rspamd does not sign emails with DKIM after upgrade to 12.1.0 #3481

regisb · 2023-08-14T11:33:33Z

regisb
Aug 14, 2023

Greetings ya'll! I've been running DMS for a few years now and have been very impressed with the project, both in terms of reliability, reactivity from the maintainers and quality of documentation. Thank you for all the hard work!

Now I'm facing an issue which I am unable to resolve on my own. I just upgraded from v11.3.1 to v12.1.0. Since I was so frustrated with spamassassin, I decided to replace it with rspamd. The upgrade went smoothly (again: kudos) but I'm now facing an issue with DKIM: emails I send are no longer signed.

The initial diagnosis was provided by https://www.mail-tester.com/ The only issue it reported was that my email was not signed with DKIM. I verified that by sending test emails to a Gmail address: the received email does not include any DKIM-related header.

The DMS container has the following settings: (among others)

ENABLE_OPENDKIM=0
ENABLE_OPENDMARC=0
ENABLE_POLICYD_SPF=0
ENABLE_RSPAMD=1
ENABLE_CLAMAV=0
RSPAMD_LEARN=1
RSPAMD_GREYLISTING=0
RSPAMD_HFILTER=1
RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
ENABLE_AMAVIS=0
ENABLE_RSPAMD_REDIS=1

Here's my /etc/rspamd/override.d/dkim_signing.conf configuration:

# documentation: https://rspamd.com/doc/modules/dkim_signing.html

enabled = true;

sign_authenticated = true;
sign_local = true;

use_domain = "header";
use_redis = false;   # don't change unless Redis also provides the DKIM keys
use_esld = true;

check_pubkey = true; # you wan't to use this in the beginning

domain {
    mydomain1.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain1.com.private.txt";
        selector = "mail";
    }
    mydomain2.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain2.com.private.txt";
        selector = "mail";
    }
}

1024 bit keys were generated with:

setup config dkim keysize 1024 domain mydomain1.com
setup config dkim keysize 1024 domain mydomain2.com

I updated the corresponding DNS records, and they seem to match, as shown by:

$ opendkim-testkey -d mydomain1.com -s mail -k /tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain1.com.private.txt 
opendkim-testkey: /tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain1.com.private.txt: WARNING: unsafe permissions

Also, I verified the DKIM records with https://mxtoolbox.com and https://easydmarc.com/tools/dkim-lookup

User _rspamd does have read access to all these files, as shown by:

$ su -s /bin/bash _rspamd -c sh -c "cat /tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain1.com.private.txt"
...
$ su -s /bin/bash _rspamd -c sh -c "cat /etc/rspamd/override.d/dkim_signing.conf"
...

Here are some of the recent logs from /var/log/supervisor/rspamd.log:

2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; dkim_module_config: init internal dkim module
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_init_lua_filters: init lua module dkim_signing from /usr/share/rspamd/plugins/dkim_signing.lua; digest: ef1e58a0f6
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule SURBL_MULTI: checks: alive,helo,dkim,emails,replyto,urls,rdns
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule URIBL_MULTI: checks: alive,helo,dkim,emails,replyto,urls,rdns
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule SEM_URIBL_UNKNOWN: checks: alive,dkim,emails,urls
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule RSPAMD_URIBL: checks: alive,dkim,emails,urls
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule SEM_URIBL_FRESH15_UNKNOWN: checks: alive,dkim,emails,urls
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule DWL_DNSWL: checks: alive,user,local,dkim
2023-08-14 10:49:49 #4213(main) <azpcyg>; lua; rbl.lua:1086: added rbl rule DBL: checks: alive,helo,dkim,emails,replyto,urls,rdns
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/local.d/maps.d/dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_map_parse_backend: map '/var/lib/rspamd/dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/maps.d/dkim_whitelist.inc' is not found, but it can be loaded automatically later
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/local.d/maps.d/spf_dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
2023-08-14 10:49:49 #4213(main) <azpcyg>; cfg; rspamd_map_parse_backend: map '/var/lib/rspamd/spf_dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
2023-08-14 10:49:49 #4213(main) <dyatkr>; map; rspamd_map_read_http_cached_file: read cached data for https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst from /var/lib/rspamd/2368c73b937d98513ed72c4b04f4247bda43fdb5.map, 2871 bytes; next check at: 2023-08-14 12:08:58; last modified on: 2021-10-11 22:00:04; etag: (NULL)
2023-08-14 10:49:49 #4213(main) <dyatkr>; map; read_map_file: /etc/rspamd/local.d/maps.d/spf_dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
2023-08-14 10:49:49 #4213(main) <dyatkr>; map; read_map_file: /var/lib/rspamd/spf_dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
2023-08-14 10:49:49 #4213(main) <dyatkr>; map; rspamd_kv_list_fin: read hash of 237 elements from https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst
2023-08-14 10:49:49 #4213(main) <8m79ek>; map; read_map_file: /etc/rspamd/local.d/maps.d/dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
2023-08-14 10:49:49 #4213(main) <8m79ek>; map; read_map_file: /var/lib/rspamd/dkim_whitelist.inc.local: map file is not found; it will be read automatically if created

Nothing looks out of the ordinary there.

When I modify dkim_signing.conf to use an incorrect DKIM private key file, I do see a warning in the logs:

2023-08-14 10:11:19 #3650(rspamd_proxy) <55d0a6>; proxy; lua_dkim_sign_handler: public key for mydomain1.com/mail does not match private key: pubkey does not match private key

So this seems to indicate that the configuration and DKIM private key files are properly loaded.

I also added symbol = "DKIM_SIGNED"; to dkim_signing.conf. But when I access the rspamd web UI, the symbol is not added to any email that I send.

Here's the relevant section from rspamadm configdump:

dkim_signing {                                                                                                                                                                                                     
    sign_networks [                                                                                                                                                                                                
        "127.2.4.7",                                                                                                                                                                                               
    ]                                                                                                                                                                                                              
    symbol = "DKIM_SIGNED";                                                                                                                                                                                        
    sign_authenticated = true;                                                                                                                                                                                     
    use_esld = true;                                                                                                                                                                                               
    selector = "dkim";                                                                                                                                                                                             
    allow_envfrom_empty = true;                                                                                                                                                                                    
    allow_hdrfrom_multiple = false;                                                                                                                                                                                
    sign_local = true;                                                                                                                                                                                             
    try_fallback = true;                                                                                                                                                                                           
    use_redis = false;                                                                                                                                                                                             
    key_prefix = "DKIM_KEYS";                                                                                                                                                                                      
    domain {                                                                                                                                                                                                       
        mydomain1.com {                                                                                                                                                                                                
            path = "/tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain1.com.private.txt";                                                                                                                       
            selector = "mail";                                                                                                                                                                                     
        }                                                                                                                                                                                                          
        mydomain2.com {                                                                                                                                                                                                
            path = "/tmp/docker-mailserver/rspamd/dkim/rsa-1024-mail-mydomain2.com.private.txt";                                                                                                                       
            selector = "mail";                                                                           
        }                             
    }                    
    use_domain = "header";
    allow_hdrfrom_mismatch = false;
    allow_username_mismatch = false;
    check_pubkey = true;
    enabled = true;
}

I also read (and followed the advice) from the following conversations:
#3220
#3343

Any other ideas?

Answered by regisb

Aug 14, 2023

Found it!!! The authenticated username does not contain "mydomain1.com", because that domain was added as an alias. In such a case, the following needs to be added to dkim_signing.conf:

allow_username_mismatch = true;

I suggest to add this line to the default generated config file, or at least to add a note about it.

View full answer

regisb · 2023-08-14T13:22:32Z

regisb
Aug 14, 2023
Author

Found it!!! The authenticated username does not contain "mydomain1.com", because that domain was added as an alias. In such a case, the following needs to be added to dkim_signing.conf:

allow_username_mismatch = true;

I suggest to add this line to the default generated config file, or at least to add a note about it.

1 reply

polarathene Aug 14, 2023
Maintainer

This has been found and already queued up for v13 release: #3453

I'm not sure when that release will be out, but in the meantime using edge may be an option.

regisb · 2023-08-14T13:24:32Z

regisb
Aug 14, 2023
Author

Not 100% related, but during my research I stumbled upon the following line in /etc/postfix/main.cf:

smtpd_milters = $rspamd_milter $rspamd_milter

I'm wondering if the duplicated $rspamd_milter is on purpose, or is it a sed mistake?

1 reply

polarathene Aug 14, 2023
Maintainer

Yes that's a mistake. The author of the code related to that fixed the same bug for $dkim_milter (upcoming v13 release) but looks like they've missed this one for $rspamd_milter which had the same approach.

I raised a bug report about it, so it'll be resolved for v13.

This kind of bug though is semi-expected.

As the bug report notes, we are aware of the DMS startup scripts not playing well when the container is restarted (carrying internal state over), instead of recreated (scripts work with expected internal scripts baked into the image, not already modified).

A proper blanket fix would likely involve keeping the original configs we expect stored elsewhere and copying them over. Although if users have mounted files over the proper locations (not something DMS officially supports AFAIK, due to the problem itself), this would overwrite their configs accidentally.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker Mailserver

rspamd does not sign emails with DKIM after upgrade to 12.1.0 #3481

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Docker Mailserver

rspamd does not sign emails with DKIM after upgrade to 12.1.0 #3481

Uh oh!

regisb Aug 14, 2023

Replies: 2 comments · 2 replies

Uh oh!

regisb Aug 14, 2023 Author

Uh oh!

polarathene Aug 14, 2023 Maintainer

Uh oh!

regisb Aug 14, 2023 Author

Uh oh!

polarathene Aug 14, 2023 Maintainer

regisb
Aug 14, 2023

Replies: 2 comments 2 replies

regisb
Aug 14, 2023
Author

polarathene Aug 14, 2023
Maintainer

regisb
Aug 14, 2023
Author

polarathene Aug 14, 2023
Maintainer