explicitly enable the DKIM Lua module, since I understood the documentation as saying not to, but this seems strange to me.

And last but not least the dkim_signing.conf
# local.d/dkim_signing.conf

# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = false;
# If false, messages from authenticated users are not selected for signing
auth_only = true;
# Default path to key, can include '$domain' and '$selector' variables
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
# Default selector to use
selector = "default";
# If false, messages from local networks are not selected for signing
sign_local = true;
# Symbol to add when message is signed
symbol = "DKIM_SIGNED";
# Whether to fallback to global config
try_fallback = true;
# Domain to use for DKIM signing: can be "header" or "envelope"
use_domain = "header";
# Whether to normalise domains to eSLD
use_esld = true;
# Whether to get keys from Redis
use_redis = false;
# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";
# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/dkim_selectors.map";
# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/dkim_paths.map";

# Domain specific settings
domain {
  # Signing domain as the nested key (assumed here from the From address in the
  # log below; the posted block was missing this level and had an extra "}")
  simonszu.de {
    # Private key path
    path = "/etc/opendkim/keys/$domain.$selector.key";
    # Selector
    selector = "default";
  }
}

Please note that the key exists and could be used with rmilter and opendkim. 

This is the result when sending an email via this host:
2017-09-27 13:37:59 #20956(rspamd_proxy) <c5fca5>; milter; rspamd_milter_process_command: got connection from 209.85.214.44:56584
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; rspamd_message_parse: loaded message; id: <CAFcEvYH0WAmEBQLtc_j+rYgV...@mail.gmail.com>; queue-id: <DB5F3170004F>; size: 1393; checksum: <cca042cd53654e5d199c9d74b3ed72fa>
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; spf_symbol_callback: skip SPF checks for local networks and authorized users
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; fuzzy_generate_commands: <CAFcEvYH0WAmEBQLtc_j+rYgV...@mail.gmail.com>, part is shorter than 1000 bytes: 152 (76 * 2.00 bytes), skip fuzzy check
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; fuzzy_generate_commands: <CAFcEvYH0WAmEBQLtc_j+rYgV...@mail.gmail.com>, part is shorter than 1000 bytes: 144 (72 * 2.00 bytes), skip fuzzy check
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; lua; once_received.lua:82: Skipping once_received for authenticated user or local network
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; surbl; surbl_test_url: disable surbl multi.uribl.com as it is reported to be offline
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; lua; dmarc.lua:241: skip DMARC checks for local networks and authorized users
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; rspamd_task_write_log: id: <CAFcEvYH0WAmEBQLtc_j+rYgV...@mail.gmail.com>, qid: <DB5F3170004F>, ip: 209.85.214.44, user: simonszu@myhostname, from: <ma...@simonszu.de>, (default: F (no action): [-0.10/15.00] [MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:15169, ipnet:209.85.128.0/17, country:US;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},PREVIOUSLY_DELIVERED(0.00){test-a...@appmaildev.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_NO_TLS_LAST(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1393, time: 64.000ms real, 21.522ms virtual, dns req: 0, digest: <cca042cd53654e5d199c9d74b3ed72fa>, rcpts: <test-a...@appmaildev.com>, mime_rcpt: <test-a...@appmaildev.com>
2017-09-27 13:38:00 #20956(rspamd_proxy) <c5fca5>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 163 regexps total, 78 regexps cached, 0B bytes scanned using pcre, 1.22k bytes scanned total
2017-09-27 13:38:00 #20956(rspamd_proxy) <75377f>; proxy; proxy_milter_finish_handler: finished milter connection


As a result, the mail has no DKIM signature attached. So I am kindly asking for some help in setting up DKIM properly. Maybe there is just a small value I have to change and everything works. :D

Andrew Lewis

Sep 27, 2017, 7:55:00 AM
to rsp...@googlegroups.com
Hi,

You can get more useful logging for DKIM signing module by setting:
debug_modules = ["dkim_signing"]
in local.d/logging.inc

> user: simonszu@myhostname, from: <ma...@simonszu.de>

The default policy of the DKIM signing module wants the domain part of the
username to match the domain part of the MIME/SMTP From, so that may be the
issue. You can set `allow_username_mismatch = true;` if that's undesirable.

Best,
-AL.
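As an added illustration of the selection rule Andrew describes (this is not rspamd's own Lua code), here is a small Python model of the dkim_signing policy using the options from the posted dkim_signing.conf; the tasks are constructed from the log line in the thread, and the eSLD helper is a naive stand-in for rspamd's public-suffix-based one.

```python
import os

# Options from the thread's dkim_signing.conf that drive message selection.
CFG = {
    "auth_only": True, "sign_local": True, "allow_username_mismatch": False,
    "allow_hdrfrom_mismatch": False, "use_domain": "header", "use_esld": True,
    "selector": "default", "path": "/var/lib/rspamd/dkim/$domain.$selector.key",
}


def esld(domain):
    # Assumption: eSLD = last two labels; rspamd consults the public suffix list.
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def select_signing_domain(task, cfg=CFG):
    """Return (domain, None) if the message would be signed, else (None, reason).

    task keys: user (authenticated username or None), hdr_domain (MIME From),
    env_domain (envelope From), local (True if the client IP is in local_addrs).
    """
    if not task["user"] and not (cfg["sign_local"] and task["local"]):
        return None, "not authenticated and not from a local network (auth_only)"
    hdom, edom = esld(task["hdr_domain"]), esld(task["env_domain"])
    if hdom != edom and not cfg["allow_hdrfrom_mismatch"]:
        return None, "header/envelope domain mismatch"
    if task["user"]:
        # This is the check that bites "simonszu@myhostname" sending as simonszu.de.
        udom = task["user"].partition("@")[2]
        if esld(udom) != hdom and not cfg["allow_username_mismatch"]:
            return None, f"username domain '{udom}' != From domain '{hdom}'"
    return (hdom if cfg["use_domain"] == "header" else edom), None


def key_path(domain, cfg=CFG):
    # Expand the $domain/$selector placeholders the way the "path" option documents.
    return cfg["path"].replace("$domain", domain).replace("$selector", cfg["selector"])


def key_readable(path):
    # The other failure mode in the thread: the key must be readable by the rspamd user.
    return os.path.isfile(path) and os.access(path, os.R_OK)


if __name__ == "__main__":
    # Constructed tasks mirroring the log line (user: simonszu@myhostname, from simonszu.de).
    for user in ("simonszu@myhostname", "simonszu@simonszu.de"):
        task = {"user": user, "hdr_domain": "simonszu.de", "env_domain": "simonszu.de", "local": False}
        dom, why = select_signing_domain(task)
        print(user, "->", f"sign as {dom}, key {key_path(dom)}" if dom else f"not signed: {why}")
```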

Simon Szustkowski

Sep 27, 2017, 8:40:19 AM
to rspamd
Thanks for the hint with the logging options. It revealed a simple filesystem access rights error. I removed opendkim completely and will use plain openssl for key creation from now on.

Also, as you pointed out the @myhostname, I noticed a small typo in my postfix's main.cf where I forgot a $. So, a double "Thank you very much" from me :)