Hi Wietse,
thanks for your reply.
On 24.12.2024 at 01:32, Wietse Venema via Postfix-users wrote:
Andreas Kuhlen via Postfix-users:
Hello,
I am running my Postfix server with Amavis, Spamassassin, Clamav and
have added a configuration for OpenDKIM, OpenDMARC and SPF. Sending and
receiving mail is working satisfactorily so far. However, I noticed
today that a DKIM signature field is inserted twice when I send a mail.
The verification is considered valid because it says in the mail headers:
It's not normal for it to be signed twice, or am I wrong?
main.cf:
smtpd_milters = local:opendkim/opendkim.sock, local:opendmarc/opendmarc.sock,
    local:spamass/spamass.sock
non_smtpd_milters = $smtpd_milters
You are using content_filter in master.cf. Given the above in
main.cf, you are signing messages before they go to the filter, and
again after the filter.
Okay, I understand that.
Solutions:
- Use the amavis to sign the messages, instead of a Milter
that plugs into Postfix. Amavis should be able to do that.
- Alternatively, turn off DKIM signing in the before-filter path.
This requires adding in master.cf
{ -o receive_override_options = no_milters }
with every smtp server that has a "content_filter" setting.
https://www.postfix.org/postconf.5.html#receive_override_options
has some tips to avoid doing things before and after a filter.
I don't want to use amavis to sign the messages, rather a Milter.
I've added the following in main.cf
127.0.0.1:10025 inet n - n - - smtpd
  -o syslog_name=postfix/10025
  -o content_filter=
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o strict_rfc821_envelopes=yes
  -o smtp_tls_security_level=none
  -o smtpd_tls_security_level=none
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_end_of_data_restrictions=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings,no_milters
It seems this does the job. I've got only one DKIM signature now. But I
guess this is not fully correct, if I understood you right. The DKIM
signature should be added AFTER all content-filtering has been done. Is
that correct?
The no_milters should also be added like this?
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o receive_override_options=no_milters
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o receive_override_options=no_milters
Is that correct?
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Andreas