On Thu, 12 Dec 2024 18:57:48 +0100,
Kirill A. Korinsky <kir...@korins.ky> wrote:
> 
> ports@,
> 
> I'd like to share with you a port of mail/opensmtpd-filter-sign.
> 
> This filter is a fork of mail/opensmtpd-filter-dkimsign, which introduced
> support for both ARC sign and seal.
> 
> It can be used as an in-place replacement for filter-dkimsign.
> 
> New ARC-related options:
>  -A is a switch to create ARC signature;
>  -S is a switch to create ARC seal.
> 
> Additionally, it supports -D file where you can keep one line per domain
> instead of -d domain1 -d domain2 -d domain3.
> 
> The code is available here: https://github.com/catap/opensmtpd-filter-sign
> 
> I have been using it for more than 6 months on my servers, and the last fix
> was made about 6 months ago, and I think this code is ready to be tested by
> anyone who is interested.
> 

Sorry for the noise, but I just realized that I haven't sent everything.

ARC also requires an ARC-Authentication-Results header, which can be added via
mail/opensmtpd-filter-auth.

Here is an updated tgz with two filters.

I use it like this:

    # DKIM, use both signatures: ED25519 and RSA
    filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
           -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
    filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
           -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

    # ARC has only one signature, use RSA as the most supported
    filter arc_auth proc-exec "filter-auth -A"
    filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
           -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
           -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

    # Build the sign chain; RFC 8617 Section 4.1.2 requires that DKIM be included in ARC
    filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

    listen on egress port submission \
           tls-require pki mx.catap.net auth <credentials> \
           mask-src \
           filter sign

-- 
wbr, Kirill

Attachment: opensmtpd-filter-auth-and-sign.tgz
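A structural check for the ARC set that such a chain stamps onto a message, added here as an example and not part of the port or of the mail above: it groups ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results by instance and reports a set missing one of the three headers (the gap the reply corrects), non-contiguous instance numbers, or a cv= value that does not fit the instance. The sample headers are constructed, the signature values are placeholders, and no cryptographic verification is performed.

```python
from collections import defaultdict

# Constructed sample: message headers after the chain above has run; signature values are placeholders.
SAMPLE_HEADERS = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mx.catap.net; s=20240125rsa; t=1734000000; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.catap.net; s=20240125rsa; h=from:subject:dkim-signature; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.catap.net; dkim=pass header.d=example.org
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.org
"""
ARC_FIELDS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def parse_tags(value):
    """Split 'k=v; k=v' into a dict; a bare token (the AAR authserv-id) is stored as 'authserv'."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
        elif part:
            tags["authserv"] = part
    return tags

def arc_sets(raw_headers):
    """Group the three ARC header fields by their instance number i=."""
    sets = defaultdict(dict)
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name in ARC_FIELDS:
            tags = parse_tags(value)
            sets[int(tags["i"])][name] = tags
    return dict(sets)

def check_arc_chain(raw_headers):
    """Structural checks from RFC 8617: sets complete, i= contiguous from 1, cv=none exactly on i=1."""
    sets = arc_sets(raw_headers)
    problems = []
    if sorted(sets) != list(range(1, len(sets) + 1)):
        problems.append(f"instances not contiguous from 1: {sorted(sets)}")
    for i, fields in sorted(sets.items()):
        missing = [f for f in ARC_FIELDS if f not in fields]
        if missing:
            problems.append(f"i={i} missing {missing}")
            continue
        cv = fields["ARC-Seal"].get("cv")
        if (i == 1) != (cv == "none"):  # only the first seal may (and must) carry cv=none
            problems.append(f"i={i} seal has cv={cv}")
    return problems
```

An empty list means the ARC structure is sound; a message with no ARC headers at all also yields an empty list, since absence of ARC is not a malformed chain.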