Use rspamd for DKIM signing, drop OpenDKIM

OpenDKIM has not been updated in the last 7 years and failed to adopt RFC8463, which introduces Ed25519-SHA256 signatures. It has thereby held back the DKIM ecosystem, which relies on the DNS system to publish its public keys. The DNS system in turn does not handle large record sizes well (see RFC8301), which is why Ed25519 public keys would be preferable, but I'm not sure the ecosystem has caught up, so we stay on the conservative side with RSA for now. Fixes: #203 #210 #279 Obsoletes: !162 !338 Supersedes: !246
2025-04-11 05:25:08 +02:00 · 2025-04-11 05:25:08 +02:00 · 630b5c4fdd
commit 630b5c4fdd
parent 2c37e563fd
9 changed files with 78 additions and 123 deletions
--- a/mail-server/environment.nix
+++ b/mail-server/environment.nix
@ -22,7 +22,7 @@ in
 {
  config = with cfg; lib.mkIf enable {
    environment.systemPackages = with pkgs; [
-      dovecot opendkim openssh postfix rspamd
+      dovecot openssh postfix rspamd
    ] ++ (if certificateScheme == "selfsigned" then [ openssl ] else []);
  };
 }
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@ -1,89 +0,0 @@
-#  nixos-mailserver: a simple mail server
-#  Copyright (C) 2017  Brian Olsen
-#
-#  This program is free software: you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation, either version 3 of the License, or
-#  (at your option) any later version.
-#
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#
-#  You should have received a copy of the GNU General Public License
-#  along with this program. If not, see <http://www.gnu.org/licenses/>
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.mailserver;
-
-  dkimUser = config.services.opendkim.user;
-  dkimGroup = config.services.opendkim.group;
-
-  createDomainDkimCert = dom:
-    let
-      dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
-      dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
-    in
-        ''
-          if [ ! -f "${dkim_key}" ]
-          then
-              ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
-                                                   -d "${dom}" \
-                                                   --bits="${toString cfg.dkimKeyBits}" \
-                                                   --directory="${cfg.dkimKeyDirectory}"
-              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
-              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
-              chmod 644 "${dkim_txt}"
-              echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
-          fi
-        '';
-  createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
-
-  keyTable = pkgs.writeText "opendkim-KeyTable"
-    (lib.concatStringsSep "\n" (lib.flip map cfg.domains
-      (dom: "${dom} ${dom}:${cfg.dkimSelector}:${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key")));
-  signingTable = pkgs.writeText "opendkim-SigningTable"
-    (lib.concatStringsSep "\n" (lib.flip map cfg.domains (dom: "${dom} ${dom}")));
-
-  dkim = config.services.opendkim;
-  args = [ "-f" "-l" ] ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
-in
-{
-    config = mkIf (cfg.dkimSigning && cfg.enable) {
-      services.opendkim = {
-        enable = true;
-        selector = cfg.dkimSelector;
-        keyPath = cfg.dkimKeyDirectory;
-        domains = "csl:${builtins.concatStringsSep "," cfg.domains}";
-        configFile = pkgs.writeText "opendkim.conf" (''
-          Canonicalization ${cfg.dkimHeaderCanonicalization}/${cfg.dkimBodyCanonicalization}
-          UMask 0002
-          Socket ${dkim.socket}
-          KeyTable file:${keyTable}
-          SigningTable file:${signingTable}
-        '' + (lib.optionalString cfg.debug ''
-          Syslog yes
-          SyslogSuccess yes
-          LogWhy yes
-        ''));
-      };
-
-      users.users = optionalAttrs (config.services.postfix.user == "postfix") {
-        postfix.extraGroups = [ "${dkimGroup}" ];
-      };
-      systemd.services.opendkim = {
-        preStart = lib.mkForce createAllCerts;
-        serviceConfig = {
-          ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
-          PermissionsStartOnly = lib.mkForce false;
-        };
-      };
-      systemd.tmpfiles.rules = [
-        "d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
-      ];
-    };
-}
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -126,9 +126,7 @@ let
  inetSocket = addr: port: "inet:[${toString port}@${addr}]";
  unixSocket = sock: "unix:${sock}";

-  smtpdMilters =
-   (lib.optional cfg.dkimSigning "unix:/run/opendkim/opendkim.sock")
-   ++ [ "unix:/run/rspamd/rspamd-milter.sock" ];
+  smtpdMilters = [ "unix:/run/rspamd/rspamd-milter.sock" ];

  policyd-spf = pkgs.writeText "policyd-spf.conf" cfg.policydSPFExtraConfig;

@ -300,9 +298,9 @@ in
        tls_random_source = "dev:/dev/urandom";

        smtpd_milters = smtpdMilters;
-        non_smtpd_milters = lib.mkIf cfg.dkimSigning ["unix:/run/opendkim/opendkim.sock"];
+        non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
        milter_protocol = "6";
-        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+        milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";

        # Fix for https://www.postfix.org/smtp-smuggling.html
        smtpd_forbid_bare_newline = cfg.smtpdForbidBareNewline;
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -22,6 +22,26 @@ let
  postfixCfg = config.services.postfix;
  rspamdCfg = config.services.rspamd;
  rspamdSocket = "rspamd.service";
+
+  rspamdUser = config.services.rspamd.user;
+  rspamdGroup = config.services.rspamd.group;
+
+  createDkimKeypair = domain: let
+    privateKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.key";
+    publicKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.txt";
+  in pkgs.writeShellScript "dkim-keygen-${domain}" ''
+    if [ ! -f "${privateKey}" ]
+    then
+      ${lib.getExe' pkgs.rspamd "rspamadm"} dkim_keygen \
+        --domain "${domain}" \
+        --selector "${cfg.dkimSelector}" \
+        --type "${cfg.dkimKeyType}" \
+        --bits ${toString cfg.dkimKeyBits} \
+        --privkey "${privateKey}" > "${publicKey}"
+      chmod 0644 "${publicKey}"
+      echo "Generated key for domain ${domain} and selector ${cfg.dkimSelector}"
+    fi
+  '';
 in
 {
  config = with cfg; lib.mkIf enable {
@ -66,8 +86,11 @@ in
              }
          ''; };
          "dkim_signing.conf" = { text = ''
-              # Disable outbound email signing, we use opendkim for this
-              enabled = false;
+            enabled = ${lib.boolToString cfg.dkimSigning};
+            path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
+            selector = "${cfg.dkimSelector}";
+            # Allow for usernames w/o domain part
+            allow_username_mismatch = true
          ''; };
          "dmarc.conf" = { text = ''
              ${lib.optionalString cfg.dmarcReporting.enable ''
@ -119,10 +142,33 @@ in

    services.redis.servers.rspamd.enable = lib.mkDefault true;

+    systemd.tmpfiles.settings."10-rspamd.conf" = {
+      "${cfg.dkimKeyDirectory}" = {
+        d = {
+          # Create /var/dkim owned by rspamd user/group
+          user = rspamdUser;
+          group = rspamdGroup;
+        };
+        Z = {
+          # Recursively adjust permissions in /var/dkim
+          user = rspamdUser;
+          group = rspamdGroup;
+        };
+      };
+    };
+
    systemd.services.rspamd = {
      requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
-      serviceConfig.SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
+      serviceConfig = lib.mkMerge [
+        {
+          SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
+        }
+        (lib.optionalAttrs cfg.dkimSigning {
+          ExecStartPre = map createDkimKeypair cfg.domains;
+          ReadWritePaths = [ cfg.dkimKeyDirectory ];
+        })
+      ];
    };

    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@ -76,10 +76,10 @@ in
    systemd.services.postfix = {
      wants = certificatesDeps;
      after = [ "dovecot2.service" ]
-        ++ lib.optional cfg.dkimSigning "opendkim.service"
+        ++ lib.optional cfg.dkimSigning "rspamd.service"
        ++ certificatesDeps;
      requires = [ "dovecot2.service" ]
-        ++ lib.optional cfg.dkimSigning "opendkim.service";
+        ++ lib.optional cfg.dkimSigning "rspamd.service";
    };
  };
 }