Messages - AlienMindbender

#1
General Discussion / Re: Postfix/rspamd DKIM signing
August 05, 2021, 12:52:48 PM
Quote from: mimugmail on July 05, 2021, 09:04:23 AM
I'm not sure if I find the time for it. Is there already a feature request in github?

There is at least an open issue in github from March 2021 that was opened by mimugmail...  ;)
https://github.com/opnsense/plugins/issues/2294
#2
I put together a small script that automates the setup of DKIM signing for outgoing e-mails. The keys are created in /root/dkim and uploaded to Redis, and the configuration survives a restart / reboot of the firewall. These are the available commands:
usage: setup-dkim-signing.sh {add|check|del|deleteall} [example.com] [myselector]
  add {example.com} {myselector}
    Generate a new DKIM key (if necessary), upload it into Redis and configure rspamd accordingly.
  check
    Show keys stored in Redis and domains configured in rspamd
  del {example.com} {myselector}
    Delete a single key from Redis and rspamd. The key files will not be deleted.
  deleteall
    Delete all keys from Redis and rspamd. The key files will not be deleted.


So to add a new domain for signing one would simply need to call:
./setup-dkim-signing.sh add example.com myselector
(Update 05.08.2021: Bug: The domain clause in the config file is not formatted properly in case of multiple domains, but this can be fixed manually following the template at the end of this post)

setup-dkim-signing.sh
#!/bin/sh

# setup-dkim-signing.sh
# OPNsense firewall shell script to implement DKIM signing of outgoing e-mails
# Forum thread: https://forum.opnsense.org/index.php?topic=20280.0
# v0.1 20210523 AlienMindbender
#
# Keys are generated with rspamadm and kept in $KEYPATH, uploaded into the Redis
# hash that rspamd's dkim_signing module reads (key_prefix = "DKIM_KEYS", one
# hash field per "selector.domain"), and the signing domains are maintained in a
# single "domain { ... }" block of the rspamd config file between two marker
# comments, so that several domains can be added and removed cleanly.

# prepare environment
COMMAND=$1
DOMAIN=$2
SELECTOR=$3
KEYPATH="/root/dkim"
CONFIGPATH="/usr/local/etc/rspamd/local.d/"
CONFIGFILE="${CONFIGPATH}dkim_signing.conf"
TMPFILE="/tmp/setup-dkim-signing.$$.tmp"
BEGIN_MARK="# BEGIN setup-dkim-signing domains"
END_MARK="# END setup-dkim-signing domains"

# private keys live here: neither the directory nor the key files may be readable by others
umask 077
mkdir -p "$KEYPATH" && chmod 700 "$KEYPATH"
cd "$KEYPATH" || exit 1

usage() {
    echo "usage: setup-dkim-signing.sh {add|check|del|deleteall} [example.com] [myselector]"
    echo "  add {example.com} {myselector}"
    echo "    Generate a new DKIM key (if necessary), upload it into Redis and configure rspamd accordingly."
    echo "  check"
    echo "    Show keys stored in Redis and domains configured in rspamd"
    echo "  del {example.com} {myselector}"
    echo "    Delete a single key from Redis and rspamd. The key files will not be deleted."
    echo "  deleteall"
    echo "    Delete all keys from Redis and rspamd. The key files will not be deleted."
    echo
    exit 1
}

# domain and selector end up in file names, grep/sed patterns and the UCL config:
# allow hostname characters only
validate() {
    for ARG in "$DOMAIN" "$SELECTOR"; do
        case $ARG in
        ""|*[!A-Za-z0-9._-]*)
            echo "Domain and selector may only contain letters, digits, '.', '_' and '-'."
            exit 1 ;;
        esac
    done
}

# OPNsense regenerates the rspamd config from its templates, so the file is made
# immutable (schg) to keep the manual changes and has to be unlocked before every
# edit. Note: once kern.securelevel is raised above 0, schg can no longer be cleared
# without going to single-user mode.
unprotect() {
    [ -f "$CONFIGFILE" ] || { echo "$CONFIGFILE not found."; exit 1; }
    chflags noschg "$CONFIGFILE"
    chmod u+w "$CONFIGFILE"
}

protect() {
    chmod u-w "$CONFIGFILE"
    chflags schg "$CONFIGFILE"
}

# print the per-domain entry lines currently inside the managed block
list_entries() {
    [ -f "$CONFIGFILE" ] || return 0
    sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/p" "$CONFIGFILE" | grep ' { selector = '
}

# rebuild the managed block from the entry lines read on stdin;
# empty input removes the block altogether
write_block() {
    ENTRIES=$(cat)
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$CONFIGFILE" > "$TMPFILE"
    if [ -n "$ENTRIES" ]; then
        {
            echo "$BEGIN_MARK"
            echo "domain {"
            echo "$ENTRIES"
            echo "}"
            echo "$END_MARK"
        } >> "$TMPFILE"
    fi
    # overwrite in place (cat, not mv) so the file keeps its inode and flags
    cat "$TMPFILE" > "$CONFIGFILE"
    rm -f "$TMPFILE"
}

case $COMMAND in
add)
    # check for 3 arguments
    if [ $# -lt 3 ]; then
        echo "Both domain name and selector are required to add a key:"
        echo "  add {example.com} {myselector}"
        exit 1
    fi
    validate
    # generate 2048 bit RSA key; one key file per domain, an existing key is re-used
    # (the DNS record in $DOMAIN.dns then still shows the selector it was generated with)
    if [ -f "$DOMAIN.key" ]; then
        echo "Key file $KEYPATH/$DOMAIN.key exists, skipping key generation"
    else
        echo "Generating new 2048 bit RSA key..."
        rspamadm dkim_keygen -b 2048 -d "$DOMAIN" -s "$SELECTOR" -k "$DOMAIN.key" > "$DOMAIN.dns" || exit 1
        chmod 600 "$DOMAIN.key"
        echo "Done, key stored in $KEYPATH"
    fi
    echo
    # display DNS record
    echo "The following record needs to be added to your DNS zonefile:"
    cat "$DOMAIN.dns"
    echo
    # upload key to Redis: rspamd looks up the hash field "selector.domain" in DKIM_KEYS;
    # -x makes redis-cli read the last argument (the PEM key) from stdin
    echo "Uploading key to Redis..."
    redis-cli -x HSET DKIM_KEYS "$SELECTOR.$DOMAIN" < "$DOMAIN.key"
    echo
    # configure rspamd: drop any existing entry for the domain, then rebuild the block
    echo "Unprotecting rspamd config file..."
    unprotect
    echo "Adding domain $DOMAIN to config file..."
    {
        list_entries | grep -v -F "  $DOMAIN { selector = "
        echo "  $DOMAIN { selector = \"$SELECTOR\"; }"
    } | write_block
    echo "Write protecting rspamd config file..."
    protect
    echo
    echo "Done. Reload rspamd for the configuration change to take effect."
    ;;

check)
    # HKEYS lists the selector.domain fields without dumping the private keys
    echo "*** Redis key storage (fields are selector.domain) ***"
    redis-cli HKEYS DKIM_KEYS
    echo
    echo "*** rspamd configured domains ***"
    list_entries
    echo
    echo "*** rspamd config file protection ***"
    if ls -lo "$CONFIGFILE" 2>/dev/null | grep -q schg; then
        echo "Config file is write protected."
    else
        echo "Config file is not write protected."
    fi
    ;;

del)
    # check for 3 arguments
    if [ $# -lt 3 ]; then
        echo "Both domain name and selector are required to delete a single key:"
        echo "  del {example.com} {myselector}"
        exit 1
    fi
    validate
    echo "Removing key from Redis..."
    redis-cli HDEL DKIM_KEYS "$SELECTOR.$DOMAIN"
    echo
    echo "Unprotecting rspamd config file..."
    unprotect
    echo "Removing domain from configuration file..."
    list_entries | grep -v -F "  $DOMAIN { selector = \"$SELECTOR\"; }" | write_block
    echo "Write protecting rspamd config file..."
    protect
    echo
    echo "Done. Reload rspamd for the configuration change to take effect."
    ;;

deleteall)
    read -r -p "Delete all DKIM keys from Redis and rspamd configuration (y/N)? " REPLY
    case $REPLY in
    [yY])
        echo "Deleting keys from Redis..."
        redis-cli DEL DKIM_KEYS
        echo "Unprotecting rspamd config file..."
        unprotect
        echo "Removing domains from rspamd configuration..."
        write_block < /dev/null
        # the config file stays writable here; the next 'add' protects it again
        echo
        echo "Done."
        ;;
    *)
        echo "Aborting."
        ;;
    esac
    ;;

*)
    usage
    ;;
esac


I have to confess that I am a clumsy and awful coder, plus this is more a hack than a solution, e.g. the setup is made persistent by setting the immutable flag on the configuration file. However, it serves my needs until this feature makes it to the GUI.

Update 05.08.2021
This is what the configuration file should look like:
/usr/local/etc/rspamd/local.d/dkim_signing.conf
enabled = true;
allow_envfrom_empty = true;
allow_hdrfrom_mismatch = true;
allow_hdrfrom_multiple = false;
allow_username_mismatch = true;
auth_only = false;
selector = "dkim";
sign_local = true;
symbol = "DKIM_SIGNED";
try_fallback = false;
use_domain = "header";
use_esld = true;
use_redis = true;
key_prefix = "DKIM_KEYS";
domain {
  example.com { selector = "selectone"; }
  example2.com { selector = "selecttwo"; }
}
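Before publishing the record that rspamadm prints, it pays to validate it, in particular that the selector in the owner name is the one used for the Redis hash field and that p= really is a usable RSA public key. The following checker is an added example, not code from the forum post or from rspamd/OPNsense. Using only the Python standard library, it joins the quoted chunks of a zone-file style TXT record, parses the DKIM tags, base64-decodes p=, walks the DER SubjectPublicKeyInfo to get the modulus size and exponent, and flags keys below 1024 bits (RFC 8301 requires verifiers to reject those) and below 2048 bits. The sample record at the bottom is constructed from a synthetic 2048-bit modulus, so it is structurally valid but not a real key; all function names are my own.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return _der(0x02, body)


def build_spki(n, e):
    """Encode (n, e) as an RSA SubjectPublicKeyInfo; used here only to construct sample data."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_spki(der):
    """Return (modulus_bits, public_exponent) from an RSA SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, algorithm, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(algorithm, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[:1] != b"\x00":
        raise ValueError("public key is not a byte-aligned BIT STRING")
    tag, rsa_public_key, _ = _read_tlv(bit_string, 1)
    n_tag, n, pos = _read_tlv(rsa_public_key, 0)
    e_tag, e, _ = _read_tlv(rsa_public_key, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


# --- DKIM TXT record handling ---

def selector_from_record(text):
    """Selector taken from the owner name ('myselector._domainkey ...'), or None."""
    words = text.split()
    owner = words[0] if words else ""
    return owner.split("._domainkey")[0] if "._domainkey" in owner else None


def parse_record(text):
    """Join the quoted chunks of a zone-file TXT record and split it into DKIM tags."""
    chunks = re.findall(r'"([^"]*)"', text)
    joined = "".join(chunks) if chunks else text.strip()
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # folding whitespace is allowed in values
    return tags


def check_record(text, min_bits=2048):
    """Validate a DKIM TXT record; returns a dict with 'ok', 'bits', 'exponent' and 'problems'."""
    tags = parse_record(text)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an rspamadm RSA key")
    if not tags.get("p"):
        problems.append("p= is missing or empty (an empty p= revokes the selector)")
        return {"ok": False, "bits": 0, "exponent": 0, "problems": problems}
    try:
        bits, exponent = parse_spki(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:
        problems.append(f"p= is not a valid RSA SubjectPublicKeyInfo: {exc}")
        return {"ok": False, "bits": 0, "exponent": 0, "problems": problems}
    if bits < 1024:
        problems.append(f"{bits}-bit key: RFC 8301 verifiers must reject keys shorter than 1024 bits")
    elif bits < min_bits:
        problems.append(f"{bits}-bit key is below the recommended {min_bits} bits")
    return {"ok": not problems, "bits": bits, "exponent": exponent, "problems": problems}


def sample_record(n, e, selector="myselector"):
    """Constructed zone-file style record for a synthetic (n, e); the long p= value is split into quoted chunks."""
    p = base64.b64encode(build_spki(n, e)).decode()
    return f'{selector}._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n\t"p={p[:250]}"\n\t"{p[250:]}" ) ;'


# constructed sample: a synthetic 2048-bit modulus, not a real RSA key
SAMPLE_RECORD = sample_record((1 << 2047) | 0x10001, 65537)

if __name__ == "__main__":
    result = check_record(SAMPLE_RECORD)
    print("selector:", selector_from_record(SAMPLE_RECORD))
    print("key:", result["bits"], "bits, e =", result["exponent"])
    print("OK" if result["ok"] else "PROBLEMS: " + "; ".join(result["problems"]))
```

To check a real record, pass the contents of the .dns file that rspamadm wrote (for example check_record(open("/root/dkim/example.com.dns").read())) and compare selector_from_record() with the selector you used for the Redis hash field; a mismatch means rspamd will sign with a selector for which no public key is published.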
#3
The use of ECC with ZFS is still being promoted though, e.g. also in the official TrueNAS docs:
Quote: Using ECC RAM is strongly recommended
(Source: https://www.truenas.com/docs/hub/intro/corehardwareguide/)

Of course that does not mean that other filesystems would be safer without ECC. I have not seen a comparison on that anywhere yet. It is quite possible that ZFS is in fact the most stable both with and without ECC (and just has the "bad luck" of being the only one to recommend ECC)...  :)
#4
Quote from: JeGr on February 17, 2021, 03:32:43 PM
My point is simply: with ZFS we have a rock-solid, enterprise-grade filesystem in BSD.

That is certainly true, but coming from the BSD corner (FreeNAS / TrueNAS), "rock solid" keeps being tied to conditions:

  • 2 GB RAM is said to be the lower limit for ZFS, without any services,
  • a UPS is said to be standard equipment,
  • and anyone who does not use ECC should go and hide in shame right away, since problems are guaranteed

All of that may be exaggerated, but it contributes to the "respect" (distrust) towards ZFS. I have yet to come across a comment demanding ECC for ext4, NTFS or FAT.
(Which conversely does not mean, of course, that I would prefer FAT over ZFS  ;D)
#5
But a power outage is not a problem for other common journaling filesystems (NTFS, ext3/4...) either. If UFS causes problems there, wouldn't it be easier to just use gjournal as well...?
#6
I can recommend the Grandstream GWN access points. I recently bought three GWN7605, and for approx. €80 you get 2.4 & 5 GHz dual band, MIMO, PoE, VLAN tagging, multi-SSID, centralized management with or without cloud, a captive portal and so on.
#7
General Discussion / Re: Best Practices VLANs?
February 15, 2021, 09:27:36 PM
Quote from: IcarusOPN on February 12, 2021, 10:29:52 PM
Curious about the RLAN. Is that setup through opnsense? Just a VLAN?

My box has 5 NICs. I have each WAN, LAN and DMZ on a dedicated NIC. RLAN and all WLANs share one NIC via VLAN. BCS and CAM share another NIC via VLAN.

Quote from: IcarusOPN on February 12, 2021, 10:29:52 PM
I have all my IoTs connected to my guest account. I don't think my Orbi has the ability to create more than 1 guest wireless. What type of wireless point are you using that does this?

You need an AP that supports multi-SSID and VLAN tagging, plus you need something that will take care of the tagged packets (like a smart switch and / or an OPNsense box). I am currently using three Grandstream GWN7605.
#8
I can only agree. ZFS for storage, e.g. TrueNAS? Absolutely.
For a firewall? There I see other priorities.
#9
German - Deutsch / Re: VLAN Konfiguration
February 11, 2021, 11:47:16 PM
By default, ping is only possible to the LAN interface. Have you created a corresponding firewall rule?
Does it work if you use port-based instead of tagged VLANs?
Is traffic segmentation / port security active on the switch?
#10
General Discussion / Re: Best Practices VLANs?
February 11, 2021, 11:41:07 PM
I've got the following:

  • LAN (PC, NAS with private data, Laptops when on Ethernet)
  • RLAN (restricted LAN: smart TV, sockets for guests - no access to my NAS or building control)
  • BCS (building control system = KNX, photovoltaics, alarm)
  • DMZ (externally reachable DNS, Web and Mailserver)
  • private WLAN (just like LAN)
  • IoT WLAN (Echo Dots...)
  • TV WLAN (separate to allow for bandwidth control)

But "best practice" is always a balance between having a safe setup and still keeping it simple (KISS), and the above is admittedly not simple any more.

I would basically just separate everything of value (private data, NAS) from everything I do not trust (smart TVs, whatever-WLAN-gadget...).

Your access points need to support VLAN tagging and multiple SSIDs for that.
#11
General Discussion / Re: Postfix/rspamd DKIM signing
February 11, 2021, 11:18:27 PM
...that would be great, I'll follow up!  :)
#12
21.1 Legacy Series / Re: Postfix <-> rspamd integration
February 11, 2021, 04:47:11 PM
I followed these steps and it worked for me:
https://docs.opnsense.org/manual/how-tos/mailgateway.html


All services (redis, clamav, rspamd, postfix) must of course be enabled and the milter protocol should be kept on the "IPv6" setting. You actually enable rspamd in the Antispam tab of the postfix settings.
#13
General Discussion / Re: Postfix/rspamd DKIM signing
February 11, 2021, 04:36:32 PM
Hi bubbel,

switching over from a Sophos UTM home licence to OPNsense, I was up to the same task.
It appears to me that especially the rspamd / postfix integration is a work in progress; for DKIM signing the options are uncommented and a bit cryptic, plus there appears to be no way from the GUI to upload / manage the DKIM keys in Redis.

Rspamd would be able to use keys from a config file, but such CLI changes would most probably be overwritten.

There is a generic description on how to use redis based DKIM key storage in the rspamd documentation:
https://rspamd.com/doc/modules/dkim_signing.html#dkim-key-management

I am going to try this approach and I will comment on my findings, should anybody be interested.