[TODO]: Consider rspamd DKIM config to use selector_map #3778

Open
polarathene opened this issue Jan 14, 2024 · 0 comments
Labels
area/configuration (file) area/scripts kind/improvement Improve an existing feature, configuration file or the documentation meta/help wanted The OP requests help from others - chime in! :D service/security/dkim-dmarc-spf service/security/rspamd stale-bot/ignore Indicates that this issue / PR shall not be closed by our stale-checking CI

polarathene commented Jan 14, 2024

Description

Referencing my review comment here, selector_map might be a good approach for automating generation of multiple DKIM selectors when necessary. It's unlikely our path convention would change, and as per the PR contribution, a standard path convention / template can use variables for the selector (with a default fallback) and domain.

    # local.d/dkim_signing.conf
    try_fallback = true;
    path = "/tmp/docker-mailserver/dkim/keys/$domain/$selector.private";
    selector_map = "/etc/rspamd/dkim_selectors.map";
    selector = "mail";

  • try_fallback = true; AFAIK is to permit fallback to that default selector variable.

  • path is the template used, where $domain is the domain being handled (defaults to MIME From (message header), not SMTP From mail header (envelope sender) although you can configure for that), and $selector will either be mail from above, or changed to a matching selector if found in selector_map.

  • A selector_map is just a key/value pair per line delimiting key/values by white-space. If a domain matches, it'll use that selector:

    example.com dkim-example
    another-domain.com another-selector
    

Additional Notes

I'm not 100% sure how that works for domains with multiple selectors available, such as to support both RSA and ECC DKIM keys.

The path example uses the Docker config volume directly, but would probably be an internal location that the files are copied to. It's ideally unified with OpenDKIM config to share a common location for keys as these should technically be no different. It's a question raised by users several times about migrating to rspamd if they need to generate keys again or can use the same ones created for OpenDKIM without much friction.

$domain is additionally derived from use_domain (what part of the mail to source the domain from, or a fixed domain) and use_esld = true (normalize domains to eSLD (effective second-level domain), ignores any subdomains).

The unified DKIM path and generation is related to #3630
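
One way to generate the map file from the key path convention described in this issue (added example, not code from docker-mailserver or rspamd; `generate_selector_map` is a hypothetical helper name). Following the post's description, a domain whose only key uses the default selector gets no entry, and a domain with several keys is reported on stderr rather than mapped.

```shell
#!/bin/sh
# Added example, not docker-mailserver code: build selector_map lines from key
# files stored as <keys_dir>/<domain>/<selector>.private (the path template
# quoted in the issue). generate_selector_map is a hypothetical helper name.
#
# Usage: generate_selector_map <keys_dir> [default_selector]
# Prints "<domain> <selector>" on stdout, one line per mapped domain.
# Returns 1 if any domain had to be skipped (reason on stderr).
generate_selector_map() (
  keys_dir=$1
  default_selector=${2:-mail}   # mirrors: selector = "mail";
  status=0

  for domain_dir in "$keys_dir"/*/; do
    [ -d "$domain_dir" ] || continue
    domain=$(basename "$domain_dir")
    count=0
    selector=
    for key in "$domain_dir"*.private; do
      [ -f "$key" ] || continue
      count=$((count + 1))
      selector=$(basename "$key" .private)
    done

    # No key file: nothing to map for this domain.
    [ "$count" -gt 0 ] || continue

    # Several keys (e.g. RSA + ECC): a one-selector-per-line map cannot
    # express that, so report it instead of silently picking one.
    if [ "$count" -gt 1 ]; then
      echo "skip $domain: $count keys found, choose the selector manually" >&2
      status=1; continue
    fi

    # The map is whitespace-delimited and both values end up in a file path,
    # so accept only hostname-style characters.
    case "$domain$selector" in
      *[!A-Za-z0-9._-]*)
        echo "skip $domain: unexpected character in domain or selector" >&2
        status=1; continue ;;
    esac

    # Assumption taken from the post: the default selector applies when a
    # domain has no map entry, so such domains are left out.
    if [ "$selector" = "$default_selector" ]; then continue; fi
    printf '%s %s\n' "$domain" "$selector"
  done
  exit "$status"
)
```
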
