> In addition to Stuart's comment, you could check out pkg readme:
>
> */usr/local/share/doc/pkg-readmes/opensmtpd-filter-dkimsign*
>
Hello

Could you please show me where the answer to my question is?

"+-----------------------------------------------------------------------
| Running opensmtpd-filter-dkimsign on OpenBSD
+-----------------------------------------------------------------------

To use filter-dkimsign, you must first generate a private key:

    doas -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 2048

To generate the public key ready for dns:

    openssl rsa -in /etc/mail/dkim/private.rsa.key -pubout | \
        sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'

This value needs to be placed in a DNS txt record with the following syntax:

    <selector>._domainkey.<domain>

Edit the /etc/mail/smtpd.conf file to declare the filter:

    filter dkimsign_rsa proc-exec "filter-dkimsign -d <domain> -s <selector> -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign

Then add the filter to each listener that should be signed:

    listen on all filter dkimsign_rsa

To use Ed25519 similar steps must be taken.
Make sure the ed25519 flavor of opensmtpd-filter-dkimsign is installed.

To generate the private key:

    doas -u _dkimsign eopenssl11 genpkey -algorithm ed25519 -outform PEM -out /etc/mail/dkim/private.ed25519.key

To generate the public key ready for dns:

    printf "v=DKIM1;k=ed25519;p=%s" "$(eopenssl11 pkey -outform DER -pubout -in /etc/mail/dkim/private.ed25519.key | tail -c +13 | openssl base64)"

Edit the /etc/mail/smtpd.conf file to declare the filter:

    filter dkimsign_ed25519 proc-exec "filter-dkimsign -a ed25519-sha256 -d <domain> -s <selector> -k /etc/mail/dkim/private.ed25519.key" user _dkimsign group _dkimsign

To add both filters to each listener that should be signed:

    filter dkimsign chain { dkimsign_rsa, dkimsign_ed25519 }
    listen on all filter dkimsign

For a full list of options see filter-dkimsign(8).

Let me show you an error:
This command only works with "doas"! It does not work directly as root!
I do not use doas.

"doas -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 2048"

Thanks
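
An added example, not part of the original message or of the package readme: a Python check for the Ed25519 DNS value that the readme's `tail -c +13 | openssl base64` pipeline produces. It shows why 12 bytes are skipped and flags a record whose p= still holds the full DER output. The function names and the sample key bytes are constructed for illustration.

```python
import base64

# Fixed DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410): 12 bytes,
# which is exactly what `tail -c +13` skips in the readme's pipeline.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def record_from_spki(der: bytes) -> str:
    """Build the TXT value from `pkey -outform DER -pubout` output."""
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    raw = der[len(ED25519_SPKI_PREFIX):]  # the 32-byte raw public key
    return "v=DKIM1;k=ed25519;p=" + base64.b64encode(raw).decode()


def parse_tags(txt: str) -> dict:
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def check_ed25519_record(txt: str) -> str:
    """Return "ok" or a short description of what is wrong with the record."""
    tags = parse_tags(txt)
    if tags.get("v") != "DKIM1":
        return "missing or wrong v= tag"
    if tags.get("k") != "ed25519":
        return "k= is not ed25519"
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return "p= is not valid base64"
    if len(key) == 44 and key.startswith(ED25519_SPKI_PREFIX):
        return "p= still carries the DER header (tail -c +13 was skipped)"
    if len(key) != 32:
        return f"p= decodes to {len(key)} bytes, expected 32"
    return "ok"


# Constructed sample: 32 placeholder bytes, not a real key.
SAMPLE_DER = ED25519_SPKI_PREFIX + bytes(range(32))
SAMPLE_TXT = record_from_spki(SAMPLE_DER)
```

Running `check_ed25519_record` on the TXT value before publishing it catches a truncated or unstripped key, either of which makes verifiers reject the Ed25519 signature.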