On 2020-12-30 12:51, Matus UHLAR - fantomas wrote:
On 28.12.20 18:20, Benny Pedersen wrote:
On 2020-12-28 18:09, Matus UHLAR - fantomas wrote:
we have mail gateway where most of internal mail comes already signed, and I'd prefer to sign only mail that is not signed already.
+1
can I dkim-sign only mail that is not already signed?
with policy banks yes
how?
see ORIGINATING
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix
do you have remote local servers using submission/smtps where some mails are already DKIM signed?
you know how to make that with trusted networks and untrusted networks, and XCLIENT IP?
I don't. Advise?
this is part of the problem then
client IP does not work since the same IP sometimes sends signed, sometimes unsigned mail.
amavisd works better if it knows internal networks as well, same as what spamassassin knows
make sure this is all in sync
That's why I ask about only signing mail that is not signed, or, skipping mail that is already signed (with valid signature).
equal to how milters in postfix/sendmail only sign submission/smtps and not port 25, this should be easy
it is not due to what I described above.
... if it was that easy, I would ask a different question, or not ask at all.
opendkim can have MTA=ORIGINATING in its conf, and only mails that are ORIGINATING will be signed, even if IPs are unknown from internal or external IP
if amavisd has xclient data it would work on IP level as well
sorry not using amavisd anymore
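
The opendkim setup mentioned in the last reply, as an added configuration example that is not part of the original thread: Postfix tags the submission listener with a milter daemon name, and opendkim signs only for that name. File paths, the socket address and the other service options are assumptions.

```conf
# /etc/postfix/master.cf  (path assumed)
# Port 25: no override, so the milter sees the default daemon name ($myhostname)
smtp       inet  n  -  n  -  -  smtpd
# Port 587: authenticated submission, tagged ORIGINATING for the milter
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING

# /etc/postfix/main.cf  (socket address assumed)
smtpd_milters = inet:127.0.0.1:8891

# /etc/opendkim.conf  (path assumed)
Socket  inet:8891@127.0.0.1
# MTA: daemon names whose mail opendkim signs
MTA     ORIGINATING
```

This selects by listener, not by whether a message already carries a DKIM-Signature header.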