On 3/18/20 8:41 PM, Matthieu wrote:
> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>> Hi everybody
>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ?
>>> My first intention is to sign mails from different domains on a single mail
>>> server. So the
>>>
>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>> smtpd filter.
>>> I've seen the «opensmtpd-filter-dkimsign» packet, but we can only specify
>>> one domain.
>>>
>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>> not.
>>>
>>> Thx for any help.
>>>
>>
>> Hi,
>>
>> There's an example described in the smtpd.conf(5) man page.
>>
>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>
>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>> It's relatively small and also privilege-separated.
>>
>> It has a parameter to set the domain name (-d). In smtpd.conf you can define
>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>> information.
>>
>> I've replaced dkimproxy (Perl-based and complex) with
>> opensmtpd-filter-dkimsign. It works well for my needs.
>>
>
> Hi Hiltjo,
> Currently I already use opensmtpd-filter-dkimsign, but I didn't
> understand how to use it for multiple domains at once.
>
> I've seen the example in the man page :
> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>
> I thought <domain> was to be replaced by only one domain to sign. Is a
> domain a table like Alias? If so, what is the format of the file? But I
> doubt it since in the filter code it doesn't look like a list.
>
> static char *domain = NULL;
> […]
> case 'd':
>     domain = optarg;
> […]
> if (!dkim_signature_printf(message,
>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>     cryptalg, hashalg,
>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>     domain, selector))
>
> Finally in the example given in this presentation it is indeed a single
> domain:
> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>

That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.

I know that some mail providers add an additional positive score to your
spam rating if you have DKIM, but I reckon this is BS, because DKIM is
nothing more than a glorified debugging tool to tell you which server
butchered the content of your mail if every server in the chain adds a
DKIM signature. To be precise: it only tells you that a particular
domain owner (d-option) knows what server(s) a particular key (s-option)
belongs to, so that if a signature fails it could only have happened
before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?

> Besides, I can't find the man page you're talking about:
> https://man.openbsd.org/filter-dkimsign

man.openbsd.org doesn't contain manpages for packages. But it should be
installed with the package (man filter-dkimsign)

>
> Finally, I understand how to write multiple filters, but not how to
> modify the "listen" directive to choose the right filter.
>

You (currently?) can't. If you want multiple conditions on different
filters you would need to create multiple listening sockets (e.g.
multiple ips or ports) and apply the correct match-rules based on the
socket.

martijn@
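
One way to lay out the multiple-listener approach described in the reply above, as an added smtpd.conf example that is not part of the original thread or of the filter-dkimsign documentation. The domains a.example and b.example, the selector "mail", the key paths, the loopback ports 10028/10029 and every filter, action and tag name are assumptions.

```conf
# Added example (not from the thread): one filter-dkimsign instance per
# domain, each attached to its own loopback listener. Domains, selector,
# key paths, ports and all filter/action/tag names are assumptions.

filter "dkimsign_a" proc-exec "filter-dkimsign -d a.example -s mail \
    -k /etc/mail/dkim/a.example.key" user _dkimsign group _dkimsign
filter "dkimsign_b" proc-exec "filter-dkimsign -d b.example -s mail \
    -k /etc/mail/dkim/b.example.key" user _dkimsign group _dkimsign

# Unfiltered entry points for locally submitted mail.
listen on socket
listen on lo0

# One signing listener per domain. The filter signs the message as it
# enters; the tag records which kind of socket the mail arrived on.
listen on lo0 port 10028 filter "dkimsign_a" tag SIGNED
listen on lo0 port 10029 filter "dkimsign_b" tag SIGNED

action "sign_a"   relay host smtp://127.0.0.1:10028
action "sign_b"   relay host smtp://127.0.0.1:10029
action "outbound" relay

# First matching rule wins, so the tag rule must come first: mail that
# already passed a signing listener leaves, everything else is handed to
# the listener whose filter signs for the envelope sender's domain.
match tag SIGNED for any action "outbound"
match mail-from "@a.example" for any action "sign_a"
match mail-from "@b.example" for any action "sign_b"
```

Check the file with `smtpd -n` before restarting the daemon. Mail from a sender domain with no matching rule is not relayed under this layout.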