DKIM signing on foreign domains #2832

Closed
1 of 8 tasks
busybit opened this issue Apr 2, 2019 · 14 comments

busybit commented Apr 2, 2019

Classification (Please choose one option):

  • [ ] Crash/Hang/Data loss
  • WebUI/Usability
  • [X] Unintended behaviour (bug)
  • Enhancement

Reproducibility (Please choose one option):

  • Always
  • Sometimes
  • Rarely
  • Unable
  • I didn’t try
  • Not applicable

Rspamd version: 1.9.0

Operating system: Debian Stretch, CPU: amd64

Description (Please provide a descriptive summary of the issue):

DKIM signing module tries signing for foreign domains

Compile errors (if any):

Relevant logs (see details here):

Expected results:

No signing on foreign domains

Actual results:

Debugging information (see details here):

Configuration (e.g. rspamadm configdump module):

Additional information:

I'm using rspamd for DKIM signing on outgoing mails through the postfix milter. This generally works, but rspamd does not distinguish on sender domains. When forwarding mail through dovecot sieve rules, the mail passes the rspamd milter and it tries to sign the mail. But when forwarding mails, the sender is different from the local domain, and rspamd does not find a key for signing, resulting in an error.
rspamd should only try to sign sender domains listed in the domain section of the configuration.


toto4ds commented Apr 3, 2019

same result

Member

vstakhov commented Apr 3, 2019

I don't understand your question. There are lots of knobs to control signing and I have neither time nor desire to explore your particular setup. So my question is if there is any issue with Rspamd that cannot be resolved by some proper configuration?

Author

busybit commented Apr 3, 2019

rspamd tries to sign EVERY mail that goes through the milter, but it should only sign mails with sender domains that are listed in the domain{} section.

Member

vstakhov commented Apr 3, 2019

Then there is something wrong with your configuration.


hildeb commented Apr 3, 2019 via email

Author

busybit commented Apr 3, 2019

That's a very helpful answer :-(
Maybe the documentation of the DKIM signing module is missing some explanation?

Author

busybit commented Apr 3, 2019

@hildeb: at the moment I have no error messages because I reset them. In the error log of the WebUI I saw error messages that it could not find the signing key (for the foreign sender domains).

Member

vstakhov commented Apr 3, 2019 via email


toto4ds commented Apr 3, 2019

cannot load dkim key /var/lib/rspamd/dkim/tomsk.ru.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/tomsk.ru.dkim.key' Нет такого файла или каталога

Member

vstakhov commented Apr 3, 2019 via email

Author

busybit commented Apr 3, 2019

@vstakhov: I tried it on the mailing list but got no answer. And I assume it's a bug when it tries signing domains which are not listed in the domain{} section. Maybe it's a lack of documentation for proper setup, but then it's a bug in documentation.

Member

vstakhov commented Apr 3, 2019

To understand your problem I need two things: your local config and debug logs for dkim_signing. Everything else is just useless noise, I'm afraid. Please understand my point: I receive quite a lot of reports and messages in the mailing list. I just want to have more productive reports:

https://rspamd.com/doc/faq.html#how-to-debug-some-module-in-rspamd
https://rspamd.com/doc/faq.html#how-to-get-my-configuration

Author

busybit commented Apr 3, 2019

Ok, here is the config and a debug log of dkim_signing on a mail received from gmail and forwarded through a sieve rule.

dkimlog.txt
rspamconfig.gz

Member

vstakhov commented Apr 3, 2019

You have default_path and allow fallback. Hence, Rspamd tries to load keys in the default path. That's all expected behaviour and debug logs clearly show what's happening there:

2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; lua; settings.lua:419: <CANig=CaE5rnsGLvyNtgkLj9GTVuipp3mfFTmMh-SCpgCTwLX7w@mail.gmail.com> apply settings according to rule sign_networks (ip matched)
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:149: mail is from local address
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:244: use domain(header) for signature: gmail.com
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:263: final DKIM domain: gmail.com
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:45: add key "/var/lib/rspamd/dkim/$domain.$selector.key" using default path
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:50: set selector to "dkim" using default selector
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; lua_dkim_tools.lua:50: set domain to "gmail.com" using dkim_domain
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; dkim_signing; dkim_signing.lua:159: using key "/var/lib/rspamd/dkim/gmail.com.dkim.key", use selector "dkim" for domain "gmail.com"
2019-04-03 18:46:19 #7292(rspamd_proxy) <ca0eac>; proxy; dkim_module_load_key_format: cannot load dkim key /var/lib/rspamd/dkim/gmail.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/gmail.com.dkim.key' Datei oder Verzeichnis nicht gefunden

You can disable fallback for your case and Rspamd will use merely specifically defined domains.
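A configuration sketch of the fix described in the comment above, added here as an example and not taken from the thread or from the reporter's attached config. It assumes the fallback in question is the dkim_signing module's `try_fallback` option and that overrides live in `local.d/dkim_signing.conf`; `example.org` and its key path are placeholders.

```ucl
# /etc/rspamd/local.d/dkim_signing.conf  (assumed override location)

# Behaviour seen in the debug log above: a global key path template plus
# fallback means every header-From domain (here gmail.com) gets a key lookup.
#   path = "/var/lib/rspamd/dkim/$domain.$selector.key";
#   selector = "dkim";
#   try_fallback = true;

# Restrict signing to explicitly listed domains:
try_fallback = false;   # do not fall back to the global path/selector

domain {
  example.org {         # placeholder: a domain you actually hold a key for
    path = "/var/lib/rspamd/dkim/example.org.dkim.key";
    selector = "dkim";
  }
}
```

With fallback off, a forwarded message whose From domain has no entry under `domain {}` is left unsigned, so no key lookup is attempted and the "cannot load dkim key" error no longer appears for foreign domains.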
