On Mon, 28 Oct 2024 23:38:22 +0100,
Tom Li <to...@tomli.me> wrote:
>
> In OpenSMTPD, the semi-unofficial filter-dkimsign filter provides basic
> DKIM mail signing. However, the filter signs all mails it sees regardless
> of user authentication. The standard configuration is to only enable this
> filter on a Unix domain socket (or on a private submission port not used
> for incoming mails, or requires authentication on a public port, etc).
>
> However, often it's desirable to support DKIM signing for logged-in users
> from the public Internet via a standard port, too. The following patches
> introduce a new option "-u", when enabled, only mails from authenticated
> users are signed, mails from unauthenticated users are passed unmodified,
> making filter-dkimsign more useful simple option for servers with simple
> needs.
>

I wonder why you can't use different listeners with and without filters?

For example, I do have the following setup:

    listen on socket
    listen on egress inet4 port smtp tls pki mx.catap.net \
    	filter { admdscrub, "auth", dnsbl }
    listen on egress port submission \
    	tls-require pki mx.catap.net auth <credentials> \
    	mask-src \
    	filter sign

where sign is a filter chain which adds DKIM and ARC signatures for the mail
which is relayed on behalf of authenticated users.

-- 
wbr, Kirill