[Rspamd-Users] First Time: DKIM Signing Only

Gerald Galster list+rspamd at gcore.biz
Mon Jan 22 23:12:20 UTC 2024


> Guess why? I've been putting DKIM signing off for too long.
> 
> I've spent the past couple days poring over the rspamd documentation (and the DKIM, ARC, DMARC, and Google doc). I just threw together my best guess at the configuration I think would work, including:
> 
> * /etc/rspamd/local.d/arc.conf: closely following the example here
>   <https://rspamd.com/doc/modules/arc.html>

If you're using rspamd for "DKIM signing only" then you're all about sending email, not receiving and filtering spam.

https://en.wikipedia.org/wiki/Authenticated_Received_Chain

"Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing."

If you don't receive email, there are no signatures to verify by ARC.
If you don't forward received DKIM-signed email, there is no point in ARC signing.

[...]

> I will be integrating with postfix, but I'd like to test rspamd separately first if possible.

You won't see "action: dkim-signed" because that's not an action like "reject".

It's better to test with postfix integration (smtpd_milters/non_smtpd_milters).
Then you can send emails to yourself and have a look at the headers added by rspamd.

> I do have a question about the settings module. I see two different suggestions that seem similar:
> 
> * The one from the FAQ
>   <https://rspamd.com/doc/faq.html#can-i-just-sign-messages-using-dkim>
> * The one from the DKIM signing
>   <https://rspamd.com/doc/modules/dkim_signing.html#optimize-signing-only-mode>
> 
> These differ in what keywords are involved, and it isn't clear to me how those are selected. In the FAQ the settings are 'sign_id', 'sign_authenticated' and 'sign_networks', but under DKIM signing, it's just 'dkim_signing'. Do I perhaps need both?

"dkim_signing", "sign_networks", ... are just names you can choose:

settings {
  foobar {
    authenticated = true;
    apply {
      symbols_enabled = ["DKIM_SIGNED"];
      flags = ["skip_process"];
    }
  }
}

Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
Then it enables DKIM_SIGNED only and skips spam processing.

If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.

So it's just a name for a user setting that defines which emails are to be dkim signed.

Best regards,
Gerald
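
Added example, not part of the original message and not rspamd code: a small Python check for the "send emails to yourself and have a look at the headers" test described above. It reports, for each DKIM-Signature header in a saved message, the d= domain, the s= selector, the DNS name of the public key, and whether From is covered; it does not verify the signature cryptographically. The sample message, domain and selector are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (all values are made up for illustration).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=mail2024; t=1705965140; h=from:to:subject:date:message-id;
 bh=AAAA; b=BBBB
From: Alice <alice@example.org>
To: alice@example.org
Subject: dkim test
Date: Mon, 22 Jan 2024 23:12:20 +0000
Message-ID: <test-1@example.org>

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_signatures(raw):
    """Return one summary dict per DKIM-Signature header; [] means unsigned."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(sig))
        domain = tags.get("d", "").lower()
        selector = tags.get("s", "")
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        results.append({
            "domain": domain,
            "selector": selector,
            # DNS name where receivers fetch the public key
            "dns_name": f"{selector}._domainkey.{domain}",
            "from_signed": "from" in signed,      # From must be covered by h=
            "matches_from": domain == from_domain,
        })
    return results

if __name__ == "__main__":
    for summary in check_signatures(SAMPLE) or ["no DKIM-Signature header found"]:
        print(summary)
```

An empty result on a message sent through the milter means no signing rule matched that connection.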


