Hello,

I’m migrating postfix servers to opensmtpd and one use case I found was a single instance being responsible for e.g. 10 domains, where each domain has its own DKIM key, selector, etc. Using opendkim this is easy to do. However, with OpenBSD:

filter-dkimsign works with “filter filter-name proc-exec command”, which means that it’s a “filter” (duh). However, filters can only be applied in listeners with “listen on”, and not “action”s or other configuration options. This means that I can’t create a “filter dkim-sign-example-org”, a “filter dkim-sign-example-net”, and then choose which one to apply using a “match”. I’ll either have to create a filter chain and sign every e-mail with every key, or rely on filter-dkimsign’s support for multiple “-d”s, which has its own issues[1]. Both of these options aren’t great.

Another alternative would be to outsource DKIM signing to rspamd, which is slightly smarter, but this requires using rspamd even when the server is an outgoing-only relay.

Of course, there’s always the option of writing my own smtpd-filters(7) solution but this seems like a problem others have had in the past and somehow solved, and I’m just missing it.

I’ve read that the listeners can use a domain name instead of an interface or IP address, but after looking at create_if_listener and host_dns in parse.y, this simply resolves the domain and listens on the returned IPs, which makes sense. It’s not a recipient-domain-aware system, which is probably a good thing :)

Any ideas on whether this is possible and I just can’t figure it out, or if it would require patches to be achieved?

Thanks,
Antonis

[1]: This requires all domains to have the same private key, and does not work well with SRS as it fails to identify the correct domain and uses the first one always.