Use rspamd for DKIM signing, drop OpenDKIM

OpenDKIM has not been updated in the last 7 years and failed to adopt RFC8463, which introduces Ed25519-SHA256 signatures. It has thereby held back the DKIM ecosystem, which relies on the DNS system to publish its public keys. The DNS system in turn does not handle large record sizes well (see RFC8301), which is why Ed25519 public keys would be preferable, but I'm not sure the ecosystem has caught up, so we stay on the conservative side with RSA for now. Fixes: #203 #210 #279 Obsoletes: !162 !338 Supersedes: !246
2025-04-11 05:25:08 +02:00 · 2025-04-11 05:25:08 +02:00 · 630b5c4fdd
commit 630b5c4fdd
parent 2c37e563fd
9 changed files with 78 additions and 123 deletions
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -22,6 +22,26 @@ let
  postfixCfg = config.services.postfix;
  rspamdCfg = config.services.rspamd;
  rspamdSocket = "rspamd.service";
+
+  rspamdUser = config.services.rspamd.user;
+  rspamdGroup = config.services.rspamd.group;
+
+  createDkimKeypair = domain: let
+    privateKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.key";
+    publicKey = "${cfg.dkimKeyDirectory}/${domain}.${cfg.dkimSelector}.txt";
+  in pkgs.writeShellScript "dkim-keygen-${domain}" ''
+    if [ ! -f "${privateKey}" ]
+    then
+      ${lib.getExe' pkgs.rspamd "rspamadm"} dkim_keygen \
+        --domain "${domain}" \
+        --selector "${cfg.dkimSelector}" \
+        --type "${cfg.dkimKeyType}" \
+        --bits ${toString cfg.dkimKeyBits} \
+        --privkey "${privateKey}" > "${publicKey}"
+      chmod 0644 "${publicKey}"
+      echo "Generated key for domain ${domain} and selector ${cfg.dkimSelector}"
+    fi
+  '';
 in
 {
  config = with cfg; lib.mkIf enable {
@ -66,8 +86,11 @@ in
              }
          ''; };
          "dkim_signing.conf" = { text = ''
-              # Disable outbound email signing, we use opendkim for this
-              enabled = false;
+            enabled = ${lib.boolToString cfg.dkimSigning};
+            path = "${cfg.dkimKeyDirectory}/$domain.$selector.key";
+            selector = "${cfg.dkimSelector}";
+            # Allow for usernames w/o domain part
+            allow_username_mismatch = true
          ''; };
          "dmarc.conf" = { text = ''
              ${lib.optionalString cfg.dmarcReporting.enable ''
@ -119,10 +142,33 @@ in

    services.redis.servers.rspamd.enable = lib.mkDefault true;

+    systemd.tmpfiles.settings."10-rspamd.conf" = {
+      "${cfg.dkimKeyDirectory}" = {
+        d = {
+          # Create /var/dkim owned by rspamd user/group
+          user = rspamdUser;
+          group = rspamdGroup;
+        };
+        Z = {
+          # Recursively adjust permissions in /var/dkim
+          user = rspamdUser;
+          group = rspamdGroup;
+        };
+      };
+    };
+
    systemd.services.rspamd = {
      requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
-      serviceConfig.SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
+      serviceConfig = lib.mkMerge [
+        {
+          SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
+        }
+        (lib.optionalAttrs cfg.dkimSigning {
+          ExecStartPre = map createDkimKeypair cfg.domains;
+          ReadWritePaths = [ cfg.dkimKeyDirectory ];
+        })
+      ];
    };

    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {