mail/opensmtpd-filter-sign: request for testing
On Thu, 12 Dec 2024 18:57:48 +0100,
Kirill A. Korinsky <kirill@korins.ky> wrote:
>
> ports@,
>
> I'd like to share with you a port of mail/opensmtpd-filter-sign.
>
> This filter is a fork of mail/opensmtpd-filter-dkimsign, which introduced
> support for both ARC sign and seal.
>
> It can be used as an in-place replacement for filter-dkimsign.
>
> New ARC-related options:
> -A is a switch to create ARC signature;
> -S is a switch to create ARC seal.
>
> Additionally, it supports -D file where you can keep one line per domain
> instead of -d domain1 -d domain2 -d domain3.
>
> The code is available here: https://github.com/catap/opensmtpd-filter-sign
>
> I have been using it for more than 6 months on my servers, and the last fix
> was made about 6 months ago, and I think this code is ready to be tested by
> anyone who is interested.
>
Sorry for the noise, but I just realized that I haven't sent everything.
ARC also requires the ARC-Authentication-Results header, which can be added via
mail/opensmtpd-filter-auth.
Here is an updated tgz with two filters.
I use it like this:
# DKIM, use both signatures: ED25519 and RSA
filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
-s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
-s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
# ARC has only one signature, use RSA as the most supported
filter arc_auth proc-exec "filter-auth -A"
filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
-s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
-s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
# Build the sign chain, RFC8617 Section 4.1.2 requires that DKIM be included in ARC
filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }
listen on egress port submission \
tls-require pki mx.catap.net auth <credentials> \
mask-src \
filter sign
--
wbr, Kirill
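
For anyone testing the chain above, a structural check of the ARC headers on a delivered message, as an added example that is not part of the original post or of the filter-sign project. It verifies only that each ARC set is complete and consistent (RFC 8617 header names and tags) and that the ARC-Message-Signature covers DKIM-Signature as the config comment describes; it does not verify any signature, and the sample message, domain and selector are constructed.

```python
import email
import re

# Constructed sample headers (tag values shortened, not real signatures).
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mx.example.net; s=sel; b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.example.net; s=sel;
 h=from:to:subject:dkim-signature; bh=BBBB; b=CCCC
ARC-Authentication-Results: i=1; mx.example.net; auth=pass
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; h=from:to:subject;
 bh=BBBB; b=DDDD
From: a@example.net

body
"""
ARC = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def tags(value):
    """Parse a 'k=v; k=v' tag list into a dict, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_arc(raw):
    """Return structural problems in the ARC sets of a raw message ([] if none)."""
    msg = email.message_from_string(raw)
    problems, sets = [], {}
    for name in ARC:
        for value in msg.get_all(name, []):
            t = tags(value)
            if not re.fullmatch(r"[0-9]{1,2}", t.get("i", "")):
                problems.append(f"{name}: missing or non-numeric i= tag")
                continue
            sets.setdefault(int(t["i"]), {}).setdefault(name, []).append(t)
    if not sets:
        return problems + ["no ARC sets found"]
    if sorted(sets) != list(range(1, len(sets) + 1)):
        problems.append(f"instances not contiguous from 1: {sorted(sets)}")
    for i, found in sorted(sets.items()):
        for name in ARC:
            if len(found.get(name, [])) != 1:
                problems.append(f"i={i}: expected exactly one {name}")
        for seal in found.get("ARC-Seal", []):
            if (i == 1) != (seal.get("cv") == "none"):  # cv=none only on i=1
                problems.append(f"i={i}: unexpected cv={seal.get('cv')}")
        for ams in found.get("ARC-Message-Signature", []):
            signed = ams.get("h", "").lower().split(":")
            if msg.get_all("DKIM-Signature") and "dkim-signature" not in signed:
                problems.append(f"i={i}: AMS h= does not cover DKIM-Signature")
    return problems
```

Running `check_arc` on a message that passed through arc_sign and arc_seal but not arc_auth reports the missing ARC-Authentication-Results header for that instance.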