docs: Rspamd DKIM config simplify via path setting
#3702
using DKIM signing in Rspamd - automatically match keys for domains in dkim_signing.conf
polarathene
left a comment
Nice improvement thanks!
| selector = "mail"; | ||
| path = "/tmp/docker-mailserver/opendkim/keys/$domain/$selector.private"; # this will automatically match keys for domains |
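Review bot: The trailing comment on the `path` line, "this will automatically match keys for domains", does not say where `$domain` and `$selector` get their values. Replace it with a short comment above the line stating whether `$selector` is the `selector = "mail";` value set just above and naming the source of `$domain`, so a reader can work out which key file a given message resolves to.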
Can you please cite the source for this feature? (EDIT: Not necessary, cited below)
I see on the rspamd dkim docs that selector is used as the default with the $selector variable, but $domain is only mentioned in a comment, is that also a fixed fallback value or is it documented somewhere as dynamic?
EDIT: After reading the first section and going over the config example / defaults, I see that $domain is from use_domain setting, which defaults to dynamically sourced from header but could be configured as a fixed domain. While selector defaults to dkim.
This context with source citing is now also part of the related TODO issue: #3778
| selector = "mail"; | ||
| path = "/tmp/docker-mailserver/opendkim/keys/$domain/$selector.private"; # this will automatically match keys for domains | ||
|
|
||
| # domain specific configurations can be provided below: |
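Review bot: The comment `# domain specific configurations can be provided below:` leaves precedence unstated: it does not say whether a domain configured below replaces the `path` and `selector` set above it or only overrides the values it lists. Add one sentence on which setting wins, since both would then apply to the same domain.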
Alternatively there is a simple selector_map setting that references a file of $domain $selector pairs per line.
The $domain is used to lookup the $selector override (if any), similar to how the config here works. Assuming selector_maps is compatible with multiple selectors as well, then the only difference from this config below is configuring different path which we don't really need, and a similar setting path_maps supports.
This feedback has been migrated to a separate TODO issue: #3778
Worth noting perhaps, the default for I think that applies regardless of config approach. Just mentioning for maintainers to be aware of if that ever comes up as a reported problem in future
This can probably be configured with
Yes, just raising awareness about it since it may show up some day as a bug report. If it does it's a simple documentation fix for rspamd/faq page(s) to communicate awareness to users. It's probably unlikely that
@denisix please address the PR feedback; we can then go ahead and merge the PR.
last ping @denisix
As the contributor is not engaging with review feedback, I'll apply my change suggestion.
DMS could better manage this internally and simplify on configuration a user needs to be aware of and manually manage via docs, but that'll need someone to contribute the change. A separate issue for tracking that with all the information discussed here has been opened.
Regarding the concern with use_esld = true and DKIM related rspamd bug reports, maintainers should be aware of this behaviour where it can affect some users that deviate from our happy path of hostname: mail.example.com with [email protected] mail domains if they have trouble with $domain expecting to match a marketing.example.com (eSLD normalization will look for example.com instead, which may not work if the user has [email protected] accounts?), instead of example.com (which is probably what they should adjust for, it's ok to use the same key for subdomains).
Since that setting has nothing to do with the contribution here, it's already true in the docs above, I'll go ahead and merge (we could improve on the docs a bit more by explaining the suggested config further though, especially with the path that isn't actually valid presently)
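The lookup discussed in this thread, modelled as an added example (not code from the PR, DMS or Rspamd): it expands the `path` template for a `From` domain with and without eSLD normalisation and reports whether a key file exists at the result. `SAMPLE_SUFFIXES`, the function names and the temporary key tree are constructed for illustration, and Rspamd's own resolution is only approximated.

```python
import os
import tempfile
from string import Template

# Constructed stand-in for the public suffix list; real eSLD handling
# uses the full list, this set only covers the sample domains below.
SAMPLE_SUFFIXES = {"com", "org", "co.uk"}

def esld(domain, suffixes=SAMPLE_SUFFIXES):
    """Return the registrable domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def resolve_key_path(template, from_domain, selector, use_esld=True):
    """Expand $domain and $selector in a path template (assumed model)."""
    domain = esld(from_domain) if use_esld else from_domain.lower()
    return Template(template).substitute(domain=domain, selector=selector)

def audit(template, from_domains, selector, use_esld=True):
    """Map each From domain to (resolved path, whether a key file exists)."""
    report = {}
    for d in from_domains:
        path = resolve_key_path(template, d, selector, use_esld)
        report[d] = (path, os.path.isfile(path))
    return report

def demo():
    """Constructed key tree holding a key for marketing.example.com only."""
    with tempfile.TemporaryDirectory() as root:
        template = os.path.join(root, "keys", "$domain", "$selector.private")
        key_dir = os.path.join(root, "keys", "marketing.example.com")
        os.makedirs(key_dir)
        open(os.path.join(key_dir, "mail.private"), "w").close()
        domains = ["marketing.example.com"]
        with_esld = audit(template, domains, "mail", use_esld=True)
        without = audit(template, domains, "mail", use_esld=False)
        # Key found only when the subdomain is not reduced to example.com.
        return (with_esld[domains[0]][1], without[domains[0]][1])

if __name__ == "__main__":
    print(demo())
```

Pointing `audit` at a real key directory and the list of mail domains in use shows, before any mail is sent, which domains would resolve to a missing key file.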
Documentation preview for this PR is ready! Built with commit: 405be2c
| # The path location is searched for a DKIM key with these variables: | ||
| # - `$domain` is sourced from the MIME mail message `From` header | ||
| # - `$selector` is configured for `mail` (as a default fallback) | ||
| path = "/tmp/docker-mailserver/dkim/keys/$domain/$selector.private"; |
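Review bot: The comment block documents both variables, but the `path` line points at `/tmp/docker-mailserver/dkim/keys/` without saying whether that directory is where keys are actually stored or a location the reader is expected to adapt. Say which in the comment, and note that `(as a default fallback)` refers to a `selector` setting that is not shown next to this line.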
This path is wrong, currently the keys are in: /tmp/docker-mailserver/opendkim/keys/
I have used path = "/etc/opendkim/keys/$domain/$selector.private"; until now
This path is wrong
It's an example and was explicitly changed to that by me for the docs.
The contributor used /tmp/docker-mailserver/... instead of /etc/... but otherwise they also referred to opendkim.
Not sure why you'd want OpenDKIM as the path for rspamd though? I want this to be a unified location for DKIM keys, but someone will need to contribute that change.
Well, it's more that rspamd wanted to do signing before I would even know it. So I patched the path and selector to use the opendkim path, since opendkim was the first dkim stuff I had set up.
Just feels like there are too many moving components in DMS and without a diagram I cannot decide to shut down one component or another.
Anyway this config allows local dkim signing and that's all I needed to pass
using DKIM signing in Rspamd - automatically match keys for domains in dkim_signing.conf
Description
In dkim_signing.conf, added configuration lines to automatically match domain keys instead of manually adding config for each domain that is configured in DMS