From 6bfd9964073a69ce629bbc7530672b2c8b2b6ede Mon Sep 17 00:00:00 2001 From: Prefetch Date: Thu, 30 Apr 2020 00:01:26 +0200 Subject: Rspamd corrections and clarifications --- content/blog/2020/email-server-extras.md | 102 ++++++++++++++++++++++++++++++- content/blog/2020/email-server.md | 3 + 2 files changed, 102 insertions(+), 3 deletions(-) diff --git a/content/blog/2020/email-server-extras.md b/content/blog/2020/email-server-extras.md index 9e18f34..816bcd5 100644 --- a/content/blog/2020/email-server-extras.md +++ b/content/blog/2020/email-server-extras.md @@ -85,8 +85,26 @@ table domains "/etc/smtpd/domains" # ... match from any for domain action "RECV" ``` -In theory, that's it! You should now have a working -multi-domain email server. + +#### Rspamd + +The last thing to do is to inform Rspamd of the multiple domains. +It's really easy: simply add multiple domain blocks: +```c +domain { + foo.com { + path = "/path/to/dkim/private.key"; + selector = "hello"; + } +} +domain { + bar.com { + path = "/path/to/dkim/private.key"; + selector = "world"; + } +} +``` + @@ -175,7 +193,8 @@ just repeat the last few steps for each one. OpenSMTPD needs to verify the validity of client certificates using the CA's public certificate, so you should copy that to somewhere on the server, e.g. `/etc/smtpd/mailca.crt`, -and declare it to OpenSMTPD by adding this near the top of the file: +and declare it to OpenSMTPD by adding this near +the top of `/etc/smtpd/smtpd.conf`: ```sh ca "mailca" cert "/etc/smtpd/mailca.crt" ``` 
@@ -210,3 +229,80 @@ $ openssl pkcs12 -export -in mailclient.crt -inkey mailclient.key \ OpenSSL will ask you to set a password, which you'll need to enter again when importing the certificate into the client. + + +### Client certificates (instead of passwords) + +If you really want to, you can use the client certificates +as a substitute for passwords. This is especially useful +if you set up a catchall inbox in Dovecot, +because this will allow you to send emails +from arbitrary addresses from your domain. + +To do this, follow the same procedure as in the previous section, +but with a slightly different OpenSMTPD configuration: +```sh +listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" filter "rspamd" tag "VALID" +action "SEND" relay srs +match from any tag "VALID" for any action "SEND" +``` +All incoming connections that present a good certificate +will be tagged as `VALID`, and their mail will be relayed. + +Unfortunately, we're not quite done yet here, +because we've just made Rspamd very confused... + + +#### Rspamd + +When OpenSMTPD passes a message through Rspamd, it also includes +some metadata, most notably whether the sender has authenticated +successfully with OpenSMTPD... which is now no longer the case +for submissions, because we've removed the `auth` directive! + +Rspamd therefore starts regarding these outgoing emails +as *incoming* emails, because they don't seem +to come from a trusted user. So instead of signing them with DKIM +and handing them back to OpenSMTPD, it will do a full spam scan. +If they get a high spam score (which is likely for short test emails), +*your* spam filter, running on *your* server, +will be flagging *your* messages as spam! + +The solution is to whitelist your domain(s) in Rspamd, +so it won't scan them. 
To do this, create a new file +`/etc/rspamd/local.d/settings.conf` with these contents, +where `foo.com` and `bar.com` are the domains to whitelist: +```c +outbound { + priority = high; + from = "@foo.com"; + from = "@bar.com"; + apply { + actions { + add_header = 1000; + } + } +} +``` +Setting `priority` to `high` ensures that Rspamd checks +this rule before doing anything else. +You can add any number of `from` directives; +this rule will be applied if any of them match. +The only action it takes is to set the threshold +for the action `add_header` to `1000`. +That is, if the email doesn't get a spam score of at least 1000 +(the default is 6) Rspamd will not add any spam tags. + +Because Rspamd is still regarding your emails as inbound, +you also need to change the global settings of +the DKIM signer in `/etc/rspamd/local.d/dkim_signing.conf`, +such that they include the following: +```c +sign_inbound = true; +allow_hdrfrom_mismatch = true; +allow_username_mismatch = true; +``` +This tells Rspamd to add DKIM signatures to incoming emails, +which in this case includes yours. +Allowing these mismatches ensures that the messages still get signed, +even if you're sending from an arbitrary address. diff --git a/content/blog/2020/email-server.md b/content/blog/2020/email-server.md index b7c6aaf..53c13e4 100644 --- a/content/blog/2020/email-server.md +++ b/content/blog/2020/email-server.md @@ -662,6 +662,9 @@ domain { ``` Make sure that the DKIM `private.key` file is readable (and *only* readable) by `rspamd:rspamd`. +Allowing username mismatches is necessary, +because OpenSMTPD will only tell Rspamd about `username` +while the DKIM signer actually expects `username@example.com`. And... that's it! Of course, don't forget to start all the necessary daemons. -- cgit v1.2.3
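Review bot: The `outbound` rule in the proposed `settings.conf` is keyed only on the `From` address (`from = "@foo.com"`), which any sender can forge, so with `priority = high` it would also raise the `add_header` threshold to 1000 for forged inbound mail that claims to come from your own domain, which is exactly the spoofing case a spam filter should catch. The `sign_inbound = true` / `allow_hdrfrom_mismatch = true` change in the same hunk compounds this: a forged message with a `From:` in your domain that reaches Rspamd through the same filter can end up DKIM-signed with your private key. Whether such mail actually traverses the filter depends on the port-25 `listen` line, which is outside the hunk; the 587 line shown here only covers certificate-verified submissions. Suggest scoping the rule by something an outsider cannot supply, e.g. a connection-level condition Rspamd settings support such as the client `ip`, or keeping `auth` on the 587 listener alongside `verify` so Rspamd still sees an authenticated sender and `sign_inbound` can stay at its default, and adding a sentence to the text that says why a `From`-only match is unsafe.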