zeyple breaks opendkim #70

Open · spiderrabbit opened this issue May 10, 2020 · 2 comments

@spiderrabbit

Using DKIM via opendkim on a Debian server.

DKIM is now failing for messages which are not encrypted by zeyple. If I remove content_filter = zeyple from main.cf, DKIM works fine.

If I use zeyple, even on mail that isn't encrypted, the DKIM signature fails:

```
2020-05-10 16:10:47,164 14072 INFO Zeyple ready to encrypt outgoing emails
2020-05-10 16:10:47,165 14072 INFO Processing outgoing message <[email protected]>
2020-05-10 16:10:47,165 14072 INFO Recipient:xxx@xxxx
2020-05-10 16:10:47,165 14072 INFO Trying to encrypt for xxx@xxxx
2020-05-10 16:10:47,189 14072 INFO Key ID: None
2020-05-10 16:10:47,189 14072 WARNING No keys found, message will be sent unencrypted
2020-05-10 16:10:47,189 14072 INFO Sending message <20200xxxx7.0FF85FF36D@xxx>
2020-05-10 16:10:47,229 14072 INFO Message <20200xxxx7.0FF85FF36D@xxxx> sent
```
@spiderrabbit (Author)

Fixed by removing no_milters from

```
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

in /etc/postfix/master.cf

@t-m-w commented Sep 7, 2024

tl;dr: I couldn't find a way to make opendkim work with zeyple due to the improper ordering of milter vs content filter (opendkim is a milter, a before-queue filter, and zeyple is a content filter, an after-queue filter), so I switched to amavisd-new for DKIM signing instead, since it is a content filter too, and now that I think I have figured out a passable configuration, it seems to be working fine.

I know that this isn't entirely on-topic, but searching for solutions to this problem was challenging, and this is one of the top results, so I wanted to leave an informational comment for anyone else struggling with this. This is as-is, but it is working for me. (I also notice now that this was added to a milestone recently. Nice to see!)

I had to scour a few sites to figure out how to set up amavisd-new for DKIM signing. I left some links in comments in the config files below, but here's a useful page from the documentation: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

With my particular setup - which involves relaying - I needed to add some header signing adjustments, which manifested as signature verification failures until I figured out what was happening after a few hours.

You'll need to get your DKIM keys placed somewhere that amavis can read them. I'm using Ubuntu and placed them in a new directory, /etc/amavis/dkim/keys. The amavis user needs to be able to read them, and no other user should be able to.

Here are the config files I used, with the domain replaced with example.com (I also turned on verification):

/etc/amavis/conf.d/51-dkim:

```perl
use strict;

# info from: https://blog.jeanbruenn.info/2021/08/07/amavisd-new-and-dkim/

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'default', '/etc/amavis/dkim/keys/example.com/default.private');
@dkim_signature_options_bysender_maps = ({
    '.' => {d => 'example.com'}
});

# Turn off signing of certain headers that seem to break relaying through my VPS.
# These headers didn't seem to be signed by opendkim, which had been working fine.
# Learned of this feature here: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign
$signed_header_fields{'content-type'} = 0;
$signed_header_fields{'message-id'} = 0;
$signed_header_fields{'mime-version'} = 0;
$signed_header_fields{'received'} = 0;
$signed_header_fields{'user-agent'} = 0;
$signed_header_fields{'x-mailer'} = 0;

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  forward_method => 'smtp:localhost:10025',
  notify_method => 'smtp:localhost:10025',
  terminate_dsn_on_notify_success => 0,

  # see: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

# from https://www.linuxquestions.org/questions/linux-server-73/how-to-dkim-sign-emails-by-amavisd-new-839526/page2.html#post4275274
# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';

# This doesn't really seem to help with anything...?
#@mynetworks = qw(127.0.0.0/8 ::1/128);

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
```

/etc/postfix/master.cf:

Added to bottom:

```
zeyple-and-amavis    unix  -       n       n       -       -       pipe
  user=zeyple argv=/usr/local/bin/zeyple.py ${recipient}

localhost:10026 inet  n       -       n       -       10      smtpd
  -o content_filter=smtp-amavis:localhost:10024
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

# Security level is lowered because we are talking to localhost so do not need TLS.
smtp-amavis unix  -     -     n     -    2   smtp
  -o smtp_tls_security_level=may
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o disable_mime_output_conversion=yes
  -o max_use=20

localhost:10025  inet  n  -    n    -     -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
```

/etc/postfix/main.cf:

Removed the smtpd_milters and non_smtpd_milters lines that I had added for OpenDKIM, or at least OpenDKIM's part in them.

Then, added to bottom:

```
content_filter = zeyple-and-amavis
```

Hopefully this helps someone else, but if not, maybe it will help refresh the memory of future-me.
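A small lint for the ordering problem both comments describe, added here as an example that is not part of this thread or of zeyple. It parses a constructed master.cf fragment and flags any smtpd listener on which re-injected mail skips milters (no_milters) without being handed to another content_filter that could sign it: that is the condition the first comment removed, and the amavis chain in the second comment is the other way of satisfying it. The fragment, service names and the parse/lint helpers are all assumptions made for the demonstration.

```python
import re
# Constructed master.cf fragment modelled on the thread: zeyple re-injects mail into
# localhost:10026, and that listener carries no_milters, so opendkim never re-signs it.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
zeyple    unix  -       n       n       -       -       pipe
  user=zeyple argv=/usr/local/bin/zeyple.py ${recipient}
localhost:10026 inet  n       -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
"""
# The fix from the first comment: drop no_milters on the re-injection listener.
FIXED_MASTER_CF = SAMPLE_MASTER_CF.replace(",no_milters", "")

def parse_master_cf(text):
    """Parse master.cf into {service: {type, command, overrides, args}}.
    Indented lines continue the previous service; '-o key=value' lines are overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                continue
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m:
                services[current]["overrides"][m.group(1)] = m.group(2).strip()
            else:
                services[current]["args"].append(raw.strip())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7],
                             "overrides": {}, "args": []}
    return services

def services_skipping_dkim(text):
    """Return smtpd listeners where mail bypasses milters (no_milters) and is not
    passed on to another content_filter, so nothing downstream can DKIM-sign it."""
    flagged = []
    for name, svc in parse_master_cf(text).items():
        if svc["command"] != "smtpd":
            continue
        opts = svc["overrides"].get("receive_override_options", "").split(",")
        if "no_milters" in opts and not svc["overrides"].get("content_filter"):
            flagged.append(name)
    return flagged
```

Running it on a real /etc/postfix/master.cf is a quick way to confirm that every re-injection path either runs the milter or chains into a signing content filter.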
