
dkimproxy signing

  • Lynn Dobbs
    Message 1 of 4 , Oct 2, 2013
      I have a working postfix server (2.8.11) which looks for incoming mail
      on socket, localhost, and my local network. It is also listening on
      port 587 for authenticated users and on port 25 for WAN input.

      I installed dkimproxy (dkimproxy.sourceforge.net) so I can sign my
      outgoing mail. I have it working after a fashion. Correctly, I am not
      signing anything that comes in from the internet on port 25. But I am
      signing everything that comes in on all the other sockets/ports even if
      the final destination is local or virtual. This is clearly unnecessary,
      but I cannot figure out how to sign only those emails not being
      delivered locally or virtually.

      Here is the relevant piece of master.cf

      smtp      unix  -       -       n       -       -       smtp
      127.0.0.1:smtp    inet  n       -       n       -       -       smtpd
          -o content_filter=dksign:[127.0.0.1]:10027

      # LAN clients
      10.0.1.128:smtp   inet  n       -       n       -       -       smtpd
          -o myhostname=maila.office
          -o smtp_bind_address=10.0.1.128
          -o content_filter=dksign:[127.0.0.1]:10027

      # Authenticated clients from the WAN
      <public IP>:587   inet  n       -       n       -       -       smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o content_filter=dksign:[127.0.0.1]:10027
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

      # General, unauthenticated mail from the WAN (no relaying permitted)
      <public IP>:smtp  inet  n       -       n       -       -       smtpd
          -o content_filter=smtp-amavis:127.0.0.1:10024

      # mail to be DKIM signed via content_filter
      dksign    unix  -       -       n       -       4       smtp
          -o smtp_send_xforward_command=yes
          -o smtp_discard_ehlo_keywords=8bitmime,starttls

      And postconf -n

      alias_maps = hash:/etc/aliases
      biff = no
      broken_sasl_auth_clients = no
      config_directory = /etc/postfix
      daemon_directory = /usr/lib/postfix
      default_privs = nobody
      mail_owner = postfix
      mydomain = mydomain.com
      myhostname = host.mydomain.com
      mynetworks = 127.0.0.0/24 10.0.1.0/24
      setgid_group = maildrop
      smtp_bind_address = <public IP>
      smtp_sasl_mechanism_filter = plain
      smtp_tls_security_level = may
      smtpd_reject_unlisted_recipient = yes
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_tls_CApath = /etc/postfix/certs/
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/postfix/ssl/maila-cert.pem
      smtpd_tls_key_file = /etc/postfix/ssl/maila-key.pem
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
      tls_random_source = dev:/dev/urandom
      virtual_alias_maps = pgsql:/etc/postfix/pg_virtual.cf
      virtual_gid_maps = pgsql:/etc/postfix/pg_gids.cf
      virtual_mailbox_base = /var/spool/vmail/
      virtual_mailbox_domains = pgsql:/etc/postfix/pg_domains.cf
      virtual_mailbox_limit = 0
      virtual_mailbox_maps = pgsql:/etc/postfix/pg_mailbox.cf
      virtual_transport = maildrop
      virtual_uid_maps = pgsql:/etc/postfix/pg_uids.cf

      Lynn
      --

      Lynn Dobbs
      Chief Technical Officer
      CreditLink Corporation
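An added example, not code from the original post or from dkimproxy: a small POSIX shell audit that joins master.cf continuation lines and then reports, for every inet smtpd listener, which content_filter it hands mail to and whether it requires SASL, and warns about any listener that reaches the signing transport while being neither bound to a trusted address nor SASL-only. The master.cf it reads is constructed to mirror the one posted above: 203.0.113.10 stands in for the redacted public IP, the trusted prefixes 127. and 10.0.1. are taken from the poster's mynetworks, and a port-2525 listener is added on purpose as the misconfiguration the check is meant to catch. It does not make the signing destination-aware; it only makes visible what the thread is about, namely that a content_filter on an smtpd entry applies to every message that listener accepts, whatever the recipient.

```shell
#!/bin/sh
# Added example: audit which Postfix smtpd listeners hand mail to the DKIM
# signing transport.  Not the original poster's script.  The master.cf
# below is constructed to resemble the one in the post; 203.0.113.10 stands
# in for the redacted public IP and the port-2525 listener is a deliberate
# misconfiguration so that the warning path is exercised.

SAMPLE_MASTER_CF=$(mktemp)
trap 'rm -f "$SAMPLE_MASTER_CF"' EXIT
cat >"$SAMPLE_MASTER_CF" <<'EOF'
smtp      unix  -       -       n       -       -       smtp
127.0.0.1:smtp    inet  n       -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
# LAN clients
10.0.1.128:smtp   inet  n       -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
# Authenticated clients from the WAN
203.0.113.10:587  inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# Unauthenticated mail from the WAN: amavis only, never the signer
203.0.113.10:smtp inet  n       -       n       -       -       smtpd
    -o content_filter=smtp-amavis:127.0.0.1:10024
# Constructed misconfiguration: public listener, no SASL, still signs
203.0.113.10:2525 inet  n       -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
dksign    unix  -       -       n       -       4       smtp
    -o smtp_send_xforward_command=yes
EOF

# master.cf is line-continued: an entry starts in column 1, and every line
# that begins with whitespace (the "-o name=value" overrides) belongs to
# the entry above it.  Join those into one logical line per service.
logical_lines() {
    awk '
        /^[ \t]*(#|$)/  { next }
        /^[^ \t]/       { if (entry != "") print entry; entry = $0; next }
                        { entry = entry " " $0 }
        END             { if (entry != "") print entry }
    ' "$1"
}

# One record per inet smtpd listener: <addr:port> <content_filter|none> <sasl>
# master.cf columns 1-8 are service type private unpriv chroot wakeup maxproc
# command; everything after column 8 is arguments, i.e. the -o overrides.
listeners() {
    logical_lines "$1" | awk '
        $2 == "inet" && $8 == "smtpd" {
            filter = "none"; sasl = "no"
            for (i = 9; i < NF; i++) {
                if ($i != "-o") continue
                key = $(i + 1); val = key
                sub(/=.*/, "", key); sub(/^[^=]*=/, "", val)
                if (key == "content_filter")         filter = val
                if (key == "smtpd_sasl_auth_enable") sasl   = val
            }
            print $1, filter, sasl
        }
    '
}

# Warn for every listener that feeds the signing transport ($2) while bound to
# none of the trusted address prefixes ($3, space-separated) and not SASL-only.
signing_exposure() {
    listeners "$1" | awk -v sign="$2" -v prefixes="$3" '
        BEGIN { n = split(prefixes, p, " ") }
        index($2, sign ":") == 1 {
            trusted = 0
            for (j = 1; j <= n; j++) if (index($1, p[j]) == 1) trusted = 1
            if (!trusted && $3 != "yes")
                print "WARN " $1 " signs mail from unauthenticated clients via " $2
        }
    '
}

listeners "$SAMPLE_MASTER_CF"
signing_exposure "$SAMPLE_MASTER_CF" dksign "127. 10.0.1."
```

On Postfix 2.9 and later, `postconf -Mf` prints master.cf entries already joined, so the logical_lines step can be replaced by that; 2.8.11 predates it, hence the awk. If you try to make signing recipient-dependent with a check_recipient_access map that returns `FILTER dksign:[127.0.0.1]:10027` for non-local domains, keep the access(5) semantics in mind: a FILTER action applies to the entire message and the last one to fire wins, so a message with one external and one local recipient is still signed as a whole.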
    • Patrick Ben Koetter
      Message 2 of 4 , Oct 3, 2013
        Was choosing dkimproxy a deliberate decision? Are you aware amavis is capable of
        DKIM verifying incoming and DKIM signing outgoing messages as well? It would
        simplify your system since it uses amavis anyway.

        * Lynn Dobbs <lynn.dobbs@...>:
        > I have a working postfix server (2.8.11) which looks for incoming
        > mail on socket, localhost, and my local network. It is also
        > listening on port 587 for authenticated users and on port 25 for WAN
        > input.
        >
        > I installed dkproxy (dkimproxy.sourceforge.net) so I can sign my
        > outgoing mail. I have it working after a fashion. Correctly, I am
        > not signing anything that comes in from the internet on port 25. But
        > I am signing everything that comes in on all the other sockets/ports
        > even if the final destination is local or virtual. This is clearly
        > unnecessary, but I cannot figure out how to sign only those emails
        > not being delivered locally or virtually.

        Seems as if dkimproxy is destination unaware or you didn't configure it to be
        aware of them.

        p@rick


        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
        Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Aufsichtsratsvorsitzender: Florian Kirstein
      • Lynn Dobbs
        Message 3 of 4 , Oct 3, 2013

          On 10/03/2013 01:01 AM, Patrick Ben Koetter wrote:
          > Was choosing dkimproxy a deliberate decision? Are you aware amavis is capable of
          > DKIM verifying incoming and DKIM signing outgoing messages as well? It would
          > simplify your system since it uses amavis anyway.

          Amavis looks at mail coming in from the internet on port 25, so I use it to verify. It isn't in the pipeline for mail going out, though. I looked at that option first and decided against it for that reason. I'll look again. Maybe it can be told what parts of itself to use depending on source and destination. Unlike Postfix, the amavis documentation and configuration is confusing to me. I was just pleased that I could get it to spam check incoming mail.

          I was looking over the Postfix documentation again, especially the Architecture Overview page. I really want something that sits in between the qmgr and smtp in the ASCII art of the "How Postfix delivers mail" section.

          I think I am "stuck" with signing anything that comes from a trusted source even if the mail is going to a local or virtual mailbox. It's not a big deal; it just seems a little clumsy. And as beautiful as Postfix is, I dislike adding something clumsy.


        • Jose Borges Ferreira
          Message 4 of 4 , Oct 3, 2013


            > Amavis looks at mail coming in from the internet on port 25, so I use it to verify. It isn't in the pipeline for mail going out, though. I looked at that option first and decided against it for that reason. I'll look again. Maybe it can be told what parts of itself to use depending on source and destination. Unlike Postfix, the amavis documentation and configuration is confusing to me. I was just pleased that I could get it to spam check incoming mail.
            >
            > I was looking over the Postfix documentation again, especially the Architecture Overview page. I really want something that sits in between the qmgr and smtp in the ASCII art of the "How Postfix delivers mail" section.
            >
            > I think I am "stuck" with signing anything that comes from a trusted source even if the mail is going to a local or virtual mailbox. It's not a big deal; it just seems a little clumsy. And as beautiful as Postfix is, I dislike adding something clumsy.

            Then you should go for openDKIM and set it up as a milter.

            José Borges Ferreira
