[NEW] mail/opensmtpd-filter-dkim

[NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
$ cat pkg/DESCR
filter-dkim is an opensmtpd filter that signs email with a dkim signature.
$

Since I'm not too familiar with ports I would like to pay special
attention to the Makefile of both the port as well as the source.

Also, I currently host the release tarballs at my personal server, which
I also use for generic other stuff and might not always be available.
If someone from the ports team has a more stable location to host the
release tarballs let me know.

Furthermore smtpd.conf allows for filters to be run as another user
(currently undocumented). I know we're tight for uids, but can we
reserve one for this port, so we can protect the dkim signing key from
the smtpd users? Or could it be possible to share a uid with another
port with similar purpose? E.g. dkimproxy?

martijn@



opensmtpd-filter-dkim.tar.gz (1K) Download Attachment

Re: [NEW] mail/opensmtpd-filter-dkim

Gilles Chehade-7
On Sat, Aug 24, 2019 at 06:37:21AM +0200, Martijn van Duren wrote:

> $ cat pkg/DESCR
> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> $
>
> Since I'm not too familiar with ports I would like to pay special
> attention to the Makefile of both the port as well as the source.
>
> Also, I currently host the release tarballs at my personal server, which
> I also use for generic other stuff and might not always be available.
> If someone from the ports team has a more stable location to host the
> release tarballs let me know.
>
> Furthermore smtpd.conf allows for filters to be run as another user
> (currently undocumented). I know we're tight for uids, but can we
> reserve one for this port, so we can protect the dkim signing key from
> the smtpd users? Or could it be possible to share a uid with another
> port with similar purpose? E.g. dkimproxy?
>

Might be worth thinking about reserving one for smtpd filters as a whole
so we don't request a user for each filter ?

Or maybe we could consider one in base and assume all filters to use the
user as a default ?


--
Gilles Chehade       @poolpOrg

https://www.poolp.org            patreon: https://www.patreon.com/gilles


Re: [NEW] mail/opensmtpd-filter-dkim

Stuart Henderson
In reply to this post by Martijn van Duren-7
On 2019/08/24 06:37, Martijn van Duren wrote:

> $ cat pkg/DESCR
> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> $
>
> Since I'm not too familiar with ports I would like to pay special
> attention to the Makefile of both the port as well as the source.
>
> Also, I currently host the release tarballs at my personal server, which
> I also use for generic other stuff and might not always be available.
> If someone from the ports team has a more stable location to host the
> release tarballs let me know.
>
> Furthermore smtpd.conf allows for filters to be run as another user
> (currently undocumented). I know we're tight for uids, but can we
> reserve one for this port, so we can protect the dkim signing key from
> the smtpd users?

Maybe it makes sense to use a shared uid for the other filters, but
it sounds reasonable to assign a new uid for this one.

>                  Or could it be possible to share a uid with another
> port with similar purpose? E.g. dkimproxy?

Definitely prefer not to do that.

Ports UIDs need a more general solution rather than trying to conserve the
odd 1 or 2 here and there.


Re: [NEW] mail/opensmtpd-filter-dkim

Antoine Jacoutot-7
On Sat, Aug 24, 2019 at 09:42:10AM +0100, Stuart Henderson wrote:

> On 2019/08/24 06:37, Martijn van Duren wrote:
> > $ cat pkg/DESCR
> > filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> > $
> >
> > Since I'm not too familiar with ports I would like to pay special
> > attention to the Makefile of both the port as well as the source.
> >
> > Also, I currently host the release tarballs at my personal server, which
> > I also use for generic other stuff and might not always be available.
> > If someone from the ports team has a more stable location to host the
> > release tarballs let me know.
> >
> > Furthermore smtpd.conf allows for filters to be run as another user
> > (currently undocumented). I know we're tight for uids, but can we
> > reserve one for this port, so we can protect the dkim signing key from
> > the smtpd users?
>
> Maybe it makes sense to use a shared uid for the other filters, but
> it sounds reasonable to assign a new uid for this one.
>
> >                  Or could it be possible to share a uid with another
> > port with similar purpose? E.g. dkimproxy?
>
> Definitely prefer not to do that.
>
> Ports UIDs need a more general solution rather than trying to conserve the
> odd 1 or 2 here and there.

Maybe we could also reserve a directory in ports (e.g. mail/opensmtpd-filter)?
So we can have:
mail/opensmtpd-filter/dkim
mail/opensmtpd-filter/dnsbl
and so on...

--
Antoine


Re: [NEW] mail/opensmtpd-filter-dkim

Stuart Henderson
On 2019/08/24 11:52, Antoine Jacoutot wrote:

> On Sat, Aug 24, 2019 at 09:42:10AM +0100, Stuart Henderson wrote:
> > On 2019/08/24 06:37, Martijn van Duren wrote:
> > > $ cat pkg/DESCR
> > > filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> > > $
> > >
> > > Since I'm not too familiar with ports I would like to pay special
> > > attention to the Makefile of both the port as well as the source.
> > >
> > > Also, I currently host the release tarballs at my personal server, which
> > > I also use for generic other stuff and might not always be available.
> > > If someone from the ports team has a more stable location to host the
> > > release tarballs let me know.
> > >
> > > Furthermore smtpd.conf allows for filters to be run as another user
> > > (currently undocumented). I know we're tight for uids, but can we
> > > reserve one for this port, so we can protect the dkim signing key from
> > > the smtpd users?
> >
> > Maybe it makes sense to use a shared uid for the other filters, but
> > it sounds reasonable to assign a new uid for this one.
> >
> > >                  Or could it be possible to share a uid with another
> > > port with similar purpose? E.g. dkimproxy?
> >
> > Definitely prefer not to do that.
> >
> > Ports UIDs need a more general solution rather than trying to conserve the
> > odd 1 or 2 here and there.
>
> Maybe we could also reserve a directory in ports (e.g. mail/opensmtpd-filter)?
> So we can have:
> mail/opensmtpd-filter/dkim
> mail/opensmtpd-filter/dnsbl
> and so on...
>
> --
> Antoine
>

Yes please!


Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
On 8/24/19 12:20 PM, Stuart Henderson wrote:

> On 2019/08/24 11:52, Antoine Jacoutot wrote:
>> On Sat, Aug 24, 2019 at 09:42:10AM +0100, Stuart Henderson wrote:
>>> On 2019/08/24 06:37, Martijn van Duren wrote:
>>>> $ cat pkg/DESCR
>>>> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
>>>> $
>>>>
>>>> Since I'm not too familiar with ports I would like to pay special
>>>> attention to the Makefile of both the port as well as the source.
>>>>
>>>> Also, I currently host the release tarballs at my personal server, which
>>>> I also use for generic other stuff and might not always be available.
>>>> If someone from the ports team has a more stable location to host the
>>>> release tarballs let me know.
>>>>
>>>> Furthermore smtpd.conf allows for filters to be run as another user
>>>> (currently undocumented). I know we're tight for uids, but can we
>>>> reserve one for this port, so we can protect the dkim signing key from
>>>> the smtpd users?
>>>
>>> Maybe it makes sense to use a shared uid for the other filters, but
>>> it sounds reasonable to assign a new uid for this one.

Thanks. Diff below reserves one.
As for Gilles' suggestion to reserve one for all filters in general, I'm
not convinced that's needed, since user _smtpd in general can't do much
damage.
>>>
>>>>                  Or could it be possible to share a uid with another
>>>> port with similar purpose? E.g. dkimproxy?
>>>
>>> Definitely prefer not to do that.
>>>
>>> Ports UIDs need a more general solution rather than trying to conserve the
>>> odd 1 or 2 here and there.

It was just an idea to scrape the barrel considering any bit might help.

>>
>> Maybe we could also reserve a directory in ports (e.g. mail/opensmtpd-filter)?
>> So we can have:
>> mail/opensmtpd-filter/dkim
>> mail/opensmtpd-filter/dnsbl
>> and so on...
>>
>> --
>> Antoine
>>
>
> Yes please!
>
I don't mind doing it that way.

Index: infrastructure/db/user.list
===================================================================
RCS file: /cvs/ports/infrastructure/db/user.list,v
retrieving revision 1.350
diff -u -p -r1.350 user.list
--- infrastructure/db/user.list 2 Aug 2019 21:59:35 -0000 1.350
+++ infrastructure/db/user.list 24 Aug 2019 19:08:18 -0000
@@ -349,3 +349,4 @@ id  user group port options
 838 _i2pd _i2pd net/i2pd
 839 _exabgp _exabgp net/exabgp
 840 _dma _dma mail/dma
+841 _smtpd_dkim _smtpd_dkim mail/opensmtpd-filter/dkim
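
Review bot: the port column of the added 841 line, mail/opensmtpd-filter/dkim, names a directory the port does not live in yet (it was submitted as mail/opensmtpd-filter-dkim), so this entry should be committed with whatever path the port is finally imported under. Reserving the uid only separates the signing key from _smtpd if the port also creates _smtpd_dkim and the key file is owned by and readable only to that user; that is worth spelling out in the port's documentation.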


Re: [NEW] mail/opensmtpd-filter-dkim

Antoine Jacoutot-7
On Sat, Aug 24, 2019 at 09:10:18PM +0200, Martijn van Duren wrote:

> On 8/24/19 12:20 PM, Stuart Henderson wrote:
> > On 2019/08/24 11:52, Antoine Jacoutot wrote:
> >> On Sat, Aug 24, 2019 at 09:42:10AM +0100, Stuart Henderson wrote:
> >>> On 2019/08/24 06:37, Martijn van Duren wrote:
> >>>> $ cat pkg/DESCR
> >>>> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> >>>> $
> >>>>
> >>>> Since I'm not too familiar with ports I would like to pay special
> >>>> attention to the Makefile of both the port as well as the source.
> >>>>
> >>>> Also, I currently host the release tarballs at my personal server, which
> >>>> I also use for generic other stuff and might not always be available.
> >>>> If someone from the ports team has a more stable location to host the
> >>>> release tarballs let me know.
> >>>>
> >>>> Furthermore smtpd.conf allows for filters to be run as another user
> >>>> (currently undocumented). I know we're tight for uids, but can we
> >>>> reserve one for this port, so we can protect the dkim signing key from
> >>>> the smtpd users?
> >>>
> >>> Maybe it makes sense to use a shared uid for the other filters, but
> >>> it sounds reasonable to assign a new uid for this one.
>
> Thanks. Diff below reserves one.
> As for Gilles' suggestion to reserve one for all filters in general, I'm
> not convinced that's needed, since user _smtpd in general can't do much
> damage.
> >>>
> >>>>                  Or could it be possible to share a uid with another
> >>>> port with similar purpose? E.g. dkimproxy?
> >>>
> >>> Definitely prefer not to do that.
> >>>
> >>> Ports UIDs need a more general solution rather than trying to conserve the
> >>> odd 1 or 2 here and there.
>
> It was just an idea to scrape the barrel considering any bit might help.
> >>
> >> Maybe we could also reserve a directory in ports (e.g. mail/opensmtpd-filter)?
> >> So we can have:
> >> mail/opensmtpd-filter/dkim
> >> mail/opensmtpd-filter/dnsbl
> >> and so on...
> >>
> >> --
> >> Antoine
> >>
> >
> > Yes please!
> >
> I don't mind doing it that way.

Make it  opensmtpd-filter*s* I guess :-)

>
> Index: infrastructure/db/user.list
> ===================================================================
> RCS file: /cvs/ports/infrastructure/db/user.list,v
> retrieving revision 1.350
> diff -u -p -r1.350 user.list
> --- infrastructure/db/user.list 2 Aug 2019 21:59:35 -0000 1.350
> +++ infrastructure/db/user.list 24 Aug 2019 19:08:18 -0000
> @@ -349,3 +349,4 @@ id  user group port options
>  838 _i2pd _i2pd net/i2pd
>  839 _exabgp _exabgp net/exabgp
>  840 _dma _dma mail/dma
> +841 _smtpd_dkim _smtpd_dkim mail/opensmtpd-filter/dkim

--
Antoine


Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
On 8/25/19 11:43 AM, Antoine Jacoutot wrote:

> On Sat, Aug 24, 2019 at 09:10:18PM +0200, Martijn van Duren wrote:
>> On 8/24/19 12:20 PM, Stuart Henderson wrote:
>>> On 2019/08/24 11:52, Antoine Jacoutot wrote:
>>>> On Sat, Aug 24, 2019 at 09:42:10AM +0100, Stuart Henderson wrote:
>>>>> On 2019/08/24 06:37, Martijn van Duren wrote:
>>>>>> $ cat pkg/DESCR
>>>>>> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
>>>>>> $
>>>>>>
>>>>>> Since I'm not too familiar with ports I would like to pay special
>>>>>> attention to the Makefile of both the port as well as the source.
>>>>>>
>>>>>> Also, I currently host the release tarballs at my personal server, which
>>>>>> I also use for generic other stuff and might not always be available.
>>>>>> If someone from the ports team has a more stable location to host the
>>>>>> release tarballs let me know.
>>>>>>
>>>>>> Furthermore smtpd.conf allows for filters to be run as another user
>>>>>> (currently undocumented). I know we're tight for uids, but can we
>>>>>> reserve one for this port, so we can protect the dkim signing key from
>>>>>> the smtpd users?
>>>>>
>>>>> Maybe it makes sense to use a shared uid for the other filters, but
>>>>> it sounds reasonable to assign a new uid for this one.
>>
>> Thanks. Diff below reserves one.
>> As for Gilles' suggestion to reserve one for all filters in general, I'm
>> not convinced that's needed, since user _smtpd in general can't do much
>> damage.
>>>>>
>>>>>>                  Or could it be possible to share a uid with another
>>>>>> port with similar purpose? E.g. dkimproxy?
>>>>>
>>>>> Definitely prefer not to do that.
>>>>>
>>>>> Ports UIDs need a more general solution rather than trying to conserve the
>>>>> odd 1 or 2 here and there.
>>
>> It was just an idea to scrape the barrel considering any bit might help.
>>>>
>>>> Maybe we could also reserve a directory in ports (e.g. mail/opensmtpd-filter)?
>>>> So we can have:
>>>> mail/opensmtpd-filter/dkim
>>>> mail/opensmtpd-filter/dnsbl
>>>> and so on...
>>>>
>>>> --
>>>> Antoine
>>>>
>>>
>>> Yes please!
>>>
>> I don't mind doing it that way.
>
> Make it  opensmtpd-filter*s* I guess :-)

No objection one way or the other. So if no one objects I'll make it so.

While at it, should we also give a clearer DISTNAME? E.g.
opensmtpd-filter-<subname>? Right now it's filter-..., which might
not be clear to everyone that it's an smtpd filter.

>
>>
>> Index: infrastructure/db/user.list
>> ===================================================================
>> RCS file: /cvs/ports/infrastructure/db/user.list,v
>> retrieving revision 1.350
>> diff -u -p -r1.350 user.list
>> --- infrastructure/db/user.list 2 Aug 2019 21:59:35 -0000 1.350
>> +++ infrastructure/db/user.list 24 Aug 2019 19:08:18 -0000
>> @@ -349,3 +349,4 @@ id  user group port options
>>  838 _i2pd _i2pd net/i2pd
>>  839 _exabgp _exabgp net/exabgp
>>  840 _dma _dma mail/dma
>> +841 _smtpd_dkim _smtpd_dkim mail/opensmtpd-filter/dkim
>


Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
In reply to this post by Martijn van Duren-7
On 8/24/19 6:37 AM, Martijn van Duren wrote:

> $ cat pkg/DESCR
> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> $
>
> Since I'm not too familiar with ports I would like to pay special
> attention to the Makefile of both the port as well as the source.
>
> Also, I currently host the release tarballs at my personal server, which
> I also use for generic other stuff and might not always be available.
> If someone from the ports team has a more stable location to host the
> release tarballs let me know.
>
> Furthermore smtpd.conf allows for filters to be run as another user
> (currently undocumented). I know we're tight for uids, but can we
> reserve one for this port, so we can protect the dkim signing key from
> the smtpd users? Or could it be possible to share a uid with another
> port with similar purpose? E.g. dkimproxy?
>
> martijn@
>
>
I renamed the package to opensmtpd-filter-dkimsign. This to allow for a
future dkimverify. Moved port to mail/opensmtpd-filters/dkimsign.

Apart from reserving a user, same questions as above remain.

Index: user.list
===================================================================
RCS file: /cvs/ports/infrastructure/db/user.list,v
retrieving revision 1.351
diff -u -p -r1.351 user.list
--- user.list 25 Aug 2019 12:06:28 -0000 1.351
+++ user.list 5 Sep 2019 13:21:08 -0000
@@ -350,3 +350,4 @@ id  user group port options
 839 _exabgp _exabgp net/exabgp
 840 _dma _dma mail/dma
 841 _rt _rt www/rt
+842 _dkimsign _dkimsign mail/opensmtpd-filters/dkimsign
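
Review bot: the added 842 line reserves _dkimsign for mail/opensmtpd-filters/dkimsign, but the reservation does nothing on its own; the port has to create that user and its documentation should show filter-dkimsign being started under it, ideally as an smtpd.conf example shipped in the package. The Index: and ---/+++ paths here are bare user.list, unlike the earlier diff's infrastructure/db/user.list, so say that it applies from inside infrastructure/db.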

opensmtpd-filter-dkimsign.tar.gz (1K) Download Attachment

Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
Ping

Doesn't anyone want to replace dkimproxy with something that integrates
a little better?

On 9/5/19 3:22 PM, Martijn van Duren wrote:

> On 8/24/19 6:37 AM, Martijn van Duren wrote:
>> $ cat pkg/DESCR
>> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
>> $
>>
>> Since I'm not too familiar with ports I would like to pay special
>> attention to the Makefile of both the port as well as the source.
>>
>> Also, I currently host the release tarballs at my personal server, which
>> I also use for generic other stuff and might not always be available.
>> If someone from the ports team has a more stable location to host the
>> release tarballs let me know.
>>
>> Furthermore smtpd.conf allows for filters to be run as another user
>> (currently undocumented). I know we're tight for uids, but can we
>> reserve one for this port, so we can protect the dkim signing key from
>> the smtpd users? Or could it be possible to share a uid with another
>> port with similar purpose? E.g. dkimproxy?
>>
>> martijn@
>>
>>
> I renamed the package to opensmtpd-filter-dkimsign. This to allow for a
> future dkimverify. Moved port to mail/opensmtpd-filters/dkimsign.
>
> Apart from reserving a user, same questions as above remain.
>
> Index: user.list
> ===================================================================
> RCS file: /cvs/ports/infrastructure/db/user.list,v
> retrieving revision 1.351
> diff -u -p -r1.351 user.list
> --- user.list 25 Aug 2019 12:06:28 -0000 1.351
> +++ user.list 5 Sep 2019 13:21:08 -0000
> @@ -350,3 +350,4 @@ id  user group port options
>  839 _exabgp _exabgp net/exabgp
>  840 _dma _dma mail/dma
>  841 _rt _rt www/rt
> +842 _dkimsign _dkimsign mail/opensmtpd-filters/dkimsign
>


Re: [NEW] mail/opensmtpd-filter-dkim

Mikolaj Kucharski-3
Hi,

On Thu, Sep 12, 2019 at 09:08:31AM +0200, Martijn van Duren wrote:
> Ping
>
> Doesn't anyone want to replace dkimproxy with something that integrates
> a little better?

I used this port and it worked for me. Initially I could not get
DKIM pass with GMail, but with -c relaxed/relaxed Google is now
happy.

I also ran filter-dkimsign as _smtpd user and not as the one from below
patch named _dkimsign. I didn't see that last attached version of the
port referenced that user. My only feedback would be small smtpd.conf
snippet inside the package to show how to integrate this filter with
smtpd.

> On 9/5/19 3:22 PM, Martijn van Duren wrote:
> > On 8/24/19 6:37 AM, Martijn van Duren wrote:
> >> $ cat pkg/DESCR
> >> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> >> $
> >>
> >> Since I'm not too familiar with ports I would like to pay special
> >> attention to the Makefile of both the port as well as the source.
> >>
> >> Also, I currently host the release tarballs at my personal server, which
> >> I also use for generic other stuff and might not always be available.
> >> If someone from the ports team has a more stable location to host the
> >> release tarballs let me know.
> >>
> >> Furthermore smtpd.conf allows for filters to be run as another user
> >> (currently undocumented). I know we're tight for uids, but can we
> >> reserve one for this port, so we can protect the dkim signing key from
> >> the smtpd users? Or could it be possible to share a uid with another
> >> port with similar purpose? E.g. dkimproxy?
> >>
> >> martijn@
> >>
> >>
> > I renamed the package to opensmtpd-filter-dkimsign. This to allow for a
> > future dkimverify. Moved port to mail/opensmtpd-filters/dkimsign.
> >
> > Apart from reserving a user, same questions as above remain.

Not sure, which one is the "same questions as above", but if it is about
the below user I think this is good idea.


> > Index: user.list
> > ===================================================================
> > RCS file: /cvs/ports/infrastructure/db/user.list,v
> > retrieving revision 1.351
> > diff -u -p -r1.351 user.list
> > --- user.list 25 Aug 2019 12:06:28 -0000 1.351
> > +++ user.list 5 Sep 2019 13:21:08 -0000
> > @@ -350,3 +350,4 @@ id  user group port options
> >  839 _exabgp _exabgp net/exabgp
> >  840 _dma _dma mail/dma
> >  841 _rt _rt www/rt
> > +842 _dkimsign _dkimsign mail/opensmtpd-filters/dkimsign
> >
>

--
Regards,
 Mikolaj


Re: [NEW] mail/opensmtpd-filter-dkim

Mikolaj Kucharski-3
In reply to this post by Martijn van Duren-7
On Sun, Aug 25, 2019 at 12:24:31PM +0200, Martijn van Duren wrote:
> While at it, should we also give a clearer DISTNAME? E.g.
> opensmtpd-filter-<subname>? Right now it's filter-..., which might
> not be clear to everyone that it's an smtpd filter.

I think this is good idea.

--
Regards,
 Mikolaj


Re: [NEW] mail/opensmtpd-filter-dkim

Stuart Henderson
In reply to this post by Mikolaj Kucharski-3
On 2019/09/16 20:42, Mikolaj Kucharski wrote:
> Hi,
>
> On Thu, Sep 12, 2019 at 09:08:31AM +0200, Martijn van Duren wrote:
> > Ping
> >
> > Doesn't anyone want to replace dkimproxy with something that integrates
> > a little better?

that's not a good incentive, i never used dkimproxy :) (amavisd used to do
that for me, but I switched to rspamd's signing a couple of years ago and
haven't had any interest in looking for alternatives yet).

> I used this port and it worked for me. Initially I could not get
> DKIM pass with GMail, but with -c relaxed/relaxed Google is now
> happy.

it's probably worth figuring out what's going on without that setting, but
generally relaxed/relaxed is recommended anyway

https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
https://wordtothewise.com/2018/07/minimal-dmarc/

> I also ran filter-dkimsign as _smtpd user and not as the one from below
> patch named _dkimsign. I didn't see that last attached version of the
> port referenced that user. My only feedback would be small smtpd.conf
> snippet inside the package to show how to integrate this filter with
> smtpd.
>
> > On 9/5/19 3:22 PM, Martijn van Duren wrote:
> > > On 8/24/19 6:37 AM, Martijn van Duren wrote:
> > >> $ cat pkg/DESCR
> > >> filter-dkim is an opensmtpd filter that signs email with a dkim signature.
> > >> $
> > >>
> > >> Since I'm not too familiar with ports I would like to pay special
> > >> attention to the Makefile of both the port as well as the source.

like libopensmtpd, it needs MAKE_FLAGS= CC="${CC}".

WANTLIB needs updating:

opensmtpd-filter-dkimsign-0.1(mail/opensmtpd-filters/dkimsign):
Missing: crypto.45 (/usr/local/libexec/smtpd/filter-dkimsign) (system lib)
Extra:  pthread.26
WANTLIB += crypto
*** Error 1 in target 'port-lib-depends-check' (ignored)


> > >> Also, I currently host the release tarballs at my personal server, which
> > >> I also use for generic other stuff and might not always be available.
> > >> If someone from the ports team has a more stable location to host the
> > >> release tarballs let me know.

I think that's all that anyone else doing ports distfile hosting has ..

> > >> Furthermore smtpd.conf allows for filters to be run as another user
> > >> (currently undocumented). I know we're tight for uids, but can we
> > >> reserve one for this port, so we can protect the dkim signing key from
> > >> the smtpd users? Or could it be possible to share a uid with another
> > >> port with similar purpose? E.g. dkimproxy?
> > >>
> > >> martijn@
> > >>
> > >>
> > > I renamed the package to opensmtpd-filter-dkimsign. This to allow for a
> > > future dkimverify. Moved port to mail/opensmtpd-filters/dkimsign.
> > >
> > > Apart from reserving a user, same questions as above remain.
>
> Not sure, which one is the "same questions as above", but if it is about
> the below user I think this is good idea.
>
>
> > > Index: user.list
> > > ===================================================================
> > > RCS file: /cvs/ports/infrastructure/db/user.list,v
> > > retrieving revision 1.351
> > > diff -u -p -r1.351 user.list
> > > --- user.list 25 Aug 2019 12:06:28 -0000 1.351
> > > +++ user.list 5 Sep 2019 13:21:08 -0000
> > > @@ -350,3 +350,4 @@ id  user group port options
> > >  839 _exabgp _exabgp net/exabgp
> > >  840 _dma _dma mail/dma
> > >  841 _rt _rt www/rt
> > > +842 _dkimsign _dkimsign mail/opensmtpd-filters/dkimsign
> > >
> >
>
> --
> Regards,
>  Mikolaj
>


Re: [NEW] mail/opensmtpd-filter-dkim

Mikolaj Kucharski-3
On Tue, Sep 17, 2019 at 12:03:34AM +0100, Stuart Henderson wrote:
> > I used this port and it worked for me. Initially I could not get
> > DKIM pass with GMail, but with -c relaxed/relaxed Google is now
> > happy.
>
> it's probably worth figuring out what's going on without that setting, but
> generally relaxed/relaxed is recommended anyway
>
> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
> https://wordtothewise.com/2018/07/minimal-dmarc/

I'm not sure what was the problem, as when I took the same emails as raw
mbox file and tested it with:

- https://www.appmaildev.com/en/dkim
- dkimverify.pl from p5-Mail-DKIM-0.54
- dkimverify from dkimpy 0.9.3

they all reported as DKIM pass. My emails were plain text, sent via Mutt
with only few random characters in the email body.

--
Regards,
 Mikolaj


Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
On 9/17/19 7:33 AM, Mikolaj Kucharski wrote:

> On Tue, Sep 17, 2019 at 12:03:34AM +0100, Stuart Henderson wrote:
>>> I used this port and it worked for me. Initially I could not get
>>> DKIM pass with GMail, but with -c relaxed/relaxed Google is now
>>> happy.
>>
>> it's probably worth figuring out what's going on without that setting, but
>> generally relaxed/relaxed is recommended anyway
>>
>> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
>> https://wordtothewise.com/2018/07/minimal-dmarc/
>
> I'm not sure what was the problem, as when I took the same emails as raw
> mbox file and tested it with:
>
> - https://www.appmaildev.com/en/dkim
> - dkimverify.pl from p5-Mail-DKIM-0.54
> - dkimverify from dkimpy 0.9.3
>
> they all reported as DKIM pass. My emails were plain text, sent via Mutt
> with only few random characters in the email body.
>
Thanks for the report.
I'm looking into it right now.


Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
In reply to this post by Mikolaj Kucharski-3
On 9/17/19 7:33 AM, Mikolaj Kucharski wrote:

> On Tue, Sep 17, 2019 at 12:03:34AM +0100, Stuart Henderson wrote:
>>> I used this port and it worked for me. Initially I could not get
>>> DKIM pass with GMail, but with -c relaxed/relaxed Google is now
>>> happy.
>>
>> it's probably worth figuring out what's going on without that setting, but
>> generally relaxed/relaxed is recommended anyway
>>
>> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
>> https://wordtothewise.com/2018/07/minimal-dmarc/
>
> I'm not sure what was the problem, as when I took the same emails as raw
> mbox file and tested it with:
>
> - https://www.appmaildev.com/en/dkim
> - dkimverify.pl from p5-Mail-DKIM-0.54
> - dkimverify from dkimpy 0.9.3
>
> they all reported as DKIM pass. My emails were plain text, sent via Mutt
> with only few random characters in the email body.
>
tl;dr: Can you give this one a try?

So this took me way longer than I'd like considering the reason.

First off, I tested the following platforms without issues:
- office365
- yahoo
- yandex
- p5-DKIM
- manual (yes, you can do it manually with openssl(1)).

The reason google failed is because my header was named DKIM-signature
instead of DKIM-Signature (note the capital S). Headers are case
insensitive and this is also the case with google, since it does
recognize the header (else we wouldn't have the fail-line).
The problem is that google changes the header-name back to
DKIM-Signature before validating, which is in violation with RFC6376
section 3.4.1:
Header fields MUST be presented to the signing or verification algorithm
exactly as they are in the message being signed or verified.

If anyone has a line to the google devs, please let them know.

martijn@

dkimsign.tar.gz (1K) Download Attachment
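
The header-name behaviour described in the message above, as an added example that is not part of the original post or of filter-dkimsign: RFC 6376 simple and relaxed header canonicalization in Python, applied to a signature header whose field name is spelled DKIM-signature, with a verifier that re-capitalizes the name before hashing (the behaviour Martijn describes). The message, the tag values and the use of digest equality in place of RSA verification are constructed assumptions.

```python
import hashlib
import re


def _strip_crlf(raw: bytes) -> bytes:
    return raw[:-2] if raw.endswith(b"\r\n") else raw


def canon_simple(raw: bytes) -> bytes:
    """RFC 6376 3.4.1: the header field is hashed exactly as it appears."""
    return _strip_crlf(raw) + b"\r\n"


def canon_relaxed(raw: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse and trim whitespace."""
    name, value = _strip_crlf(raw).split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)   # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)         # WSP runs -> single SP
    return name.strip(b" \t").lower() + b":" + value.strip(b" ") + b"\r\n"


CANON = {b"simple": canon_simple, b"relaxed": canon_relaxed}


def parse_tags(sig_header: bytes) -> dict:
    """Split the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in sig_header.split(b":", 1)[1].split(b";"):
        if b"=" in part:
            key, val = part.split(b"=", 1)
            tags[key.strip()] = re.sub(rb"\s+", b"", val)
    return tags


def data_hash(signed_headers, sig_header: bytes) -> bytes:
    """Digest that the RSA signature in b= is computed over (RFC 6376 3.7)."""
    mode = parse_tags(sig_header).get(b"c", b"simple/simple").split(b"/")[0]
    canon = CANON[mode]
    name, value = sig_header.split(b":", 1)
    # The signature header is hashed with the value of b= treated as empty.
    value = re.sub(rb"((?:^|;)\s*b\s*=)[^;]*", rb"\1", value)
    data = b"".join(canon(h) for h in signed_headers)
    # The field name is part of the hashed bytes; no trailing CRLF on this one.
    data += _strip_crlf(canon(name + b":" + value))
    return hashlib.sha256(data).digest()


def verifies(signed_headers, sig_header: bytes, verifier_renames: bool) -> bool:
    """True when signer and verifier hash the same bytes.

    Assumption: digest equality stands in for the RSA check, since a
    signature over one digest cannot verify against a different one.
    """
    seen = sig_header
    if verifier_renames:
        # Hypothetical verifier that normalizes the field name before hashing.
        seen = b"DKIM-Signature:" + sig_header.split(b":", 1)[1]
    return data_hash(signed_headers, sig_header) == data_hash(signed_headers, seen)


# Constructed sample message headers and signature tags (not real mail).
SIGNED = [
    b"From: Alice <alice@example.org>\r\n",
    b"Subject:  test   message\r\n",
]
TAGS = (b" v=1; a=rsa-sha256; c=%s; d=example.org; s=sel;\r\n"
        b"\th=from:subject; bh=Y29uc3RydWN0ZWQ=; b=c2lnbmF0dXJl\r\n")


def sig(field_name: bytes, canon: bytes) -> bytes:
    """Build a constructed signature header with the given name and c= value."""
    return field_name + b":" + TAGS % canon


if __name__ == "__main__":
    cases = [
        (b"DKIM-signature", b"simple/simple", False),
        (b"DKIM-signature", b"simple/simple", True),
        (b"DKIM-signature", b"relaxed/relaxed", True),
        (b"DKIM-Signature", b"simple/simple", True),
    ]
    for name, canon, renames in cases:
        ok = verifies(SIGNED, sig(name, canon), renames)
        print(name.decode(), canon.decode(),
              "renaming verifier" if renames else "strict verifier",
              "->", "pass" if ok else "fail")
```

The second case is the reported failure; the third and fourth correspond to the two workarounds in the thread, `-c relaxed/relaxed` and emitting the field name as DKIM-Signature.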

Re: [NEW] mail/opensmtpd-filter-dkim

Martijn van Duren-7
In reply to this post by Stuart Henderson
Saw this message only after I sent my previous one.
CC and WANTLIB updated.

On 9/17/19 1:03 AM, Stuart Henderson wrote:

> On 2019/09/16 20:42, Mikolaj Kucharski wrote:
>> Hi,
>>
>> On Thu, Sep 12, 2019 at 09:08:31AM +0200, Martijn van Duren wrote:
>>> Ping
>>>
>>> Doesn't anyone want to replace dkimproxy with something that integrates
>>> a little better?
>
> that's not a good incentive, i never used dkimproxy :) (amavisd used to do
> that for me, but I switched to rspamd's signing a couple of years ago and
> haven't had any interest in looking for alternatives yet).
s/dkimproxy/amavisd/g, I want something that integrates better with
smtpd. :-)
Other advantages: it's a minimal implementation that's pledged and can
run under a dedicated user for your dkim key.
>
>> I used this port and it worked for me. Initially I could not get
>> DKIM pass with GMail, but with -c relaxed/relaxed Google is now
>> happy.
>
> it's probably worth figuring out what's going on without that setting, but
> generally relaxed/relaxed is recommended anyway

Absolutely, and should be fixed.
>
> https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
> https://wordtothewise.com/2018/07/minimal-dmarc/

That entirely depends on your usecase and who you ask.
The official RFC recommendation is: simple/simple: RFC6376 section 3.5
"c=". Hence this is the default for filter-dkimsign.

If someone messes with my mail the recipient should be aware, even
if it's not too intrusive.

dkimsign.tar.gz (1K) Download Attachment

Re: [NEW] mail/opensmtpd-filter-dkim

Stuart Henderson
In reply to this post by Martijn van Duren-7
On 2019/09/17 14:09, Martijn van Duren wrote:

> The reason google failed is because my header was named DKIM-signature
> instead of DKIM-Signature (note the capital S). Headers are case
> insensitive and this is also the case with google, since it does
> recognize the header (else we wouldn't have the fail-line).
> The problem is that google changes the header-name back to
> DKIM-Signature before validating, which is in violation with RFC6376
> section 3.4.1:
> Header fields MUST be presented to the signing or verification algorithm
> exactly as they are in the message being signed or verified.
>
> If anyone has a line to the google devs, please let them know.

You could try on the mailops list, but if google has a problem, there's a
fair chance other implementations may also have a problem.


Re: [NEW] mail/opensmtpd-filter-dkim

Mikolaj Kucharski-3
In reply to this post by Martijn van Duren-7
On Tue, Sep 17, 2019 at 02:09:56PM +0200, Martijn van Duren wrote:
> tl;dr: Can you give this one a try?

Seems to work for me. You can have a look at this email headers.
Gmail is happy with c=simple/simple, however I am going to stick
to c=relaxed/relaxed in long run.

Thank you Martijn for this work. After so many years, I finally have
DKIM.

--
Regards,
 Mikolaj