[Rspamd-Users] First Time: DKIM Signing Only

Gerald Galster list+rspamd at gcore.biz
Thu Jan 25 22:06:08 UTC 2024


> On 1/24/2024 6:21 PM, Gerald Galster wrote:
>>> while others will be sent out. The ARC and DKIM Signing modules'
>>>   docs list a number of conditions they consider before signing,
>>>   although they don't explicitly mention that the message must be
>>>   heading outbound. Is it possible these already provide most of the
>>>   filtering required?
>> Yes.
>> 
>>>     o [I will definitely be using settings to limit what is signed
>>>       during testing!]
>>> * If it is up to me, is there a standard recipe to identify outbound mail?
>> For dkim-signing replace outbound with authenticated. The direction does
>> not matter but usually only authenticated users can send emails, so
>> dkim-signed mails are usually outbound.
> 
> DKIM signing authenticated email is certainly something we'll need, so thanks for that. The mailing lists are more complicated. Incoming mail comes in via SMTP, so not authenticated, and is delivered via local(8) to the mailing list software. The message is then resubmitted after minor modifications via sendmail(1). If I understand correctly, I will need to identify the two cases separately. Since the messages will be modified, they need to be ARC-signed when they first arrive, then they need to be DKIM-signed after resubmission. Presumably something like this should work for the first case:
> 
>   inbound_list_email {
>     rcpt = my-internal-incoming-mail-alias1;
>     rcpt = my-internal-incoming-mail-alias2;
>     apply { symbols_enabled = ["ARC_SIGNED"]; }
>   }
> 
> For the second case, is there some way I can pass in an argument via sendmail that I can use to identify outbound mailing list messages? If so, I could use that to enable DKIM signing and ideally DMARC munging as well.

There are several options depending on your software stack.

For example, mailman could run in its own virtual machine/container and accept mails via lmtp.
Then it has a dedicated (internal) ip which you could authorize for dkim signing in rspamd.

Or you could add an additional smtp service in postfix master.cf: copy smtpd to smtpd2 and bind that to an additional ip.
Via Postfix's sender-dependent transport you could override the nexthop target for mails coming from @mailinglist_domains to smtpd2.
https://www.postfix.org/postconf.5.html#default_transport

This way you could also set a tag that is provided to rspamd:
https://www.postfix.org/postconf.5.html#milter_macro_daemon_name

master.cf:
smtpd2 ...
  -o milter_macro_daemon_name=mymailinglist

https://rspamd.com/doc/configuration/settings.html#settings-structure

rspamd settings conf:

mailinglist {
	...
	request_header {
		"MTA-Tag" = "mymailinglist";
	}
	apply {
		symbols_enabled = ["DKIM_SIGNED"];
		flags = ["skip_process"];
	}
}

I'm not sure, but I don't think you can add this kind of parameter when calling /usr/sbin/sendmail.

It's also possible to run multiple postfix instances on the same server:
https://www.postfix.org/MULTI_INSTANCE_README.html

Mailman knows about dkim/arc and could sign mails independently of rspamd and has options for dmarc mitigation.

You could also reject invalid dkim-signed mails before delivering to the mailinglist software.
Then only valid mails are accepted, all existing dkim-headers can be removed and the mails that are delivered to subscribers will be signed with the mailinglist key only (= no arc). I know some people disagree, but I do not see additional benefits with adding arc to mailinglists.

Best regards,
Gerald
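As an added illustration of the settings logic discussed above (this is not rspamd's code and not part of the original thread), the following Python script models how the rspamd settings module would pick a settings entry for a message: all conditions inside one entry must hold, a list such as several rcpt values matches any recipient, and entries are tried in priority order. It includes the three selectors from the thread (rcpt for the inbound list aliases, request_header MTA-Tag for the dedicated smtpd2 service, and a trusted internal IP for a separate Mailman host) plus an authenticated-users entry, and it makes the point that MTA-Tag comes from the milter daemon_name macro set by the MTA, so a remote sender who adds an "MTA-Tag" message header does not get their mail signed. All addresses, names and priorities are constructed assumptions.

```python
"""Simplified model of rspamd settings selection (hypothetical, not rspamd code).

Supported conditions: `authenticated`, `ip`, `rcpt`, `request_header`.
`request_header` values are taken from MTA-supplied milter macros
(Postfix's milter_macro_daemon_name arrives as MTA-Tag), never from the
message's own headers, which the remote sender controls.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Message:
    client_ip: str
    authenticated: bool
    rcpts: list
    headers: dict = field(default_factory=dict)        # message headers (sender-controlled)
    milter_macros: dict = field(default_factory=dict)  # supplied by the MTA, not the sender


# Constructed settings modelled on the thread. Higher priority is tried first;
# within one entry every listed condition must match (AND).
SETTINGS = [
    {"name": "inbound_list_email", "priority": 10,
     "rcpt": ["list-in-alias1@example.org", "list-in-alias2@example.org"],
     "apply": {"symbols_enabled": ["ARC_SIGNED"]}},
    {"name": "mailinglist", "priority": 10,
     "request_header": {"MTA-Tag": "mymailinglist"},   # smtpd2 -o milter_macro_daemon_name
     "apply": {"symbols_enabled": ["DKIM_SIGNED"], "flags": ["skip_process"]}},
    {"name": "mailman_host", "priority": 10,
     "ip": ["192.0.2.0/24"],                            # dedicated Mailman VM/container (assumed range)
     "apply": {"symbols_enabled": ["DKIM_SIGNED"]}},
    {"name": "authenticated_users", "priority": 5,
     "authenticated": True,
     "apply": {"symbols_enabled": ["DKIM_SIGNED"]}},
]


def _matches(setting, msg):
    """True when every condition present in `setting` holds for `msg`."""
    if "authenticated" in setting and msg.authenticated != setting["authenticated"]:
        return False
    if "ip" in setting:
        addr = ip_address(msg.client_ip)
        if not any(addr in ip_network(net) for net in setting["ip"]):
            return False
    if "rcpt" in setting:
        wanted = {r.lower() for r in setting["rcpt"]}
        if not any(r.lower() in wanted for r in msg.rcpts):   # OR within the list
            return False
    if "request_header" in setting:
        for key, value in setting["request_header"].items():
            # Only MTA-supplied macros count; msg.headers is deliberately ignored.
            if msg.milter_macros.get(key) != value:
                return False
    return True


def select_setting(msg):
    """Return the first matching entry in descending priority order, or None."""
    for setting in sorted(SETTINGS, key=lambda s: -s["priority"]):
        if _matches(setting, msg):
            return setting
    return None


def symbols_enabled(msg):
    """Symbols rspamd would run for `msg`; an empty list means no signing at all."""
    setting = select_setting(msg)
    return setting["apply"]["symbols_enabled"] if setting else []


if __name__ == "__main__":
    cases = {
        "internet mail to list alias": Message("203.0.113.5", False, ["list-in-alias1@example.org"]),
        "resubmitted via smtpd2": Message("192.0.2.10", False, ["subscriber@example.net"],
                                          milter_macros={"MTA-Tag": "mymailinglist"}),
        "forged MTA-Tag header from internet": Message("203.0.113.5", False, ["someone@example.net"],
                                                       headers={"MTA-Tag": "mymailinglist"}),
        "authenticated submission": Message("198.51.100.7", True, ["someone@example.net"]),
    }
    for label, m in cases.items():
        chosen = select_setting(m)
        print(f"{label}: {chosen['name'] if chosen else '(none)'} -> {symbols_enabled(m)}")
```

Note the ordering effect: an authenticated user who mails the list alias hits `inbound_list_email` (priority 10) before `authenticated_users` (priority 5), so the message is ARC-signed on arrival and only DKIM-signed after Mailman resubmits it through smtpd2.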