[Rspamd-Users] First Time: DKIM Signing Only

Allen, Norton T. allen at huarp.harvard.edu
Wed Jan 24 15:57:05 UTC 2024


On 1/22/2024 6:12 PM, Gerald Galster wrote:
>> Guess why? I've been putting DKIM signing off for too long.
>>
>> I've spent the past couple days poring over the rspamd documentation (and the DKIM, ARC, DMARC, and Google doc). I just threw together my best guess at the configuration I think would work, including:
>>
>> * /etc/rspamd/local.d/arc.conf: closely following the example here
>>    <https://rspamd.com/doc/modules/arc.html>
> If you're using rspamd for "DKIM signing only" then you're all about sending email, not receiving and filtering spam.
>
> https://en.wikipedia.org/wiki/Authenticated_Received_Chain
>
> "Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing."
>
> If you don't receive email, there are no signatures to verify by ARC.
> If you don't forward received DKIM-signed email, there is no point in ARC signing.

Correct. We do receive mail, we forward mail and we have a number of 
mailing lists. We have upstream spam and anti-virus, which is why we are 
looking to skip that here.


>
> [...]
>
>> I will be integrating with postfix, but I'd like to test rspamd separately first if possible.
> You won't see "action: dkim-signed" because that's not an action like "reject".
>
> It's better to test with postfix integration (smtpd_milters/non_smtpd_milters).
> Then you can send emails to yourself and have a look at the headers added by rspamd.

Fair enough


>
>> I do have a question about the settings module. I see two different suggestions that seem similar:
>>
>> * The one from the FAQ
>>    <https://rspamd.com/doc/faq.html#can-i-just-sign-messages-using-dkim>
>> * The one from the DKIM signing
>>    <https://rspamd.com/doc/modules/dkim_signing.html#optimize-signing-only-mode>
>>
>> These differ in what keywords are involved, and it isn't clear to me how those are selected. In the FAQ the settings are 'sign_id', 'sign_authenticated' and 'sign_networks', but under DKIM signing, it's just 'dkim_signing'. Do I perhaps need both?
> "dkim_signing", "sign_networks", ... are just names you can choose:
>
> settings {
>    foobar {
>      authenticated = true;
>      apply {
>        symbols_enabled = ["DKIM_SIGNED"];
>        flags = ["skip_process"];
>      }
>    }
> }
>
> Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
> Then it enables DKIM_SIGNED only and skips spam processing.
>
> If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.
>
> So it's just a name for a user setting that defines which emails are to be dkim signed.

That is definitely helpful. A few things I am still unclear on.

  * Is it up to me to figure out through settings which messages are
    outbound and hence need to be DKIM signed? In order to process
    outbound messages, the doc says to specify rspamd in both
    smtpd_milters and non_smtpd_milters, which IIUC means all messages
    go through rspamd. Some of those ultimately go to local delivery,
    while others will be sent out. The ARC and DKIM Signing modules'
    docs list a number of conditions they consider before signing,
    although they don't explicitly mention that the message must be
    heading outbound. Is it possible these already provide most of the
    filtering required?
      o [I will definitely be using settings to limit what is signed
        during testing!]
  * If it is up to me, is there a standard recipe to identify outbound mail?
  * Since I am not currently interested in spam filtering or anti-virus,
    I would like to disable just about everything on any messages that
    are not outbound. If there is a recipe to identify what does need
    signing, is there a way to match every other condition in order to
    specify 'symbols_enabled = [];' say?
      o I could imagine there could be a low priority group that matches
        everything (somehow) with higher priority groups to identify
        mail for signing. The settings doc is unclear whether it
        supports a section with an empty match list or whether it would
        interpret that as a match or not. (I will just try to test that,
        but it would be good to know whether the behavior is supported.)
      o Is there a better way?

Thanks for your help!
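An added example that is not part of the thread: a settings file built along the lines Gerald describes, with one rule for SASL-authenticated submissions and one for an internal relay range. It assumes the file lives at /etc/rspamd/local.d/settings.conf (where the outer `settings { }` wrapper of the quoted example is not needed, because local.d files are merged into the module section), that ARC signing has been enabled in arc.conf, and that 192.0.2.0/24 stands in for the real relay addresses (an RFC 5737 documentation range used as a placeholder).

```ucl
# /etc/rspamd/local.d/settings.conf
# Added example, not from the original thread or the rspamd documentation.
# Assumptions: submission clients authenticate with SASL (postfix passes
# the sasl_username milter macro to rspamd); internal relays live in
# 192.0.2.0/24 (placeholder); arc.conf is configured so ARC_SIGNED exists.

# Rule names ("sign_authenticated", "sign_networks") are free-form labels.
sign_authenticated {
  priority = high;
  authenticated = true;            # matches any SASL-authenticated session
  apply {
    symbols_enabled = ["DKIM_SIGNED", "ARC_SIGNED"];
    flags = ["skip_process"];      # no spam/AV scoring for these messages
  }
}

sign_networks {
  priority = high;
  ip = ["192.0.2.0/24"];           # placeholder: internal relays that submit outbound mail
  apply {
    symbols_enabled = ["DKIM_SIGNED", "ARC_SIGNED"];
    flags = ["skip_process"];
  }
}
```

A message that matches neither rule (for example inbound mail arriving on port 25 from the Internet) gets rspamd's default processing, so these two rules decide what is signed but do not by themselves switch filtering off for everything else. To check the result, send a message through an authenticated session to a mailbox you control and confirm that the delivered copy carries a DKIM-Signature header (and an ARC-Seal/ARC-Message-Signature pair if ARC is on) while carrying no spam-scoring symbols in the headers rspamd adds.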

