docker-mailserver: bug report: Rspamd dkim_signing module should have try_fallback = false ?
📝 Preliminary Checks
- I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.
👀 What Happened?
I’m not an rspamd expert by any means, but I was noticing that rspamd seemed to be trying to sign (DKIM) every message – not just outbound email from local domains. For example, if an inbound email from Gmail came in, I’d see something like this logged:
7/19/2023, 11:35:42 AM rspamd_proxy 1295 proxy b2bf53 cannot load dkim key /var/lib/rspamd/dkim/gmail.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/gmail.com.dkim.key' No such file or directory
After some Googling, I came across this issue which basically says that’s the expected result if `try_fallback = true`, which seems to be the default currently:
https://github.com/rspamd/rspamd/issues/2832
Perhaps that should be set to false? I did so in my override.d/dkim_signing.conf and the issue seems to have disappeared without any repercussions that I can tell.
👟 Reproduction Steps
- Enable rspamd
- Send inbound email from external domains
- Check history/error log for rspamd
🐋 DMS Version
v12.1.0
💻 Operating System and Architecture
Debian 11
⚙️ Container configuration files
N/A but can be provided if needed
📜 Relevant log output
7/19/2023, 11:35:42 AM rspamd_proxy 1295 proxy b2bf53 cannot load dkim key /var/lib/rspamd/dkim/gmail.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/gmail.com.dkim.key' No such file or directory
7/19/2023, 11:26:55 AM rspamd_proxy 1294 proxy d6988d cannot load dkim key /var/lib/rspamd/dkim/linkedin.com.dkim.key: cannot stat key file: '/var/lib/rspamd/dkim/linkedin.com.dkim.key' No such file or directory
... ETC ...
About this issue
- State: closed
- Created a year ago
- Comments: 15 (10 by maintainers)
Commits related to this issue
- see https://github.com/docker-mailserver/docker-mailserver/issues/3433#issuecomment-1646532264 — committed to docker-mailserver/docker-mailserver by georglauterbach a year ago
- see https://github.com/docker-mailserver/docker-mailserver/issues/3433#issuecomment-1646532264 (#3439) — committed to docker-mailserver/docker-mailserver by georglauterbach a year ago
After reading through all of this, and looking at the docs etc., I agree that `try_fallback = false;` should be the default. I will provide a PR.

Moreover, we can discuss using `sign_local = false;` instead of our current default. Rspamd does not know about Postfix’s configuration at all, so `mynetworks` from Postfix is not involved here - after all, you can use Rspamd without Postfix perfectly fine. It is Rspamd’s `local_networks` (also see this part of the Rspamd docs). We do not set a default because we cannot confidently guess which networks our users are using. The only setting would be `127.0.0.1/8`; we should add this to our default configuration. So, arguably, `sign_local` should indeed become `false` because we cannot confidently set the defaults that this setting is relying upon. I will provide a PR.

You’re probably going to have to wait on @georglauterbach when he has time to spare, as he’s helming the rspamd feature integration.
In the meantime, this can probably be reproduced offline with two DMS instances and a local DNS (eg: CoreDNS container) + certs (eg: Smallstep container/CLI) if it’s helpful to simulate a third-party like gmail.
The issue you linked seems to be convincing with the last comment though: https://github.com/rspamd/rspamd/issues/2832#issuecomment-479581185
As does this section of the Rspamd DKIM docs. So defaulting to `try_fallback=false` sounds good 👍 I’ll leave that decision to @georglauterbach

Well, I think the fix you mention would be for people who are/were using OpenDKIM to create their local keys and just want rspamd to know where those keys are located for signing outbound mail from local domains – which would be a different issue.
What I’m saying is that rspamd currently seems to be trying to sign all mail – not just outbound mail from local domains you have keys for.
For example, if an email comes in to your server from someone@gmail.com, rspamd will currently try to sign it using a key for gmail.com, which obviously you won’t have 😃 , and will log that it can’t find the key.
Give this a shot on your Docker host some time and see what comes up:
docker exec mailserver cat /var/log/supervisor/rspamd.log | grep 'cannot load dkim key'
I’m thinking you will see results from that and they will likely be from inbound email from remote domains which it shouldn’t be trying to sign – because `try_fallback=true` currently.

I think we may be talking about two different things. 😃
I’m coming into DMS fresh, so I never set up keys via OpenDKIM. Rather I just created them via `setup config dkim domain xxxxxx.com` for each domain and then added entries for them to my rspamd/override.d/dkim_signing.conf. I’ve verified things are signed for my domains when outbound mail is sent.
What I was seeing is that inbound mail (from say gmail.com, linkedin.com, etc.) that gets run through rspamd for filtering was also trying to be signed by rspamd (in addition to being verified). That’s where the log entries about not being able to find keys for gmail.com, linkedin.com, etc. were coming from. Apparently that’s because the current conf has `try_fallback = true` set for the dkim signing module. Setting that to false did stop all of that inbound signing log activity, and my local outbound email is still signed before heading out.
So I’m thinking that’s just not the default that’s wanted? I’m still very new to DMS and rspamd though, so I could be confused. 😃
One other thing I’ve run into (which I can definitely start a new issue for if needed) which is also DKIM related, is RSPAMD’s `allow_username_mismatch` option for DKIM. Basically without that set to true, an authenticated user (user@somedomain.com) won’t have email DKIM signed when sending as another valid domain alias they may have (user@anotherdomain.com). I suppose some may want that strict though? Maybe just something worth including in the config with a comment? Just thinking out loud. 😃

@williamdes I think you hit on the right clue! 😃
Basically I have DMS set up on the side to test before swapping out my current mail server. So I have my current mail server configured to also relay all incoming email to DMS for testing. However, apparently because that mail host is on the local network (mynetworks?), rspamd is trying to add DKIM signing on the mail even though it’s “from” remote domains. As a quick test I changed port forwarding to DMS directly and sent a couple from Gmail which didn’t trigger the dkim key not found warning.
I hope that’s not too confusing! But basically once I move DMS into production I shouldn’t see those signing issues as remote mail will all be from remote host connections.
However that does seem to mean `try_fallback=true` will try to DKIM sign any email accepted from “local” network hosts, regardless of whether the from address is a local domain or not.
So I’m still not sure if that’s what is wanted in the end? Obviously if there is a local relay feeding external email it will hit the situation I was seeing. And really a fall back doesn’t seem necessary if all the local domains have their DKIM key info in dkim_signing.conf explicitly. I’m not sure. That’s probably for your rspamd guru to contemplate.
Sorry for the confusion though, the situation is different than I originally thought.
EDIT: FWIW `sign_local = true;` seems to be involved here also, basically telling rspamd to DKIM sign all email accepted by local connections. `sign_authenticated=true;` is also set which I think(?) is what most people would want/expect – basically sign everything originating from local authenticated users.
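As an added illustration (not a file from the thread or DMS's shipped defaults), here is an rspamd/override.d/dkim_signing.conf that puts the settings discussed above (the maintainer's proposed defaults and the reporter's relay observation) side by side; example.com, the "mail" selector and the key path are placeholders:

```ucl
# rspamd/override.d/dkim_signing.conf (added example; not DMS's default file)
enabled = true;

# Sign mail from users who authenticated over SASL (submission).
sign_authenticated = true;

# Do not sign unauthenticated mail just because it arrived from a "local"
# network: a local relay forwarding gmail.com/linkedin.com mail would
# otherwise be treated as outbound and trigger a signing attempt.
# (DMS's current default is sign_local = true.)
sign_local = false;

# With no fallback, rspamd only signs domains listed in the domain {} block.
# With try_fallback = true it would look for /var/lib/rspamd/dkim/<domain>.dkim.key
# for any sender domain and log "cannot load dkim key" on every miss.
# (DMS's current default is try_fallback = true.)
try_fallback = false;

# Let user@example.com send as an alias in another listed domain and still
# be signed; leave this false if you want the strict behaviour instead.
allow_username_mismatch = true;

# Choose the signing domain from the From: header, then match it below.
use_domain = "header";

domain {
  # Placeholder domain. The key path follows the layout seen in the log
  # lines above; "mail" is assumed to be the selector used when the key
  # was generated with `setup config dkim domain example.com`.
  example.com {
    path = "/var/lib/rspamd/dkim/example.com.dkim.key";
    selector = "mail";
  }
}
```

After restarting the container, the grep from the thread (`grep 'cannot load dkim key'` over /var/log/supervisor/rspamd.log) should stop producing entries for remote sender domains while outbound mail from the listed domains is still signed.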