DKIM Migration: Rspamd instead of DKIMproxy out on OpenBSD / OpenSMTPD


When I installed Rspamd on OpenBSD / OpenSMTPD the other day, DKIMproxy out (the dkimproxy_out daemon, installed from the OpenBSD ports/packages system) was still being used to add DKIM signatures to outgoing mail in order to improve email security.

Rspamd has supported a DKIM signing module since v1.5, so I decided to migrate from DKIMproxy to Rspamd as the DKIM signer.


First, set up Rspamd by creating dkim_signing.conf in local.d:

$ cd /etc/rspamd/local.d

$ printf "\
allow_username_mismatch = true;\n\
path = \"/etc/ssl/(...)/dkimproxy-out-key.pem\"\n\
selector=\"dkimout-selector1\"" |\
    doas tee dkim_signing.conf

$ cat dkim_signing.conf
allow_username_mismatch = true;
path = "/etc/ssl/(...)/dkimproxy-out-key.pem"
selector="dkimout-selector1"

Here, I reused the TLS certificate. The key "path" and the "selector" name depend on your environment; keeping the same key and selector means the DKIM record already published in DNS stays valid.
In my case, since the authenticated username does not necessarily contain a matching domain, I set "allow_username_mismatch" to true.

Next, configure OpenSMTPD to drop the DKIMProxy relay and add the Rspamd filter on the submission listeners (MSA).

$ doas nvim /etc/mail/smtpd.conf

smtpd.conf was changed like this:

- listen on lo0 port 10028 tag DKIM
  listen on lo0 \
          port submission \
          received-auth mask-src \
+         filter { "rspamd" } \
          tag MSA

  listen on egress \
          port submission \
          tls-require \
          pki (...) \
          auth <passwd> \
          received-auth mask-src \
+         filter { "rspamd" } \
          tag MSA  
  action "relay"      relay
- action "relay_dkim" relay host smtp://
- match tag DKIM                          for any                         action "relay"
- match tag MSA   from any auth           for any                         action "relay_dkim
+ match tag MSA   from any auth           for any                         action "relay"
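Review bot: both listen blocks now reference a filter named "rspamd", but no `filter "rspamd" ...` declaration appears in this hunk; smtpd.conf needs that definition (for Rspamd, a `proc-exec` filter running the filter-rspamd binary) earlier in the file than the listeners that use it, otherwise the configuration will not load. Since the removed `action "relay_dkim"` and `match tag DKIM` lines leave `action "relay"` as the only action in use, it is worth running `smtpd -n` to confirm the file still parses before restarting.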

Besides, the filter option accepts either of these forms:

  • filter { "rspamd" } (string array)
  • filter rspamd (bare name without quotes)

Configuration is done now.
Stop the daemon previously in charge of DKIM signing, then restart Rspamd and OpenSMTPD so they pick up the new setup:

$ doas rcctl stop dkimproxy_out
$ doas rcctl check dkimproxy_out

$ doas rcctl restart rspamd smtpd


I sent emails before and after the migration, and the comparison test was successful.
Also, unexpectedly and happily, the hash algorithm changed from sha1 to sha256, as below :) This is a real improvement: rsa-sha1 is obsolete, and RFC 8301 forbids it for both signing and verifying.

# dkimproxy_out
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=(domain); h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=(selector); bh= (...); b=(...)

# Rspamd dkim_signing
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=(domain); s=(selector); t=(...); h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     content-transfer-encoding:content-transfer-encoding; bh=(...); b=(...)
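As an added check (not part of the original post), here is a small Python script that parses DKIM-Signature headers shaped like the two above and reports what changed: the hash algorithm (flagging rsa-sha1, which RFC 8301 forbids), header/body canonicalization, the t= timestamp, and the headers Rspamd lists twice in h= (oversigning, which stops a relay from adding a second From:/Subject: after signing). The sample headers are constructed with a placeholder domain and hash values.

```python
"""Inspect DKIM-Signature headers and report their security-relevant properties."""
import re

# Hash algorithms RFC 8301 forbids for signing and verification.
DEPRECATED_ALGS = {"rsa-sha1"}

# Constructed samples shaped like the two headers in the post (placeholder d=, bh=, b=).
DKIMPROXY_SIG = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.org; "
    "h=subject:to :references:from:message-id:date:mime-version:in-reply-to "
    ":content-type:content-transfer-encoding; s=dkimout-selector1; bh=XXXX; b=YYYY"
)
RSPAMD_SIG = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; "
    "s=dkimout-selector1; t=1500000000; h=from:from:reply-to:subject:subject:"
    "date:date:message-id:message-id:\n"
    "     content-transfer-encoding:content-transfer-encoding; bh=XXXX; b=YYYY"
)


def parse_dkim_signature(header: str) -> dict:
    """Split a (possibly folded) DKIM-Signature header into its tag=value pairs."""
    value = header.split(":", 1)[1] if header.lower().startswith("dkim-signature:") else header
    value = re.sub(r"\s+", "", value)  # folding whitespace is not significant in tag values
    tags = {}
    for item in value.split(";"):
        if item:
            tag, _, val = item.partition("=")
            tags[tag] = val
    return tags


def assess(tags: dict) -> dict:
    """Return the properties a defender cares about for a parsed signature."""
    alg = tags.get("a", "")
    header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"  # RFC 6376: "relaxed" alone means relaxed/simple
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    # A name repeated in h= is oversigned (approximation: we don't have the message itself).
    oversigned = sorted({h for h in signed if signed.count(h) > 1})
    return {
        "algorithm": alg,
        "deprecated_algorithm": alg in DEPRECATED_ALGS,
        "header_canon": header_canon,
        "body_canon": body_canon,
        "signed_headers": signed,
        "oversigned_headers": oversigned,
        "has_timestamp": "t" in tags,
    }


if __name__ == "__main__":
    for name, sig in (("dkimproxy_out", DKIMPROXY_SIG), ("rspamd", RSPAMD_SIG)):
        print(name, assess(parse_dkim_signature(sig)))
```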

Finally, once the test has passed, say thank you and goodbye to DKIMProxy.

$ doas pkg_delete dkimproxy
dkimproxy-1.4.1p1: ok
Read shared items: ok
--- -dkimproxy-1.4.1p1 -------------------
You should also remove /etc/dkimproxy_out.conf (which was modified)
You should also run /usr/sbin/userdel _dkimproxy
You should also run /usr/sbin/groupdel _dkimproxy

$ doas /usr/sbin/userdel _dkimproxy
$ doas /usr/sbin/groupdel _dkimproxy
$ doas rm /etc/dkimproxy_out.conf # or `doas cp -p /etc/dkimproxy_out.conf /etc/dkimproxy_out.conf.bak`