Using DMS image with custom entrypoint and keeping rspamd DKIM enabled? #3803

MohammedNoureldin · 2024-01-21T23:18:02Z

MohammedNoureldin
Jan 21, 2024

Hi,

I created an init container in K8s that will do some work that I do not want to do in the main container. Basically DKIM initialization using Rspamd.

This container runs the same DMS image as the normal container but with simplified settings:

it has a shell script as custom entrypoint to run setup config dkim with some other work.
it has the required env variables loaded, mainly that RSPAMD is enabled.
mount rspamd DKIM config and the generation path.

Though, the command setup config dkim generates the DKIM using OpenDKIM instead of RSPAMD.

Is that because I am not using the official entrypoint? I checked the code but could not really figure out why is that happening.

What is the easiest way to get the DKIM generated using RSPAMD (using setup script for simplicity) in this custom container?

polarathene · 2024-01-22T06:44:21Z

polarathene
Jan 22, 2024
Maintainer

Though, the command setup config dkim generates the DKIM using OpenDKIM instead of RSPAMD.

Is that because I am not using the official entrypoint? I checked the code but could not really figure out why is that happening.

This is due to implementation to add the rspamd support not being how I would have approached it.

docker-mailserver/target/bin/open-dkim

Lines 3 to 13 in 3cbcdb2

    
           # shellcheck source=../scripts/helpers/index.sh 
        
           source /usr/local/bin/helpers/index.sh 
        
           if [[ -f /etc/dms-settings ]] && [[ $(_get_dms_env_value 'ENABLE_RSPAMD') -eq 1 ]]; then 
        
             if [[ $(_get_dms_env_value 'ENABLE_OPENDKIM') -eq 1 ]]; then 
        
               log 'error' "You enabled Rspamd and OpenDKIM - OpenDKIM will be implicitly used for DKIM keys" 
        
             else 
        
               /usr/local/bin/rspamd-dkim "${@}" 
        
               exit 
        
             fi 
        
           fi

The original setup config dkim command is called, and is still named open-dkim. Right at the start after importing the necessary helper scripts, it checks if /etc/dms-settings exists, and then queries that file for the ENV. Why this decision has been handled that way I am not entirely sure.

As that logic is required to pass to run the alternative rspamd generation script, it relies upon DMS to have been started and to have run it's initial setup scripts which involves a step (variables.sh) to read ENV we support, set any defaults as fallback values and write this to /etc/dms-settings since not everything has ENV awareness IIRC 🤷‍♂️ (you'd have to track the history of /etc/dms-settings being introduced and notably the related helper method, to get the reasoning for relying on it that way)

You could instead have the entrypoint run the rspamd script directly, ignoring the convenience of setup config dkim CLI:

https://github.com/docker-mailserver/docker-mailserver/blob/3cbcdb2d6517b6c61818afb49c0eb58ee82b6202/target/bin/rspamd-dkim

Look at the help content there and just ignore the setup config dkim portion and call the script bash /path/to/script instead. The script file is relocated at build to /usr/local/bin/:

docker-mailserver/Dockerfile

Lines 297 to 301 in 3cbcdb2

    
           COPY \ 
        
             target/bin/* \ 
        
             target/scripts/*.sh \ 
        
             target/scripts/startup/*.sh \ 
        
             /usr/local/bin/

What is the easiest way to get the DKIM generated using RSPAMD (using setup script for simplicity) in this custom container?

I'll cover this in a guide below (eventually it'll be integrated into DMS), feel free to skip to the TLDR section and for any further understanding check through the more verbose step-by-step guide above that 👍

If you want to run the current rspamd DKIM CLI script, follow advice above with /usr/local/bin/rspamd-dkim args-here where args-here would be those from the rspamd-dkim help output (which setup dkim config would delegate to if you had an existing rspamd DMS setup to docker exec into).

Below advice ignores OpenDKIM/Rspamd in favor of generic generation of DKIM keypair. Follow-up post has the rspamd specific dkim_signing.conf advice / insights.

Generating DKIM keypair

If you only need to generate the DKIM key itself, none of the additional features related to that script, this has nothing to do with OpenDKIM or Rspamd and can be done as I'd rather see it implemented (OpenDKIM / Rspamd agnostic): #3630

That issue also links to earlier feedback from me where I was suggesting how we should approach it in more detail to be generic.

I'm not sure why you'd want to generate DKIM keys at the entrypoint considering this would need to update DNS records and really shouldn't be part of the container startup process (I guess you can have an entrypoint script that only creates the key based on some condition like the files not existing yet though?). You could have a side-car container that provides the same support / functionality?

Let's use step-cli crypto keypair:

# `--user "$(id -u):$(id -g)"` assigns ownership of generated DKIM key files to your running user.
# NOTE: If the local volume path is not created, it may be created as root,
# in which case you'd need `--user "0:0"` instead to have write permissions.
# `--workdir` sets the location the command is run at, which is where the files will be generated.
#
# `step crypto keypair` command options:
# `--insecure --no-password` opts-out of requiring a password to use the keypair (like you might for SSH).
# `--kty RSA --size 2048` generates a RSA 2048-bit keypair which is appropriately secure.
# `mail.public mail.private` the pubic and private key file names
# NOTE: `mail` here is the DKIM selector (it is useful to have the selector as the file name for rspamd config to reference)
docker run --rm -it \
  --user "0:0" \
  --volume "${PWD}/docker-data/dms/config/:/tmp/step-cli/" \
  --workdir "/tmp/step-cli/" \
  smallstep/step-cli \
  step crypto keypair \
    --insecure --no-password \
    --kty RSA --size 2048 \
    mail.public mail.private

Extract out the public key to use with DNS TXT record value:

# This is to handle the part covered by of our DKIM DNS docs (expand the collapsed admonition on `<selector>.txt` formatting):
# https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/dkim_dmarc_spf/#dkim-dns

# The public key can be derived from the private key:
# https://smallstep.com/docs/step-cli/reference/crypto/key/
$ step crypto key public mail.private | awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }'
# But since we already have the private key, you could also just feed that through to awk instead:
$ cat mail.public | awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }'


# From this mail.public:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU5Knu4K6WVxI5oMLNmw
STXkv9lxD2tdfhX/+J14RmW2cdG85vyvQTvn8Togmbwy7khkBZShw1wS/0zen4sK
Ea2eFNUMPhbfrZ001sEvOpUhqHmmjb7DV3+tsOVLRXxWBZG027ZGYO0eELJaaJWq
3rZ4DJOBagdg2E1Hwpik0sOyPJDGV4clDDFgyXZ5vW5cQFI3AUEXahrST2Kz6va8
Uo389Oa2npYOCGFhyq95kKtwbbq9gKPOhAdoM4EUHcXT0d6wfA4tTBKJ3lfT17Gn
fOkN8US/dot+XsgAHl76ADULmqqJfO583MK+DyHlvpQEdd/jr6o4jwxd/itJkX3E
uQIDAQAB
-----END PUBLIC KEY-----

# To this (single line):
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU5Knu4K6WVxI5oMLNmwSTXkv9lxD2tdfhX/+J14RmW2cdG85vyvQTvn8Togmbwy7khkBZShw1wS/0zen4sKEa2eFNUMPhbfrZ001sEvOpUhqHmmjb7DV3+tsOVLRXxWBZG027ZGYO0eELJaaJWq3rZ4DJOBagdg2E1Hwpik0sOyPJDGV4clDDFgyXZ5vW5cQFI3AUEXahrST2Kz6va8Uo389Oa2npYOCGFhyq95kKtwbbq9gKPOhAdoM4EUHcXT0d6wfA4tTBKJ3lfT17GnfOkN8US/dot+XsgAHl76ADULmqqJfO583MK+DyHlvpQEdd/jr6o4jwxd/itJkX3EuQIDAQAB

However an RSA 2048-bit public key is large, which some DNS services expect you to split into multiple 255-byte lengths/chunks (if you don't have a service that transparently handles that for you). No worries, that's the next part I documented:

# Here we've got the initial `cat` + `awk`, followed by another series of commands to format the value into chunks:
# My original suggestion for this differed a little bit, notably `fold` in Alpine Linux is the BusyBox version which
# doesn't have `--width`, only `-w`. It also lacks redirection support `<<<` unless using bash.
$ cat mail.public \
  | awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }' \
  | awk '{print "p="$1}' | fold -w 255 | sed -E 's#(.*)#        "\1"#'

# The final line of the above command:
# 1. The 2nd `awk` => Prepends `p=` to the start of the public key value
# 2. `fold` splits to lines of max width 255 characters
# 3. `sed` takes each line and indents it with 8 spaces, followed by wrapping the value in double quotes.
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU5Knu4K6WVxI5oMLNmwSTXkv9lxD2tdfhX/+J14RmW2cdG85vyvQTvn8Togmbwy7khkBZShw1wS/0zen4sKEa2eFNUMPhbfrZ001sEvOpUhqHmmjb7DV3+tsOVLRXxWBZG027ZGYO0eELJaaJWq3rZ4DJOBagdg2E1Hwpik0sOyPJDGV4clDDFgyXZ5vW5cQFI3AUEXahrST2Kz6"
        "va8Uo389Oa2npYOCGFhyq95kKtwbbq9gKPOhAdoM4EUHcXT0d6wfA4tTBKJ3lfT17GnfOkN8US/dot+XsgAHl76ADULmqqJfO583MK+DyHlvpQEdd/jr6o4jwxd/itJkX3EuQIDAQAB"

You'd then provide whichever value format above is relevant to your DNS service, unless you're managing the DNS zone file yourself, you'd have something like:

# NOTE: This is the same zone file format generated by rspamd.
#
# Variables:
# SELECTOR=mail
# PUBLIC_KEY_SPLIT=<multi-line value output from above>
cat <<EOF
${SELECTOR}._domainkey IN TXT ( "v=DKIM1; k=rsa; "
${PUBLIC_KEY_SPLIT}
) ;
EOF

Giving us:

mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU5Knu4K6WVxI5oMLNmwSTXkv9lxD2tdfhX/+J14RmW2cdG85vyvQTvn8Togmbwy7khkBZShw1wS/0zen4sKEa2eFNUMPhbfrZ001sEvOpUhqHmmjb7DV3+tsOVLRXxWBZG027ZGYO0eELJaaJWq3rZ4DJOBagdg2E1Hwpik0sOyPJDGV4clDDFgyXZ5vW5cQFI3AUEXahrST2Kz6"
        "va8Uo389Oa2npYOCGFhyq95kKtwbbq9gKPOhAdoM4EUHcXT0d6wfA4tTBKJ3lfT17GnfOkN8US/dot+XsgAHl76ADULmqqJfO583MK+DyHlvpQEdd/jr6o4jwxd/itJkX3EuQIDAQAB"
) ;

TLDR

For good measure, ignoring the step-cli container (you could use Alpine and install the step-cli package, or have it available on a host system), here's the commands to generate the above without all the documentation noise:

# Create an RSA 2048-bit keypair for DKIM usage:
step crypto keypair mail.public mail.private --kty RSA --size 2048 --no-password --insecure

# Format multi-line split public key for DNS record:
cat mail.public \
  | awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }' \
  | awk '{print "p="$1}' | fold -w 255 | sed -E 's#(.*)#        "\1"#'

And now as a script you can mount and call with your preferred selector / keysize if you don't like those defaults:

#!/bin/bash

# Args:
SELECTOR=${1:-mail}
KEYSIZE=${2:-2048}

# Create your own keypair instead of via `opendkim-genkey` or `rspamadm dkim_keygen`:
step crypto keypair "${SELECTOR}.public" "${SELECTOR}.private" --kty RSA --size "${KEYSIZE}" --no-password --insecure

# Extract public key contents into single line prepended with `p=`
PUBLIC_KEY=$(cat "${SELECTOR}.public" | awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }' | awk '{print "p="$1}')

# Split into quote wrapped lines 255 chars wide, then indent (8 spaces)
PUBLIC_KEY_MULTILINE=$(fold -w 255 <(cat "${PUBLIC_KEY}") | sed -E 's#(.*)#        "\1"#')

# Create a complimentary DNS zone file record (like rspamd does):
cat << EOF > "${SELECTOR}.dns.txt"
${SELECTOR}._domainkey IN TXT ( "v=DKIM1; k=rsa; "
${PUBLIC_KEY_MULTILINE}
) ;
EOF

Example of usage:

$ chmod +x ./create_dkim_keypair.sh
$ ./create_dkim_keypair.sh dms 3072
Your public key has been saved in dms.public.
Your private key has been saved in dms.private.

# Files created locally:
$ ls -l
create_dkim_keypair.sh
dms.dns.txt
dms.private
dms.public

# RSA 3072-bit with custom selector like requested:
# https://smallstep.com/docs/step-cli/reference/crypto/key/inspect
$ step crypto key inspect dms.private | grep bit
RSA Private-Key: (3072 bit)

4 replies

polarathene Jan 22, 2024
Maintainer

Probably skip to the TLDR one on this, prior was a bit adhoc as I tried to navigate my way around the rspamd support scripts logic for DKIM.

NOTE: I've not verified/tested this advice.

Rspamd DKIM config

I am not too experienced with the rspamd support, but I did look at a way to support dynamic configuration for DKIM config here.

Let's ignore that for now and just focus on the current DMS v13.3 rspamd DKIM config docs. We can create a dkim_signing.conf as suggested there (here is the current equivalent that the setup config dkim rspamd support command generates, along with it's own function to take the rspamd zone file and display that to the user):

# documentation: https://rspamd.com/doc/modules/dkim_signing.html
enabled = true;

sign_authenticated = true;
sign_local = true;

use_domain = "header";
use_redis = false; # don't change unless Redis also provides the DKIM keys
use_esld = true;
check_pubkey = true; # you want to use this in the beginning

selector = "mail";
# The path location is searched for a DKIM key with these variables:
# - `$domain` is sourced from the MIME mail message `From` header
# - `$selector` is configured for `mail` (as a default fallback)
path = "/tmp/docker-mailserver/rspamd/dkim/keys/$domain/$selector.private";

You want to set selector to whatever you're using (if not mail).
And change that path to the location you want to place your DKIM keys if you don't like the one shown there (here is the current rspamd setup config dkim logic for paths it uses, those rspamd path variables are defined here).
If you do have multiple selectors that you need to support (such as for both RSA and ECC DKIM keys), consider the selector_map config setting that DMS should integrate at some point 👍

You probably have to adjust the keypair permissions to match the _rspamd user/group (along with the folder they're stored in).

There's a currently bug report about this ownership shifting during the v13.2 to v13.3 image release upgrade.
This is why I generally encourage not configuring services to use files from users data/config volume directly, but have DMS support making an internal copy.

I can see that RSPAMD_DMS_DKIM_D is the DKIM path used only by this rspamd-dkim CLI support, and rough support added for check-for-changes.sh (just logs a notification of change detection). So the improvement to make an internal copy during startup hasn't landed yet. When it does, updating the DKIM keys from the DMS config volume should update the internal copy (that doesn't exist in DMS yet) and there will be no ownership issues then :)

So to clarify, right now rspamd DKIM support appears to have no hard-coded path in DMS.

You provide them via your config volume at /tmp/docker-mailserver or anywhere else
You're also currently meant to provide your own dkim_signing.conf config to point to those files (our current DKIM DNS docs for rspamd looks a bit out of sync / confusing).

Ah, the dkim_signing.conf file is checked at startup and makes some assumptions on path setting(s) in that file to lookup the DKIM files. That won't work with my suggestion to use the dynamic path support rspamd offers, and was something I was not aware of when I approved the PR for the docs contribution, whoops.

In that case you'll need to provide a hard-coded path to the single .private file or as the docs show for multi-key support (which is where my earlier yq approach was intended to help before I knew about selector_map):

domain {
    example.com {
        path = /tmp/docker-mailserver/rspamd/example.com/ed25519.private";
        selector = "dkim-ed25519";
    }
    example.org {
        selectors [
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.org/rsa.private";
                selector = "dkim-rsa";
            },
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.org/ed25519.private";
                selector = "dkim-ed25519";
            }
        ]
    }
}

TLDR

AFAIK you only need to provide a dkim_signing.conf file (setup config dkim rspamd support can generate this).

Create a dkim_signing.conf file (inside DMS the expected location is the DMS config volume with the file at /tmp/docker-mailserver/rspamd/override.d/dkim_signing.conf):

# documentation: https://rspamd.com/doc/modules/dkim_signing.html
enabled = true;

sign_authenticated = true;
sign_local = true;

use_domain = "header";
use_redis = false; # don't change unless Redis also provides the DKIM keys
use_esld = true;
check_pubkey = true; # you want to use this in the beginning

# Hard-coded `path` for supporting a single DKIM key + domain:
# NOTE: Hard-coding may be required due to current rspamd DKIM verification script logic
path = "/tmp/docker-mailserver/rspamd/dkim/keys/example.com/mail.private";

# Otherwise this is better:
# selector = "mail";
# path = "/tmp/docker-mailserver/rspamd/dkim/keys/$domain/$selector.private";

For rspamd DKIM keys appear to be expected at /tmp/docker-mailserver/rspamd/dkim/ (startup scripts will parse path from dkim_signing.conf to check DKIM keys for correct ownership):

docker-mailserver/target/scripts/helpers/rspamd.sh

Lines 18 to 23 in 3cbcdb2

    
           readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d' 
        
           readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d' 
        
           readonly RSPAMD_DMS_D='/tmp/docker-mailserver/rspamd' 
        
           readonly RSPAMD_DMS_DKIM_D="${RSPAMD_DMS_D}/dkim" 
        
           readonly RSPAMD_DMS_OVERRIDE_D="${RSPAMD_DMS_D}/override.d"

docker-mailserver/target/scripts/startup/setup.d/security/rspamd.sh

Lines 310 to 313 in 3cbcdb2

    
           function __rspamd__check_dkim_permissions() { 
        
             local DKIM_CONF_FILES DKIM_KEY_FILES 
        
             [[ -f ${RSPAMD_LOCAL_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_LOCAL_D}/dkim_signing.conf") 
        
             [[ -f ${RSPAMD_OVERRIDE_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_OVERRIDE_D}/dkim_signing.conf")

During startup (or change detection - which is not presently available when using LDAP), /tmp/docker-mailserver/rspamd/override.d/ is copied to an internal location (but the sibling DKIM folder is not):

docker-mailserver/target/scripts/startup/setup.d/security/rspamd.sh

Lines 78 to 80 in 3cbcdb2

    
           if [[ -d ${RSPAMD_DMS_OVERRIDE_D} ]]; then 
        
             cp "${RSPAMD_DMS_OVERRIDE_D}"/* "${RSPAMD_OVERRIDE_D}" 
        
           fi

docker-mailserver/target/scripts/check-for-changes.sh

Lines 182 to 207 in 3cbcdb2

    
           function _rspamd_changes() { 
        
             # RSPAMD_DMS_D='/tmp/docker-mailserver/rspamd' 
        
             if [[ ${CHANGED} =~ ${RSPAMD_DMS_D}/.* ]]; then 
        
               # "${RSPAMD_DMS_D}/override.d" 
        
               if [[ ${CHANGED} =~ ${RSPAMD_DMS_OVERRIDE_D}/.* ]]; then 
        
                 _log_with_date 'trace' 'Rspamd - Copying configuration overrides' 
        
                 rm "${RSPAMD_OVERRIDE_D}"/* 
        
                 cp "${RSPAMD_DMS_OVERRIDE_D}"/* "${RSPAMD_OVERRIDE_D}" 
        
               fi 
        
               # "${RSPAMD_DMS_D}/custom-commands.conf" 
        
               if [[ ${CHANGED} =~ ${RSPAMD_DMS_CUSTOM_COMMANDS_F} ]]; then 
        
                 _log_with_date 'trace' 'Rspamd - Generating new configuration from custom commands' 
        
                 _rspamd_handle_user_modules_adjustments 
        
               fi 
        
               # "${RSPAMD_DMS_D}/dkim" 
        
               if [[ ${CHANGED} =~ ${RSPAMD_DMS_DKIM_D} ]]; then 
        
                 _log_with_date 'trace' 'Rspamd - DKIM files updated' 
        
               fi 
        
               _log_with_date 'debug' 'Rspamd configuration has changed - restarting service' 
        
               supervisorctl restart rspamd 
        
             fi 
        
           }

MohammedNoureldin Jan 22, 2024
Author

Thanks for the great explanation and for showing how to do it completely standalone without the need to do it inside the container. Actually this is much better, as the generation can be generated earlier and stored as K8s secret, which is cleaner. I will give that a try and let you know.

Regarding the second part:

AFAIK you only need to provide a dkim_signing.conf file (setup config dkim rspamd support can generate this).

I tried that, I tried even to start Rspamd before calling setup config dkim, but still it kept generating the keys using opendkim. I am not sure why. But if it can be simply generated outside the container itself, it is a cleaner approach and I will go with it.

polarathene Jan 22, 2024
Maintainer

Actually this is much better, as the generation can be generated earlier and stored as K8s secret, which is cleaner

When I have the time to, setup config dkim would generate the DKIM keypair as demonstrated above, and the OpenDKIM/Rspamd related configs would be either generated alongside it, via complimentary command or created at runtime for keys found if no explicit config was provided I think.

That should still be usable for running via the container (where /etc/dms-settings shouldn't be relied upon), and you could store it the same way you've mentioned here 👍

I tried that, I tried even to start Rspamd before calling setup config dkim, but still it kept generating the keys using opendkim. I am not sure why.

I wrote a lot above, you probably missed it but the implementation for setup config dkim to switch to the rspamd script is a bit quirky.

It is reliant upon being run when DMS is already setup and running due to /etc/dms-settings reliance, it fetches the ENV for checking if rspamd is enabled via that rather than checking the ENV directly.

There's nothing special to generate with dkim_signing.conf, other than a hard-coded path value to avoid some warning logs that would be omitted presently I think.

polarathene Jan 23, 2024
Maintainer

For reference, the advice provided here was revised and added to: #3630 (comment)

Docker Mailserver

Using DMS image with custom entrypoint and keeping rspamd DKIM enabled? #3803

Uh oh!

Uh oh!

MohammedNoureldin Jan 21, 2024

Replies: 1 comment · 4 replies

Uh oh!

Uh oh!

polarathene Jan 22, 2024 Maintainer

Generating DKIM keypair

TLDR

Uh oh!

Uh oh!

polarathene Jan 22, 2024 Maintainer

Rspamd DKIM config

TLDR

Uh oh!

Uh oh!

MohammedNoureldin Jan 22, 2024 Author

Uh oh!

polarathene Jan 22, 2024 Maintainer

Uh oh!

polarathene Jan 23, 2024 Maintainer

MohammedNoureldin
Jan 21, 2024

Replies: 1 comment 4 replies

polarathene
Jan 22, 2024
Maintainer

polarathene Jan 22, 2024
Maintainer

MohammedNoureldin Jan 22, 2024
Author

polarathene Jan 22, 2024
Maintainer

polarathene Jan 23, 2024
Maintainer