[Rspamd-Users] Disabling DKIM signing for selected recipient domains (using sign_condition)

Ganael Laplanche ganael.laplanche at centralesupelec.fr
Fri Mar 3 08:02:17 UTC 2023


Hello @list,

We've set up DKIM signing using rspamd and it has been running successfully 
for several months now.

Unfortunately, a really small subset of our mails are refused by external MTAs 
with the following reasons:

  550 5.7.1 Policy reason (in reply to end of DATA command))
  550 5.7.1 Policy reason;bad content (dkim) (in reply to end of DATA command)

What is weird is that most of the time, other mails sent to the same MTAs are 
accepted without problem. I should also add that we are *not* using DMARC.

We started to dig into this and found that the target MTAs refusing our mails 
are all using VadeSecure solutions. Contacting the support team of a 
destination site, we've been told that, under certain conditions, VadeSecure 
failed to verify DKIM signatures and that they had to perform an upgrade to 
fix this (scheduled, but later...).

Right, the problem is on their side, but as we would like to be able to send 
them mails before the upgrade gets done, we started to look if it was possible 
to disable DKIM signing on a per-destination-site basis in rspamd. There is no 
straight option to do that but using the sign_condition option, we got 
something that seems to work. I'll paste it here as the option is not 
well-documented (that configuration is for a quite old version of rspamd (1.8.1) 
and should probably be migrated to dkim_signing.conf for rspamd >= 2.0).

Just:

1) Add the following to /etc/rspamd/local.d/dkim.conf:

#----
# Disable DKIM signing for a list of *recipient* domains
#
# Resources:
# 3bdd175 [Feature] Implement dkim signing in dkim check plugin
# 5b1a384 [Rework] Dkim: Remove signing code
# d4f9fc6 [Rework] Dkim_signing: Move sign condition to dkim_signing
# 935e791 [Minor] Compat: Allow to use old style sign_condition

sign_condition =<<EOD
return function(task)
  local rspamd_logger = require "rspamd_logger"

  -- Recipient domains for which we want to disable DKIM
  local skip_domain = {
    ["rcpt-domain1.com"]=true,
    ["rcpt-domain2.com"]=true
  }

  -- Get mail destination domain (only the first recipient is examined,
  -- so a multi-recipient mail is decided on that recipient alone;
  -- guard against a missing/empty recipient list instead of indexing nil)
  local eto = task:get_recipients(0)
  local tdom = eto and eto[1] and eto[1].domain
  rspamd_logger.errx(task, 'dkim/sign_condition: checking domain %s', tdom)

  -- Ignore listed domains
  if tdom and skip_domain[tdom] then
    rspamd_logger.errx(task, 'dkim/sign_condition: NOT signing mail for domain %s', tdom)
    return
  end

  -- Fallback to a default signing configuration for other domains
  rspamd_logger.errx(task, 'dkim/sign_condition: signing mail for domain %s', tdom)
  return {
    key = "/path/to/your/domain.com.dkim.key",
    domain = "domain.com",
    selector = "dkim"
  }
end
EOD;
#----

2) Invalidate the default key in /etc/rspamd/local.d/dkim_signing.conf:

path = "" ;

I would be happy to get feedback on this as it seems to work as we want, but 
is not in production yet.

Best regards,

-- 
Ganael Laplanche <ganael.laplanche at centralesupelec.fr>
Unix Systems Engineer @CentraleSupelec Rennes - DISI
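The sign_condition posted above decides on the first recipient only. As an added example (not code from the post or from rspamd), here is the same decision generalised to every recipient, with the rspamd task object replaced by a constructed stand-in (`fake_task`, an assumption) so the logic can be checked with plain `lua` before it goes into production:

```lua
-- Added example: recipient-domain based DKIM sign/skip decision.
-- `rspamd_logger` is intentionally not used so this runs outside rspamd.

local skip_domain = {        -- recipient domains that must NOT be signed
  ["rcpt-domain1.com"] = true,
  ["rcpt-domain2.com"] = true,
}

local default_key = {        -- signing parameters for everything else
  key = "/path/to/your/domain.com.dkim.key",
  domain = "domain.com",
  selector = "dkim",
}

-- Returns nil (do not sign) or the signing table, which is what rspamd's
-- sign_condition callback is expected to return. Unlike the first-recipient
-- version, a message is left unsigned as soon as ANY recipient belongs to a
-- listed domain; a message with no recipients falls through to signing.
local function sign_decision(task)
  local rcpts = task:get_recipients(0) or {}
  for _, r in ipairs(rcpts) do
    local dom = r.domain and r.domain:lower()   -- domain match is case-insensitive
    if dom and skip_domain[dom] then
      return nil
    end
  end
  return default_key
end

-- Constructed stand-in for rspamd's task object (assumption, test only):
-- only get_recipients() is modelled, returning {domain=...} entries.
local function fake_task(domains)
  local rcpts = {}
  for i, d in ipairs(domains) do rcpts[i] = { domain = d } end
  return { get_recipients = function(self, _) return rcpts end }
end

-- Self-checks with constructed recipient lists
assert(sign_decision(fake_task({ "example.org" })) == default_key)
assert(sign_decision(fake_task({ "RCPT-Domain1.com" })) == nil)
assert(sign_decision(fake_task({ "example.org", "rcpt-domain2.com" })) == nil)
assert(sign_decision(fake_task({})) == default_key)
print("sign_decision checks passed")
```

To use it as a sign_condition, drop the stand-in and the self-checks and have the chunk `return sign_decision`.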