
Re: dkimproxy signing

  • Lynn Dobbs
    Message 1 of 4, Oct 3, 2013

      On 10/03/2013 01:01 AM, Patrick Ben Koetter wrote:
      Was choosing dkimproxy a deliberate decision? Are you aware amavis is capable to
      DKIM verify incoming and DKIM sign outgoing messages as well? It would
      simplify your system since it uses amavis anyway.
      
      Amavis looks at mail coming in from the internet on port 25, so I use it to verify. It isn't in the pipeline for mail going out, though.  I looked at that option first and decided against it for that reason. I'll look again.  Maybe it can be told what parts of itself to use depending on source and destination.  Unlike Postfix, the amavis documentation and configuration is confusing to me.  I was just pleased that I could get it to spam check incoming mail.

      I was looking over the Postfix documentation again, especially the Architecture Overview page.  I really want something that sits in between the qmgr and smtp in the ascii art of the "How Postfix delivers mail" section.

      I think I am "stuck" with signing anything that comes from a trusted source even if the mail is going to a local or virtual mailbox.  It's not a big deal; it just seems a little clumsy.  And as beautiful as Postfix is, I dislike adding something clumsy.

      * Lynn Dobbs <lynn.dobbs@...>:
      
      I have a working postfix server (2.8.11) which looks for incoming
      mail on socket, localhost, and my local network.  It is also
      listening on port 587 for authenticated users and on port 25 for WAN
      input.
      
      I installed dkimproxy (dkimproxy.sourceforge.net) so I can sign my
      outgoing mail.  I have it working after a fashion. Correctly, I am
      not signing anything that comes in from the internet on port 25. But
      I am signing everything that comes in on all the other sockets/ports
      even if the final destination is local or virtual. This is clearly
      unnecessary, but I cannot figure out how to sign only those emails
      not being delivered locally or virtually.
      
      Seems as if dkimproxy is destination unaware or you didn't configure it to be
      aware of them.
      
      p@rick
      
      
      
      Here is the relevant piece of master.cf
      
       smtp    unix      -       -       n       -       -       smtp
      # loopback listener (dkimproxy re-injects here after signing)
      127.0.0.1:smtp    inet    n    -    n    -    -    smtpd
          -o content_filter=dksign:[127.0.0.1]:10027
      
      # LAN clients
      10.0.1.128:smtp    inet    n    -    n    -    -    smtpd
          -o myhostname=maila.office
          -o smtp_bind_address=10.0.1.128
          -o content_filter=dksign:[127.0.0.1]:10027
      
      # Authenticated clients from the WAN
      <public IP>:587    inet    n    -    n    -    -    smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o content_filter=dksign:[127.0.0.1]:10027
      # parameter name was misspelled "smptd_client_restrictions" and so was silently ignored
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      
      # General, unauthenticated mail from the WAN (no relaying permitted)
      <public IP>:smtp inet    n    -    n    -    -    smtpd
      # brackets skip the MX lookup, as in the dksign entries above
         -o content_filter=smtp-amavis:[127.0.0.1]:10024
      
      # mail to be dkim signed via content_filter
      dksign    unix  -       -       n       -       4       smtp
          -o smtp_send_xforward_command=yes
          -o smtp_discard_ehlo_keywords=8bitmime,starttls
      
      And postconf -n
      
      alias_maps = hash:/etc/aliases
      biff = no
      broken_sasl_auth_clients = no
      config_directory = /etc/postfix
      daemon_directory = /usr/lib/postfix
      default_privs = nobody
      mail_owner = postfix
      mydomain = mydomain.com
      myhostname = host.mydomain.com
      mynetworks = 127.0.0.0/24 10.0.1.0/24
      setgid_group = maildrop
      smtp_bind_address = <public IP>
      smtp_sasl_mechanism_filter = plain
      smtp_tls_security_level = may
      smtpd_reject_unlisted_recipient = yes
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_tls_CApath = /etc/postfix/certs/
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/postfix/ssl/maila-cert.pem
      smtpd_tls_key_file = /etc/postfix/ssl/maila-key.pem
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
      tls_random_source = dev:/dev/urandom
      virtual_alias_maps = pgsql:/etc/postfix/pg_virtual.cf
      virtual_gid_maps = pgsql:/etc/postfix/pg_gids.cf
      virtual_mailbox_base = /var/spool/vmail/
      virtual_mailbox_domains = pgsql:/etc/postfix/pg_domains.cf
      virtual_mailbox_limit = 0
      virtual_mailbox_maps = pgsql:/etc/postfix/pg_mailbox.cf
      virtual_transport = maildrop
      virtual_uid_maps = pgsql:/etc/postfix/pg_uids.cf
      
      Lynn
      -- 
      
      Lynn Dobbs
      Chief Technical Officer
      CreditLink Corporation
      
      

    • Jose Borges Ferreira
      Message 2 of 4, Oct 3, 2013


        > Amavis looks at mail coming in from the internet on port 25, so I use it to verify. It isn't in the pipeline for mail going out, though.  I looked at that option first and decided against it for that reason. I'll look again.  Maybe it can be told what parts of itself to use depending on source and destination.  Unlike Postfix, the amavis documentation and configuration is confusing to me.  I was just pleased that I could get it to spam check incoming mail.
        >
        > I was looking over the Postfix documentation again, especially the Architecture Overview page.  I really want something that sits in between the qmgr and smtp in the ascii art of the "How Postfix delivers mail" section.
        >
        > I think I am "stuck" with signing anything that comes from a trusted source even if the mail is going to a local or virtual mailbox.  It's not a big deal; it just seems a little clumsy.  And as beautiful as Postfix is, I dislike adding something clumsy.

        Then you should go for openDKIM and setup as milter.

        José Borges Ferreira
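What the milter suggestion above looks like in practice, as an added example that is not part of the thread and not Lynn's configuration: OpenDKIM in sign-only mode, attached with smtpd_milters to the loopback, LAN and submission listeners only, plus non_smtpd_milters for mail injected locally through sendmail(1). The public port 25 listener keeps its content_filter to amavis for verification and gets no signing milter. A milter runs inside smtpd before the message is queued, so there is no re-injection and no second smtp transport; it still cannot see the eventual delivery transport, so mail from trusted hosts to local or virtual mailboxes gets signed too, which is harmless. The domain, hostname and network values are those from the postconf -n output above; the selector name, key path, socket path and the opendkim user are assumptions.

```conf
# /etc/opendkim.conf  (added example; selector, key path, socket and user are assumptions)
Syslog                  yes
UMask                   002
# sign only: amavis on port 25 keeps doing the verifying
Mode                    s
Domain                  mydomain.com
# assumed selector; the public key goes in mail2013._domainkey.mydomain.com
Selector                mail2013
KeyFile                 /etc/opendkim/keys/mydomain.com/mail2013.private
Canonicalization        relaxed/simple
OversignHeaders         From
# same hosts as mynetworks; only mail from these gets signed
InternalHosts           csl:127.0.0.1,10.0.1.0/24
# socket inside the Postfix queue directory so chrooted smtpd can reach it
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
UserID                  opendkim:opendkim

# /etc/postfix/main.cf additions
# (Postfix does not allow trailing comments; keep them on their own lines)
milter_protocol = 6
# accept: if opendkim is down, mail leaves unsigned. Use tempfail if that is worse than a delay.
milter_default_action = accept
# mail from sendmail(1)/pickup; path is relative to queue_directory
non_smtpd_milters = unix:opendkim/opendkim.sock

# /etc/postfix/master.cf: signing milter only on the listeners that take trusted mail
127.0.0.1:smtp    inet  n  -  n  -  -  smtpd
    -o smtpd_milters=unix:opendkim/opendkim.sock

# LAN clients
10.0.1.128:smtp   inet  n  -  n  -  -  smtpd
    -o myhostname=maila.office
    -o smtpd_milters=unix:opendkim/opendkim.sock

# Authenticated clients from the WAN
<public IP>:587   inet  n  -  n  -  -  smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_milters=unix:opendkim/opendkim.sock

# Unauthenticated mail from the WAN: verification via amavis, no signing milter
<public IP>:smtp  inet  n  -  n  -  -  smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
```

Before relying on it, run `opendkim-testkey -d mydomain.com -s mail2013 -vvv` to confirm the published TXT record matches the private key, then send one message through port 587 and one through port 25 and check that only the first carries a DKIM-Signature header. With milter_default_action=accept, an OpenDKIM outage shows up only as unsigned outbound mail, so watch the Postfix log for "milter" connection warnings.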
