Use rspamd for DKIM signing, drop OpenDKIM

OpenDKIM has not been updated in the last 7 years and failed to adopt RFC8463, which introduces Ed25519-SHA256 signatures. It has thereby held back the DKIM ecosystem, which relies on the DNS system to publish its public keys. The DNS system in turn does not handle large record sizes well (see RFC8301), which is why Ed25519 public keys would be preferable, but I'm not sure the ecosystem has caught up, so we stay on the conservative side with RSA for now. Fixes: #203 #210 #279 Obsoletes: !162 !338 Supersedes: !246
2025-04-11 05:25:08 +02:00 · 2025-04-11 05:25:08 +02:00 · 630b5c4fdd
commit 630b5c4fdd
parent 2c37e563fd
9 changed files with 78 additions and 123 deletions
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@ -4,6 +4,8 @@ Release Notes
 NixOS 25.05
 -----------

+- OpenDKIM has been removed and DKIM signing is now handled by Rspamd, which only supports ``relaxed`` canoncalizaliaton.
+  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/374>`__)
 - Rspamd now connects to Redis over its Unix Domain Socket by default
  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/375>`__)

--- a/docs/setup-guide.rst
+++ b/docs/setup-guide.rst
@ -173,7 +173,7 @@ Note that it can take a while until a DNS entry is propagated.
 Set ``DKIM`` signature
 ^^^^^^^^^^^^^^^^^^^^^^

-On your server, the ``opendkim`` systemd service generated a file
+On your server, the ``rspamd`` systemd service generated a file
 containing your DKIM public key in the file
 ``/var/dkim/example.com.mail.txt``. The content of this file looks
 like