Florian,

> >> So, if someone from outside mails to one of my hosted mailing lists,
> >> and these lists change the subject or add a footer, it's fairly normal
> >> that the Authentication-Result shows softfail for DKIM, right?
>
> > Yes, as received by the final recipient, member of a mailing list.
>
> Ok. What I would have expected in this case is that there is at least
> one Authentication-Results header saying that the first instance of
> the mail arrived correctly, before it even came to the mailing list
> software.
Yes, there should be one, unless it is removed by a later stage.

> However, it seems that always only the last instance of the
> Authentication-Results header is in the mail, which of course shows
> softfail for a list that adds footers. Is there any option of
> preserving the first header, stating that the message as arrived was
> OK, before it got mangled by the mailing list software? I tried it
> with local and external domains, the result is always the same.
>
> > The content filter before handing message over to a MLM
> > can add its own Authentication-Result header field, which
> > would indicate the mail as received by a MLM did have a
> > valid signature.
>
> It seems I can't achieve this with my set-up. :-( I can't find out why
> no Authentication-Results header is added.
>
> > There is another possibility, namely the last stage may remove a
> > previous Authentication-Result header field, if it carries the same
> > domain name. This follows from:
>
> Maybe that's the reason why I am missing the first header? If so,
> can/should this be disabled?

This is the most likely reason (after ruling out the possibility that
a recipient was not considered local).

New with 2.7.0-pre13 came a new configuration setting $myauthservid,
which makes it easier to distinguish content filtering instances.
Its value defaults to $myhostname. Previously the only way to control
what domain name ends up in the Authentication-Result header field was
by using a different $myhostname for each instance. As required by
RFC 5451, each content filtering instance also removes such header
fields claiming to be from the same domain.

Try setting a different $myauthservid for each amavisd instance.
It can be changed by a policy bank too, if both the before-MLM and
the after-MLM mail come to the same amavisd.
Something like:

Mailman - mm_cfg.py:

  SMTPHOST = '127.0.0.1'
  SMTPPORT = 10088   # to Postfix, to be DKIM-signed by amavisd

Postfix master.cf:

  # unfiltered, signing-only, mailing list manager fanout
  127.0.0.1:10088 inet n - n - - smtpd
    -o content_filter=amavisfeed-norm:[127.0.0.1]:10028
    -o mynetworks=127.0.0.0/8,[::1]
    -o smtpd_client_restrictions=permit_mynetworks,reject
    ...

amavisd.conf:

  $myauthservid = 'filter1.example.com';

  # mail arriving on port 10028 (from the MLM fanout above) gets this bank
  $interface_policy{'10028'} = 'MLIST-SIGN-NOCHECKS';

  $policy_bank{'MLIST-SIGN-NOCHECKS'} = {
    # sign everything with the list domain's key, regardless of author domain
    dkim_signature_options_bysender_maps => [ { '.' => {
      d => 'list.example.com', c => 'relaxed/simple',
      a => 'rsa-sha256', ttl => 30*24*3600 } } ],
    originating => 1,                           # allows signing
    myauthservid => 'filter-mlm.example.com',   # different authservid
    bypass_decode_parts => 1,
    bypass_header_checks_maps => [1],
    bypass_virus_checks_maps => [1],
    bypass_spam_checks_maps => [1],
    bypass_banned_checks_maps => [1],
    forward_method => 'smtp:[::1]:10025',
    signed_header_fields => { 'Sender' => 1 },
  };

> What still confuses me is the following:
>
> me@localdomain => another@localdomain
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=localdomain
>
> me@localdomain => another@externaldomain
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=localdomain
>
> another@externaldomain => list1@lists.localdomain
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.localdomain
>
> So far, so good.
>
> me@localdomain => list1@lists.localdomain
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=localdomain
>
> me@anotherlocaldomain => lists1@lists.localdomain
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=anotherlocaldomain
>
> So, it seems as soon as the original sender domain is local, the
> respective key is used to sign, rather than the list's key. Is this
> correct, or wrong?

Depends on what you prefer.
When both keys are available for signing, amavisd prefers to sign with
the key matching a domain in a From header field, making the signature
an author-domain signature (see the ADSP RFC). But you can override this
by @dkim_signature_options_bysender_maps, like in the example above.

  Mark

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org
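The following is an added illustration, not code from the thread or from amavisd, of the Authentication-Results behaviour discussed above: a content filter removes existing Authentication-Results fields that claim to be from its own authserv-id before adding its own (the RFC 5451 rule Mark refers to), so two amavisd passes sharing one authserv-id leave only the last result, while distinct $myauthservid values keep both. The sample message, domain names, DKIM placeholder values and result strings are constructed for the example; no real DKIM verification is performed, the pass/fail outcomes are assumed.

```python
"""Simulate two content-filter passes around a mailing-list manager and
show which Authentication-Results (A-R) fields survive, depending on
whether both passes use the same authserv-id.

Constructed example; nothing here calls amavisd or verifies signatures.
"""
import email
from email.message import Message

AR = "Authentication-Results"

# Constructed sample: the message as it arrives from outside, before any
# filtering. DKIM tag values are placeholders.
SAMPLE = """\
From: another@externaldomain.example
To: list1@lists.example.com
Subject: hello
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=externaldomain.example;
 s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Hello list.
"""


def authserv_id(value: str) -> str:
    """Extract the authserv-id from an A-R field value.

    The id is the first token of the value; an optional version number
    may follow it, and the result list starts after the first ';'.
    """
    head = value.split(";", 1)[0].strip()
    return head.split()[0].lower()


def add_auth_result(msg: Message, my_authserv_id: str, result: str) -> int:
    """Emulate one content-filter pass.

    Drop every existing A-R field that claims to be from my_authserv_id,
    then add a fresh one carrying this pass's result. Returns the number
    of fields removed.
    """
    existing = msg.get_all(AR, [])
    kept = [v for v in existing if authserv_id(v) != my_authserv_id.lower()]
    del msg[AR]                 # removes all occurrences of the field
    for v in kept:
        msg[AR] = v             # __setitem__ appends, so order is preserved
    msg[AR] = f"{my_authserv_id}; {result}"
    return len(existing) - len(kept)


def run_pipeline(inbound_id: str, outbound_id: str) -> list:
    """Two amavisd passes around an MLM.

    inbound_id / outbound_id play the role of $myauthservid for the pass
    that verifies the incoming mail and for the pass that handles the
    list's outgoing copy. Returns the A-R field values a subscriber sees.
    """
    msg = email.message_from_string(SAMPLE)
    # Pass 1: inbound filter verifies the author's signature (assumed valid).
    add_auth_result(msg, inbound_id, "dkim=pass header.d=externaldomain.example")
    # The MLM rewrites the Subject and appends a footer, so the original
    # signature can no longer verify.
    msg.replace_header("Subject", "[list1] hello")
    msg.set_payload(msg.get_payload() + "-- \nlist1 mailing list\n")
    # Pass 2: outbound filter re-verifies; the body hash no longer matches.
    add_auth_result(msg, outbound_id,
                    "dkim=fail (body hash did not verify) "
                    "header.d=externaldomain.example")
    return msg.get_all(AR, [])


if __name__ == "__main__":
    print("same authserv-id on both passes:")
    for v in run_pipeline("filter1.example.com", "filter1.example.com"):
        print(f"  {AR}: {v}")
    print("distinct authserv-id per pass:")
    for v in run_pipeline("filter1.example.com", "filter-mlm.example.com"):
        print(f"  {AR}: {v}")
```

With the same id on both passes the subscriber receives a single Authentication-Results field showing the failure; with a distinct id per pass the inbound dkim=pass field survives ahead of the outbound dkim=fail one, which is the outcome the $myauthservid setting is meant to give.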