Not possible to cryptographically sign outbound Autocrypt metadata via DKIM

[horia]

We must DKIM-sign the user-provided Autocrypt header, to follow Autocrypt.org Best Practices for E-mail Service Providers.

DKIMproxy hard-coded signed headers (and it's not signing Autocrypt headers.)

Until OpenSMTPD filters (smtpfd) land in OpenBSD (6.5?), we might be stuck with DKIMproxy, instead of signing with Rspamd.

[ghost]

Is there an update here? I would like to get rid of DKIMproxy.

[horia]

The configuration needs an update to use mail/opensmtpd-filters/rspamd to DKIM-sign with mail/rspamd, and drop mail/dkimproxy

[ghost]

I updated my configuration to use mail/opensmtpd-filter-dkimsign instead of mail/rspamd and it seems to work for now. But using it only a few days now.

[hcl]

I have made a working example smtpd.conf to replace the DKIMProxy with opensmtpd-filter-dkimsign for reference.

https://github.com/hcl/caesonia/blob/replace-dkimproxy/src/etc/mail/smtpd.conf

[Katzeilla]

@hcl

Looks good to me, will test this on my setup :)