[pfx] Re: smtp_header_checks and opendkim

Sat, 18 Nov 2023 17:15:09 -0800 

Danil Smirnov via Postfix-users:
> Hi all,
> 
> I want to manipulate the headers (add and replace) of the outgoing mail
> before the message is signed by Opendkim. If using smtp_header_checks I see
> that the signature is broken - probably because Opendkim has signed the
> message earlier in the pipeline.
> 
> The signing is configured via the following code:
> 
> postconf -e milter_protocol=2
> postconf -e milter_default_action=accept
> postconf -e smtpd_milters=inet:localhost:12301
> postconf -e non_smtpd_milters=inet:localhost:12301
> 
> Is there a way to put my headers manipulation logic before the point when
> the message is being signed?

Is there any reason why you cannot use canical_maps? The transform
addresses before your signing milter (smtpd propagates its milters
into the cleanup daemon).

    network -> smtpd(with smtpd_milters) -> cleanup(uses canonical_maps
        then smtpd_milters) -> smtp -> network

    sendmail -> postdrop -> pickup -> cleanup(uses canonical_maps
        then non_smtpd_milters) -> smtp -> network

Thst should work with your main.cf settings above, plus a canonical_maps
setting instead of smtp_header_checks.

Otherwise, use a null content filter, do the address mapping in the
SMTP client before the filter, and sign DKIM in the path after the
filter.

    network -> smtpd -> cleanup -> smtp(with smtpd_header_checks
        -> smtpd(with smtpd_milters) -> cleanup(with smtpd_milters)
        -> smtp -> network

    sendmail -> postdrop -> pickup -> cleanup > smtp(with smtpd_header_checks
        -> smtpd(with smtpd_milters) -> cleanup(with smtpd_milters)
        -> smtp -> network

main.cf:
    content_filter = smtp-with-header_checks:127.0.0.1:10027
    milter_protocol = 2
    milter_default_action = accept
    # no smtpd_milters
    # no non_smtpd_milters
    # no smtp_header_checks

master.cf:
    smtp-with-header_checks    unix  -       -       n       -       -       
smtp
        -o { smtp_header_checks = maptype:mapname }
    127.0.0.1:10027            inet  n       -       n       -       -       
smtpd
        -o { smtpd_milters = inet:localhost:12301 }

The example is s little messy, from memory, not tested.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to