rspamd - "setup config dkim" only generated DKIM for the main domain, but not the others #3326

Closed
ghnp5 opened this issue May 11, 2023 · 30 comments · Fixed by #3329

Comments

@ghnp5
Contributor

ghnp5 commented May 11, 2023

Hey

I enabled Rspamd, and then ran:

docker exec -it mailserver setup config dkim

However, unlike what happened with the old system (OpenDKIM), I only got the DKIM generated for the main domain, but not the other domains.

Am I doing it right, or do I need to provide an extra parameter for the domain I want to generate, or so?

Thanks!

@ghnp5 ghnp5 added the meta/help wanted The OP requests help from others - chime in! :D label May 11, 2023
@tchapi

tchapi commented May 11, 2023

It kinda looks very related to #3321 if I'm not mistaken?

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

I'm not sure if that's related.

Just that after running docker exec -it mailserver setup config dkim, and then going on the server and checking what is under rspamd/dkim, I only have the keys for the main domain (e.g. "domain1.com"), but not for "domain2.com".

And the output of the command only told me to set up DNS for that "domain1.com".

Shouldn't it create DKIM keys for ALL domains on the server? Like it did for OpenDKIM.

Thanks!

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Ok - looks like I need to run it like this for each domain:

docker exec -it mailserver setup config dkim domain <domain>

Fair enough. But probably it should be more explicit here :)

https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/#dkim
rspamd -> Creating DKIM Keys

@georglauterbach
Member

It kinda looks very related to #3321 if I'm not mistaken?

Not really :)


Shouldn't it create DKIM keys for ALL domains on the server? Like it did for OpenDKIM.

No, this is expected (for now). You will need to run the script for each domain separately as of now, and then adjust dkim_signing.conf manually. In the future, I may be able to extend the script to use all domains that can be found. Or someone else implements this.

@georglauterbach georglauterbach added area/scripts service/security/rspamd and removed meta/help wanted The OP requests help from others - chime in! :D labels May 11, 2023
@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Thanks @georglauterbach

I've just run it for each of the domains. I get all the files in rspamd/dkim, but seems that dkim_signing.conf was NOT updated with the rest of the domains.

I wonder if the reason it wasn't updated is because it's not mounted, as per the logs in #3327

@georglauterbach
Member

georglauterbach commented May 11, 2023

Ok - looks like I need to run it like this for each domain:

docker exec -it mailserver setup config dkim domain <domain>

Fair enough. But probably it should be more explicit here :)

Haha, nice timing :D Yes, this could be improved. I'll provide a PR.

@georglauterbach
Member

I wonder if the reason it wasn't updated is because it's not mounted, as per the logs in #3327

The default configuration only takes into account a single domain; the script is not capable of more. Please mount a custom configuration that uses all domains, as shown in our docs.

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Thanks!

I see the example here - https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/#dkim

But it shows a completely different syntax/structure:

domain {
    example.com {
        selectors [
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.com/rsa.private";
                selector = "dkim-rsa";
            },
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.com/ed25519.private";
                selector = "dkim-ed25519";
            }
        ]
    }
    example.org {
        selectors [
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.org/rsa.private";
                selector = "dkim-rsa";
            },
            {
                path = "/tmp/docker-mailserver/rspamd/dkim/example.org/ed25519.private";
                selector = "dkim-ed25519";
            }
        ]
    }
}

This is what I have as default:

domain {
    domain1.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain1.com.private.txt";
        selector = "mail";
    }
}

Can I just duplicate this into something like this?

domain {
    domain1.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain1.com.private.txt";
        selector = "mail";
    }
    domain2.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain2.com.private.txt";
        selector = "mail";
    }
}

(and couldn't this be easily automated by the setup config dkim domain <domain> program?)

Thanks very much!!!

@georglauterbach
Member

georglauterbach commented May 11, 2023

This is what I have as default:

domain {
    domain1.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain1.com.private.txt";
        selector = "mail";
    }
}

Yes, this is DMS' default.

Can I just duplicate this into something like this?

domain {
    domain1.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain1.com.private.txt";
        selector = "mail";
    }
    domain2.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-domain2.com.private.txt";
        selector = "mail";
    }
}

Looks good and should be working!

(and couldn't this be easily automated by the setup config dkim domain <domain> program?)

You are free to provide a PR :) I'm curious how you'd manage multiple domains that could have multiple selectors though. IMO, writing the file (with the help of our documentation) is easier :)
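An added helper, not part of docker-mailserver or rspamd, that automates what the last two comments discuss: it derives the `domain { ... }` block for dkim_signing.conf from the private-key files that `setup config dkim` leaves in rspamd/dkim, and emits the docs' `selectors [ ... ]` form when one domain has several keys. It assumes the DMS file-name layout seen in this thread, `<type>-<bits>-<selector>-<domain>.private.txt`, with a dash-free selector (domains may contain dashes, like second-domain.com).

```python
"""Hypothetical helper (not part of docker-mailserver): build the `domain { ... }` block
of dkim_signing.conf from the key files in rspamd/dkim. Assumes DMS file names
`<type>-<bits>-<selector>-<domain>.private.txt` with a dash-free selector (domains may have dashes)."""
import re
from collections import defaultdict
from pathlib import Path

KEY_RE = re.compile(
    r"^(?P<type>[a-z0-9]+)-(?P<bits>\d+)-(?P<selector>[^-]+)-(?P<domain>.+)\.private\.txt$"
)
KEY_DIR = "/tmp/docker-mailserver/rspamd/dkim"  # where rspamd sees the keys inside the container

# Constructed sample listing, modelled on the `ls -al` output later in this thread
SAMPLE_NAMES = [
    "rsa-2048-dkim202305-example.com.private.txt",
    "rsa-2048-dkim202305-example.com.public.dns.txt",
    "rsa-2048-dkim202305-example.com.public.txt",
    "rsa-2048-dkim202305-second-domain.com.private.txt",
    "rsa-2048-mail-example.com.private.txt",  # a second selector for example.com
]

def parse_key_files(names):
    """Map domain -> [(selector, file name), ...]; public/DNS files are skipped."""
    keys = defaultdict(list)
    for name in sorted(names):
        m = KEY_RE.match(name)
        if m:
            keys[m["domain"]].append((m["selector"], name))
    return dict(keys)

def render_domain_block(keys, key_dir=KEY_DIR, indent="    "):
    """Render UCL: one key -> path/selector pair (the DMS default form);
    several keys for one domain -> the `selectors [ ... ]` list form from the docs."""
    out = ["domain {"]
    for domain, entries in keys.items():
        out.append(f"{indent}{domain} {{")
        if len(entries) == 1:
            selector, name = entries[0]
            out += [f'{indent * 2}path = "{key_dir}/{name}";', f'{indent * 2}selector = "{selector}";']
        else:
            out.append(f"{indent * 2}selectors [")
            for i, (selector, name) in enumerate(entries):
                comma = "," if i < len(entries) - 1 else ""  # comma between items, as in the docs
                out += [f"{indent * 3}{{", f'{indent * 4}path = "{key_dir}/{name}";',
                        f'{indent * 4}selector = "{selector}";', f"{indent * 3}}}{comma}"]
            out.append(f"{indent * 2}]")
        out.append(f"{indent}}}")
    out.append("}")
    return "\n".join(out) + "\n"

def render_from_dir(path):
    """Same, but reading a real directory (e.g. the host-side rspamd/dkim)."""
    return render_domain_block(parse_key_files(p.name for p in Path(path).iterdir()))
```

`print(render_domain_block(parse_key_files(SAMPLE_NAMES)))` shows the block for the constructed listing; `render_from_dir("rspamd/dkim")` does the same for a real key directory.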

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Ah ok - I understand.

Thank you for all your help today.

It's just that in the "user's side" (my side), every time there is a big upgrade with the mailserver, I always struggle to understand what's going on, and I also never heard of rspamd before, so it's hard to know what I should be doing, or what I should be "relying on DMS to do" :)

Your documentation is great, but for someone that just comes in after an upgrade, it's hard to know what I should focus on 😊👍🏼

(not a bad criticism - I think you are doing as much as you can!!)

@georglauterbach
Member

#3329 should improve the docs - you are indeed right, our docs assume the users know that we do not take care of multiple domains. This will first be visible on the edge docs and later on v13.0.0. You may use the edge docs for Rspamd right now to view the improved documentation. Here is an interim link to what it will look like: https://pullrequest-3329--dms-doc-previews.netlify.app/.

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Perfect - that looks great. Thanks!!!

georglauterbach added a commit that referenced this issue May 11, 2023
* improve Rspamd docs

See #3326 & #3328

* improve warning message

See #3328
@polarathene
Member

It's just that in the "user's side" (my side), every time there is a big upgrade with the mailserver, I always struggle to understand what's going on

That should start to slow down. Many of the bigger breaking changes have been addressed. There are still a few more disruptive ones expected, but those should be more clearly communicated in the changelog / release notes at the time.

@some-user123

@ghnp5 Did you get this to work?

I cannot get emails from another domain signed :-/

My override.d/dkim_signing.conf looks like this:

enabled = true;

sign_authenticated = true;
sign_local = true;

use_domain = "header";
use_redis = false; # don't change unless Redis also provides the DKIM keys
use_esld = true;

check_pubkey = true; # you want to use this in the beginning

domain {
    example.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-dkim202305-example.com.private.txt";
        selector = "dkim202305";
    }
    second-domain.com {
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-dkim202305-second-domain.com.private.txt";
        selector = "dkim202305";
    }
}

It will only sign emails from example.com, not second-domain.com. I've made sure the config is in place for rspamd in the container.

Any other ideas how to debug that? rspamd.log does not show any relevant warning...

@ghnp5
Contributor Author

ghnp5 commented May 16, 2023

Hey

It seems to be working for me, yes, for the extra domains.

Did you also run this, for each domain?

docker exec -it mailserver setup config dkim domain <domain>

and do you confirm the file rspamd/dkim/rsa-2048-dkim202305-second-domain.com.private.txt exists?

Note that, for me, the selector is just "mail".
You also need to add the DNS records accordingly to that selector.

@some-user123

I've run ... setup config dkim domain second-domain.com selector dkim202305.
The file is in place and DNS record is there as well...

Mmh, strange.

@ghnp5
Contributor Author

ghnp5 commented May 16, 2023

Did you try restarting mailserver, by destroying the container and recreating it?

@georglauterbach
Member

georglauterbach commented May 16, 2023

@some-user123 what does rspamadm configdump dkim_signing yield? Do the permissions on the files look good, i.e. can the user _rspamd access them?

Docs about container restarts: https://docker-mailserver.github.io/docker-mailserver/latest/usage/#get-up-and-running

@some-user123

some-user123 commented May 16, 2023

Yes, I re-created the container. Before that my override.d/dkim_signing.conf was not used.

rspamadm configdump dkim_signing yields:

*** Section dkim_signing ***
sign_networks [
    "127.2.4.7",
]
symbol = "DKIM_SIGNED";
sign_authenticated = true;
use_esld = true;
selector = "dkim";
domain {
    example.com{
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-dkim202305-example.com.private.txt";
        selector = "dkim202305";
    }
    second-domain.com{
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-dkim202305-second-domain.com.private.txt";
        selector = "dkim202305";
    }
}
allow_envfrom_empty = true;
allow_hdrfrom_multiple = false;
use_domain = "header";
allow_hdrfrom_mismatch = false;
enabled = true;
allow_username_mismatch = false;
try_fallback = true;
use_redis = false;
key_prefix = "DKIM_KEYS";
check_pubkey = true;
sign_local = true;

*** End of section dkim_signing ***

Permissions are identical to the first domain:

root@mail:/tmp/docker-mailserver/rspamd/dkim# ls -al
total 32
drwxr-xr-x 2 _rspamd _rspamd 4096 May 16 08:53 .
drwxr-xr-x 4 root    root    4096 May 16 09:09 ..
-rw-r----- 1 _rspamd _rspamd 1708 May 10 11:40 rsa-2048-dkim202305-example.com.private.txt
-rw-r--r-- 1 root    root     411 May 10 11:40 rsa-2048-dkim202305-example.com.public.dns.txt
-rw-r--r-- 1 root    root     457 May 10 11:40 rsa-2048-dkim202305-example.com.public.txt
-rw-r----- 1 _rspamd _rspamd 1704 May 16 08:53 rsa-2048-dkim202305-second-domain.com.private.txt
-rw-r--r-- 1 root    root     411 May 16 08:53 rsa-2048-dkim202305-second-domain.com.public.dns.txt
-rw-r--r-- 1 root    root     457 May 16 08:53 rsa-2048-dkim202305-second-domain.com.public.txt

@ghnp5
Contributor Author

ghnp5 commented May 16, 2023

Seems good.. (btw - looks like you missed the replacement of your domains in the first output)

@some-user123

I've added a third domain, that does not have a dash in its name and used selector mail. Same issue.

I found it strange though, that there was no error/warning in the log even though I did not propagate the public key in DNS.

@ghnp5
Contributor Author

ghnp5 commented May 16, 2023

Can you switch the domains (the 2nd into 1st, and 1st into 2nd), and see if it works for that other domain? That should "prove" if it only works for the first or not.

@some-user123

I think I found it.

user@example.com sending mails from localpart@second-domain.com will not be signed.
user@second-domain.com sending mails from localpart@second-domain.com will be signed.

Is that intentional?

@georglauterbach
Member

Seems very reasonable to me. Why would you sign an email with DKIM for domain A when the sender actually is using domain B?

@some-user123

I guess the answer is two steps:

If the mail server sends this mail, it should sign it. If it refuses to sign it (because the user isn't authorized to send it), it should not send it - because the user isn't authorized 😉.
It's inconsistent that the mail server signs some mails it sends with a certain sender domain but not all of them. Whether a particular user is allowed to send a certain email is an internal affair that the mail server has to take care of with the user. In relation to other mail servers it is a valid email coming from a valid mail server and thus should be signed (or not sent at all).

Why should the mail server send mails across domains? (As it currently does.)

Users can also receive mails across domains. Mails to both firstname.lastname@example.com and firstname.lastname@second-domain.com end up in the same mailbox. Why should the user use a different account to send mails for the second address?

@ghnp5
Contributor Author

ghnp5 commented May 16, 2023

To me, that looks like a custom setup that doesn't seem to be usual.

If the email is to be sent using "...@second-domain.com", it should authenticate as that user instead, I believe.

Regardless, this seems to be something that wouldn't be fixable by the Docker Mail Server developers :)
This is just how rspamd/postfix works, I assume.

@georglauterbach
Member

Because, when it comes to DKIM, there is a difference between sending and receiving (in the end, DKIM is asymmetric!). We're talking about signing an email when sending it. This has nothing to do with receiving.

Have you tried different settings for use_domain = "header"; inside Rspamd's configuration?

@some-user123

some-user123 commented May 16, 2023

Obviously, there is a difference between sending and receiving. But why should there be a difference between MTA and DKIM in sending? Either the mail is legit, then sign it and send it. Or it isn't, then refuse to send it.

Phrased differently:
Why can user1@domainA.com send signed emails with sender user2@domainA.com but not with sender user1@domainB.com?

use_domain doesn't help here. allow_username_mismatch does 🙂
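A model, added here and not rspamd's own code, of the dkim_signing decision behind the last few comments: which domain the signature is looked up for (`use_domain`, `use_esld`) and why `allow_username_mismatch = false` leaves mail unsigned when the SASL user's domain differs from it. It assumes usernames are full addresses, as DMS creates them, and reduces a domain to its eSLD by keeping the last two labels (an assumption that is wrong for public suffixes such as co.uk, where rspamd consults a suffix list).

```python
"""Model (not rspamd's code) of the dkim_signing username-mismatch gate discussed above.
Assumptions: SASL usernames are full addresses; eSLD = last two labels of the domain."""

CONFIGURED = {"example.com", "second-domain.com"}  # the two `domain { }` entries in the thread

def esld(domain):
    """Simplified effective second-level domain (assumption: two-label public suffixes only)."""
    return ".".join(domain.lower().split(".")[-2:])

def signing_domain(header_from, envelope_from, use_domain="header", use_esld=True):
    """Domain the key is looked up for: the From: header (DMS default) or the envelope sender.
    rspamd also accepts other use_domain values (e.g. "auth"); they are not modelled here."""
    addr = header_from if use_domain == "header" else envelope_from
    dom = addr.rsplit("@", 1)[1].lower()
    return esld(dom) if use_esld else dom

def will_sign(auth_user, header_from, envelope_from, configured_domains, *,
              use_domain="header", use_esld=True, allow_username_mismatch=False):
    """Return (signed, reason) for an authenticated (SASL) submission."""
    dom = signing_domain(header_from, envelope_from, use_domain, use_esld)
    if dom not in configured_domains:
        return False, f"no key configured for {dom}"
    if not allow_username_mismatch:
        user_dom = auth_user.rsplit("@", 1)[1].lower()
        user_dom = esld(user_dom) if use_esld else user_dom
        if user_dom != dom:
            # The mismatch case from the thread: the message still goes out, only unsigned.
            return False, f"SASL user domain {user_dom} != signing domain {dom}"
    return True, f"signed with the key for {dom}"
```

`will_sign("user@example.com", "localpart@second-domain.com", "localpart@second-domain.com", CONFIGURED)` reproduces the unsigned case, and passing `allow_username_mismatch=True` flips it, as reported above.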

@georglauterbach
Member

georglauterbach commented May 16, 2023

Why can user1@domainA.com send signed emails with sender user2@domainA.com but not with sender user1@domainB.com?

Because this is what we call spoofing. Have you set SPOOF_PROTECTION=0 in your environment? We enable it by default (1) so the behavior you want is disallowed for security reasons. You may be using DMS only yourself; others have multiple users though and you don't want user A to be able to send as user B.

use_domain doesn't help here. allow_username_mismatch does 🙂

Perfect 👌🏽

@polarathene
Member

We enable it by default (1) so the behavior you want is disallowed for security reasons.

VARS[SPOOF_PROTECTION]="${SPOOF_PROTECTION:=0}"

We don't, and there is a blocker issue / discussion as to why when it was last attempted to default that.

Besides, the user1@domainA.com and user2@domainA.com would also be considered spoofing by default, unless an account was configured to permit the other as well (which I don't think we have any support for configuring via setup, nor docs to guide users how to do it manually).


I haven't read the discussion in full, so I'm probably missing some context. I can understand @some-user123's expectation for a single user account that manages multiple domains, especially with the same local part of the address (eg: user1).

DMS creates accounts in Dovecot with the full address IIRC, but that's technically not required for login. An account could be agnostic to addresses it receives mail for and can send as. A more common scenario might be an alias marketing@example.com that goes to multiple recipients in the marketing department, each sending mail out as a different user @example.com 🤷‍♂️

Perhaps in that case, you have several domains, each with their own marketing alias address. If DMS isn't where the mailbox is for the recipients, then it sends mail out to recipients that may be at a different domain. I am not familiar enough with DKIM, but assume that requires signing (probably not the same as what was discussed above).

What about a use-case where several services send mail for password resets and the like through DMS. DMS may likewise be configured to go through a relay host like SendGrid, where you have a single account with credentials. The same can be done with DMS, where your services authenticate on port 587/465 with a single SASL account, but use different sender addresses / domains. Even with SPOOF_PROTECTION=1 you could specifically allow those to all go through the same SASL login managed by Dovecot.
