0

I've got Postfix + spamassassin working already and I'm introducing opendkim.

I'm almost there except outgoing messages are DKIM signed twice, which is not only useless but even makes them DKIM invalid.

From what I gathered, the whole thing boils down to the fact that Postfix calls opendkim, then hands down the message to spamassassin, which in turns gives it back to postfix which calls opendkim again.

This said, I don't know what to change to the configuration to prevent this.

I don't think the DKIM config itself is wrong. I followed following tutorials:

/etc/opendkim.conf

KeyTable                refile:/etc/postfix/dkim/keytable
SigningTable            refile:/etc/postfix/dkim/signingtable
ExternalIgnoreList      refile:/etc/postfix/dkim/TrustedHosts
InternalHosts           refile:/etc/postfix/dkim/TrustedHosts

/etc/postfix/dkim/TrustedHosts

127.0.0.1
::1
localhost
xxx.xxx.xxx.xxx (server IP)
xxxx:xxxx:... (server IPv6)
domain.tld
*.domain.tld

Postfix configuration is the following.

I added those lines to main.cf:

[...]
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891, inet:localhost:8892
non_smtpd_milters = $smtpd_milters

I left master.cf untouched:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=spamassassin
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

The advices I found about the "DKIM signs twice" issue explain why it happens but the resolution applies to configurations that differ from mine (e.g. on Ubuntu documentation). They suggest to add no_milters to a -o receive_override_options= line. But I don't have this line. I don't use amavis. And I can't figure out how to proceed as master.cf is a bit cryptic to me.

Questions:

  • Is the rootcause correctly identified (double signature due to spamassassin resending the message to the queue)?
  • How to skip milters when the messages come back to the queue?
  • Would it be better to DKIM sign after spamassassin rather than before? If so, what would be the configuration? (I suppose removing smtpd_milters from main.cf and adding -o smtpd_milters=... in place of receive_override_options=no_milters but it seems uncommon, so I'd say this doesn't matter.)
Jérôme
  • 615
  • 2
  • 8
  • 19
  • Having double DKIM signature should be considered valid as long as all signatures are technically correct so having identical double signature should only waste some bandwidth. In some cases for DKIM-signed forwarded messages I've seen three different signatures and at least Gmail successfully validated all those. – Mikko Rantalainen Jun 28 '22 at 09:46

3 Answers3

1

The best solution seems to be to simply modify lines in /etc/postfix/master.cf like this:

Original lines:

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin

Fixed lines:

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin -o receive_override_options=no_milters

That is, you just add -o receive_override_options=no_milters to the spamassassin line. That skips applying any milters before passing the message to SpamAssassin.

As SpamAssassin then re-submits the message to queue without SMTP, you want to apply the milter for non_smtpd_milters, too.

This allows correct signature for both SMTP submitted mail and locally submitted mail without double signature for either.

PS. Just run man 5 master to see full documentation about master.cf file syntax.

Mikko Rantalainen
  • 1,030
  • 14
  • 30
1

I think I managed to find the right configuration.

Keeping the master.cf file above, here's main.cf content:

# DKIM
non_smtpd_milters = inet:localhost:8891
# DMARC
smtpd_milters = inet:localhost:8892

With this configuration, outgoing messages are DKIM signed, whether they come from my email client or the webmail installed on the server.

And DMARC is checked on incoming messages.

Postfix docs:

The SMTP-only filters handle mail that arrives via the Postfix smtpd(8) server. They are typically used to filter unwanted mail and to sign mail from authorized SMTP clients. [...] Mail that arrives via the Postfix smtpd(8) server is not filtered by the non-SMTP filters that are described next.

The non-SMTP filters handle mail that arrives via the Postfix sendmail(1) command-line or via the Postfix qmqpd(8) server. They are typically used to digitally sign mail only. [...]

IIUC, if I didn't use spamassassin, I should set opendkim as a smtpd milter. But since spamassassin reposts the message back using sendmail, it goes through opendkim as a non smtpd milter so the solution is to set opendkim as smtpd filter only.

I found this by trial and error. I hope it can help someone with a similar issue, but I'm still interested in an educated explanation.

BTW, here are the links to the online testers I used to validate the DKIM signatures:

Jérôme
  • 615
  • 2
  • 8
  • 19
1

Thanks for the research, I had the exact same problem.

I think the lines in main.cf should read:

smtpd_milters = inet:127.0.0.1:8891 inet:127.0.0.1:8893
non_smtpd_milters =

Although it looks like your dmarc is running on 8892 from your post - I'm running Centos 7.5 / RHEL 7.5.

I don't see a need to run DKIM after spamassasin. I think DKIM should be run before spamassasin on all SMTPD incoming so it can read the results and use it for classifying spam. My dmarc ignores 127.0.0.1 anyway.

This does have DKIM add my local signature to incoming mail from fetchmail (external mailboxes) that obviously then passes (and dmarc ignores) but I would rather have spamassassin check everything else and don't see a way to specify SMTPD options specifically for those originating from 127.0.0.1

non_smtpd_milters probably defaults to empty - I left it in for clarification to myself.

milter_protocol = 2 is unnecessary if your Postfix is greater than 2.6.

Peleion
  • 303
  • 1
  • 7
  • This is otherwise good solution but what about if you also need to send automated messages from localhost without SMTP? With this solution those will be missing all signatures. Maybe it would be possible to somehow configure opendkim not to sign the message if an another signature already exists? – Mikko Rantalainen Jun 28 '22 at 09:39
  • Maybe add `-o receive_override_options=no_milters` to Postfix `master.cf` before calling `spamassassin`? – Mikko Rantalainen Jun 28 '22 at 09:44