bug report: Rspamd dkim_signing module should have try_fallback = false ?

[Codelica]

📝 Preliminary Checks

• I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

I'm not an rspamd expert by any means, but was noticing that rspamd seemed to be trying to sign (DKIM) every message -- not just outbound email from local domains. For example if an inbound email from Gmail came, I'd something like this would be logged:

7/19/2023, 11:35:42 AM	rspamd_proxy	1295	proxy	b2bf53	cannot load dkim key /var/lib/rspamd/dkim/gmail.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/gmail.com.dkim.key' No such file or directory

After some Googling, I came across this issue which basically says that's the expected result if try_fallback = true which seems to be the default currently:

rspamd/rspamd#2832

Perhaps that should be set to false ? I did so in my override.d/dikim_signing.conf and the issue seems to have dissapeared without any repercussions that I can tell.

👟 Reproduction Steps

• Enable rspamd
• Send inbound email from external domains
• Check history/error log for spamd

🐋 DMS Version

v12.1.0

💻 Operating System and Architecture

Debian 11

⚙️ Container configuration files

N/A but can provided if needed

📜 Relevant log output

7/19/2023, 11:35:42 AM	rspamd_proxy	1295	proxy	b2bf53	cannot load dkim key /var/lib/rspamd/dkim/gmail.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/gmail.com.dkim.key' No such file or directory
7/19/2023, 11:26:55 AM	rspamd_proxy	1294	proxy	d6988d	cannot load dkim key /var/lib/rspamd/dkim/linkedin.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/linkedin.com.dkim.key' No such file or directory
... ETC ...

[williamdes]

I had to add this config in the file you mentioned.

path = "/etc/opendkim/keys/$domain/$selector.private";
selector = "mail";

And it started to sign internal emails. It validated when I checked with https://www.appmaildev.com/en/dkimfile

[Codelica]

I think we may be talking about two different things. :)

I'm coming into DMS fresh, so I never setup keys via OpenDKIM. Rather I just created them via setup config dkim domain xxxxxx.com for each domain and then added entried for them to my rspamd/override.d/dkim_signing.conf I've verified things are signed for my domains when outbound mail is sent.

What I was seeing is that inbound mail (from say gmail.com, linkedin.com, etc) that gets run through rspamd for filtering was also trying to be signed by rspamd (in addition to being verified). That's where the log entries about not being able to find keys for gmail.com, linkedin.com, etc were coming from. Apparently that's because the current conf has try_fallback = true set for the dkim signing module. Setting that to false did stop all of that inbound signing log activity, and my local outbound email are still signed before heading out.

So I'm thinking that's just not the default that's wanted ? i'm still very new to DMS and rspamd though, so I could be confused. :)

[williamdes]

Well, yeah jumped in since you reported the errors I have the fix for. So apply my fix and it will fix the errors.
Rspamd is quite new here at dms, spamassasin works out of the box.

That said I might be out of topic, but at least here is the fix. But DMS should fix this out of the box

[Codelica]

Well, I think the fix you mention would be for people who are/were using OpenDKIM to create their local keys and just want rspamd to know where those keys are located for signing outbound mail from local domains -- which would be a different issue.

What I'm saying is that rspamd currently seems to be trying to sign all mail -- not just outbound mail from local domains you have keys for.

For example, if an email comes in to your server from someone@gmail.com, rspamd will currently try to sign it using a key for gmail.com, which obviously you won't have :) , and will log that it can't find the key.

Give this a shot on your Docker host some time and see what comes up:

docker exec mailserver cat /var/log/supervisor/rspamd.log |grep 'cannot load dkim key'

I'm thinking you will see results from that and they will likely be from inbound email from remote domains which it shouldn't be trying to sign -- because try_fallback=true currently.

[williamdes]

Hmm, that's not what I concluded. The error happens when I try to write to some local user.
I am struggling disabling rspamd on outbound emails, it should not do spam check and header re write for outbound emails. IMO.

Bur that's definitely interesting, until now I can not confirm I tries for other domains.
Let's let's some DMS people search about all this ^^

[polarathene]

You're probably going to have to wait on @georglauterbach when he has time to spare, as he's helming the rspamd feature integration.

In the meantime, this can probably be reproduced offline with two DMS instances and a local DNS (eg: CoreDNS container) + certs (eg: Smallstep container/CLI) if it's helpful to simulate a third-party like gmail.

---

The issue you linked seems to be convincing with the last comment though: rspamd/rspamd#2832 (comment)

As does this section of the Rspamd DKIM docs. So defaulting to try_fallback=false sounds good 👍 I'll leave that decision to @georglauterbach

[williamdes]

Thanks

For clarification @Codelica you are sending @gmail emails from your dms setup with some kind of email relay setup?

[Codelica]

@williamdes I think you hit on the right clue ! :)

Basically I have DMS setup on the side to test before swapping out my current mail server. So I have my current mail server configured to also relay all incoming email to DMS for testing. However, apparently because that mail host is on the local network (mynetworks?), rspamd is trying to add DKIM signing on the mail even though it's "from" remote domains. As a quick test I changed port forwarding to DMS directly and send a couple from Gmail which didn't trigger the dkim key not found warning.

I hope that's not too confusing! But basically once I move DMS into production I shouldn't see those signing issues as remote mail will all be from remote host connections.

However that does seem to mean try_fallback=true will try to DKIM sign any email accepted from "local" network hosts, regardless if the from address is a local domain or not.

So I'm still not sure if that's what is wanted in the end? Obviously if there is a local relay feeding external email it will hit the situation I was seeing. And really a fall back doesn't seem necessary if all the local domains have their DKIM key info in dkim_signing.conf explicitly. I'm not sure. That's probably for your rspam guru to contemplate.

Sorry for the confusion though, the situation is different than I originally thought.

EDIT: FWIW sign_local = true; seems to be involved here also, basically telling rspamd to DKIM sign all email accepted by local connections. sign_authenticated=true; is also set which I think(?) is what most people would want/expect -- basically sign everything originating from local authenticated users.

[georglauterbach]

After reading through all of this, and looking at the docs etc. I agree that try_fallback = false; should be the default. I will provide a PR.

---

Moreover, we can discuss using sign_local = false; instead of our current default. Rspamd does not know about Postfix's configuration at all, so mynetworks from Postfix is not involved here - after all, you can use Rspamd without Postfix perfectly fine. It is Rspamd's local_networks (also see this part of the Rspamd docs). We do not set a default because we cannot confidently guess which networks our users are using. The only setting would be 127.0.0.1/8; we should add this to our default configuration. So, arguably, sign_local should indeed become false because we cannot confidently set the defaults that this setting is relying upon. I will provide a PR.

[Codelica]

Sorry to drop the ball here, I was gone mountain biking with my son this weekend. Thanks for checking into this. 👍

[georglauterbach]

No worries, I am currently very slow to respond, and it might take several days.

[Codelica]

One other thing I've run into (which I can definitely start a new issue for if needed) which is also DKIM related, is RSPAMD's allow_username_mismatch option for DKIM. Basically without that set to true, an authenticated user (user@somedomain.com) won't have email DKIM signed when sending as another valid domain alias they may have (user@anotherdomain.com). I suppose some may want that strict though? Maybe just something worth including in the config with comment? Just thinking out loud. :)

[polarathene]

One other thing I've run into (which I can definitely start a new issue for if needed) which is also DKIM related, is RSPAMD's allow_username_mismatch option for DKIM.

Probably best to raise a separate issue for that, but if that's a bit of a hassle, wait until @georglauterbach responds as he might be happy to update the existing PR for this issue to include that fix too.

Our ENV SPOOF_PROTECTION=1 would partially imply it should not allow mismatch, although we have a way for Postfix to permit sending as other users with that enabled (undocumented), which is probably sufficient, thus allow_username_mismatch can probably always be allowed.

[georglauterbach]

I'd like a bit more discussion about allow_username_mismatch. @Codelica can you please open a new issue and explain this in just a bit more detail?:) What about aliases from the same domain? Moreover, @polarathene is right - we might want to make this dependent on SPOOF_PROTECTION?

Either way, I am going to merge #3439 for now, which will close this issue.

[polarathene]

Moreover, @polarathene is right - we might want to make this dependent on SPOOF_PROTECTION?

I state at the end that it's probably not necessary.

SPOOF_PROTECTION=1 should have Postfix prevent mismatch anyway. While it's undocumented, we do have support for allowing an account to send as additional users via a config file.

Virtual aliases can send as themselves when logging in via the virtual alias (and actual account recipient as login), however this is only because of the Dovecot dummy account workaround for Dovecot Quotas, may not work when the quota feature is disabled. The mentioned config file could allow aliases or any regex for an account to approved of more sender addresses.

Rspamd allow_username_mismatch isn't going to be compatible with additional approved senders, and since SPOOF_PROTECTION=1 should be enforcing this rule at the Postfix level for outbound mail, I think this rspamd setting doesn't need to be disabled.

TL;DR: allow_username_mismatch=true should be ok regardless 👍

EDIT: Unless I'm mistaken. I know Postfix is using the SASL login to compare with sender address, whereas rspamd wouldn't have that information and is presumably about a mismatch from the two mail headers of the sender address? (not sure if that changes on the Postfix end, might have some value 🤷‍♂️ )