[Rspamd-Users] First Time: DKIM Signing Only
Gerald Galster
list+rspamd at gcore.biz
Wed Jan 24 23:21:28 UTC 2024
>> "dkim_signing", "sign_networks", ... are just names you can choose:
>>
>> settings {
>>   foobar {
>>     authenticated = true;
>>     apply {
>>       symbols_enabled = ["DKIM_SIGNED"];
>>       flags = ["skip_process"];
>>     }
>>   }
>> }
>>
>> Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
>> Then it enables DKIM_SIGNED only and skips spam processing.
>>
>> If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.
>>
>> So it's just a name for a user setting that defines which emails are to be dkim signed.
>
> That is definitely helpful. A few things I am still unclear on.
>
> * Is it up to me to figure out through settings which messages are
> outbound and hence need to be DKIM signed? In order to process
The example above is primarily to enable dkim signing and disable
*all other* spam checks.
See: https://rspamd.com/doc/modules/dkim_signing.html#principles-of-operation
"In order to be eligible for signing, an email must either be received from an
authenticated user, a reserved (local) IP address, ..."
If rspamd receives an email via milter from postfix that a user sent after
sasl authentication, then rspamd will see that information on the milter
connection and consider the mail eligible for dkim signing if
"sign_authenticated = true;" in dkim_signing.conf.
An email received from e.g. amazon is not sasl_authenticated and is not
received from a local ip and will therefore not be signed.
> outbound messages, the doc says to specify rspamd in both
> smtpd_milters and non_smtpd_milters, which IIUC means all messages
> go through rspamd. Some of those ultimately go to local delivery,
smtpd_milters is for emails received via smtp connections, that means
sockets on port 25, 587 ...
non_smtpd_milters is for emails received by calling the /usr/sbin/sendmail
binary or from a queue file (pickup).
Cron-Mails or PHP-scripts using the mail() function are typically using
/usr/sbin/sendmail and won't be dkim-signed if non_smtpd_milters is unset.
> while others will be sent out. The ARC and DKIM Signing modules'
> docs list a number of conditions they consider before signing,
> although they don't explicitly mention that the message must be
> heading outbound. Is it possible these already provide most of the
> filtering required?
Yes.
> o [I will definitely be using settings to limit what is signed
> during testing!]
> * If it is up to me, is there a standard recipe to identify outbound mail?
For dkim-signing replace outbound with authenticated. The direction does
not matter but usually only authenticated users can send emails, so
dkim-signed mails are usually outbound.
> * Since I am not currently interested in spam filtering or anti-virus,
> I would like to disable just about everything on any messages that
> are not outbound. If there is a recipe to identify what does need
> signing
I can't tell, this depends on your setup. You could set sign_authenticated
to false and sign_local to false in dkim_signing.conf and enable it
for select ip addresses only (sign_networks ...).
Best regards,
Gerald
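
A simplified model of the eligibility rules discussed in this thread, added here as an example (it is not part of the message above and not rspamd's own code). It shows which messages end up eligible for signing under two configurations, including mail injected through /usr/sbin/sendmail, which Postfix presents to milters as a connection from 127.0.0.1. Assumptions: `Config`, `signing_decision` and `LOCAL_NETS` are hypothetical names, `LOCAL_NETS` only approximates "reserved (local)" addresses, `sign_networks` is an inline list standing in for the map, and the other dkim_signing checks (domain match, key lookup) are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Approximation of what rspamd treats as "reserved (local)" addresses.
LOCAL_NETS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

@dataclass
class Config:
    non_smtpd_milters: bool = True   # Postfix: rspamd listed in non_smtpd_milters?
    sign_authenticated: bool = True  # dkim_signing.conf
    sign_local: bool = True          # dkim_signing.conf
    sign_networks: list = field(default_factory=list)  # CIDRs (inline stand-in for the map)

def in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)

def signing_decision(via, client_ip, sasl_user, cfg):
    """Return the reason a message is eligible for signing, or None.

    via is "smtp" (port 25/587) or "sendmail" (/usr/sbin/sendmail, pickup).
    """
    if via == "sendmail":
        if not cfg.non_smtpd_milters:
            return None  # the message never passes through rspamd
        # Postfix presents non-SMTP mail to milters as coming from localhost.
        client_ip, sasl_user = "127.0.0.1", None
    ip = ipaddress.ip_address(client_ip)
    if cfg.sign_authenticated and sasl_user:
        return "authenticated"
    if in_any(ip, cfg.sign_networks):
        return "sign_networks"
    if cfg.sign_local and in_any(ip, LOCAL_NETS):
        return "local"
    return None

if __name__ == "__main__":
    # Constructed sample traffic: (description, via, client IP, SASL user).
    traffic = [
        ("authenticated submission", "smtp", "203.0.113.25", "alice"),
        ("external sender, no auth", "smtp", "203.0.113.25", None),
        ("relay host 10.0.0.1", "smtp", "10.0.0.1", None),
        ("cron via sendmail", "sendmail", None, None),
    ]
    locked = Config(sign_authenticated=False, sign_local=False,
                    sign_networks=["10.0.0.0/8"])
    for desc, via, ip, user in traffic:
        print(f"{desc:26} default={signing_decision(via, ip, user, Config())!s:14} "
              f"locked={signing_decision(via, ip, user, locked)}")
```

With both sign_authenticated and sign_local set to false, cron or PHP mail() messages are only eligible if 127.0.0.1 is covered by sign_networks.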