Was choosing dkimproxy a deliberate decision? Are you aware amavis is capable of DKIM-verifying incoming and DKIM-signing outgoing messages as well? It would simplify your system since it uses amavis anyway.

* Lynn Dobbs <lynn.do...@creditlink.com>:
> I have a working postfix server (2.8.11) which looks for incoming
> mail on socket, localhost, and my local network. It is also
> listening on port 587 for authenticated users and on port 25 for WAN
> input.
>
> I installed dkproxy (dkimproxy.sourceforge.net) so I can sign my
> outgoing mail. I have it working after a fashion. Correctly, I am
> not signing anything that comes in from the internet on port 25. But
> I am signing everything that comes in on all the other sockets/ports
> even if the final destination is local or virtual. This is clearly
> unnecessary, but I cannot figure out how to sign only those emails
> not being delivered locally or virtually.

Seems as if dkimproxy is destination unaware or you didn't configure it to be aware of them.

p@rick

> Here is the relevant piece of master.cf
>
> smtp unix - - n - - smtp
> 127.0.0.1:smtp inet n - n - - smtpd
>   -o content_filter=dksign:[127.0.0.1]:10027
>
> # LAN clients
> 10.0.1.128:smtp inet n - n - - smtpd
>   -o myhostname=maila.office
>   -o smtp_bind_address=10.0.1.128
>   -o content_filter=dksign:[127.0.0.1]:10027
>
> # Authenticated clients from the WAN
> <public IP>:587 inet n - n - - smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o smptd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> # General, unautenticated mail from the WAN (no relaying permitted)
> <public IP>:smtp inet n - n - - smtpd
>   -o content_filter=smtp-amavis:127.0.0.1:10024
>
> # mail to be dkim signed via content_filter
> dksign unix - - n - 4 smtp
>   -o smtp_send_xforward_command=yes
>   -o smtp_discard_ehlo_keywords=8bitmime,starttls
>
> And Postconf -n
>
> alias_maps = hash:/etc/aliases
> biff = no
> broken_sasl_auth_clients = no
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> default_privs = nobody
> mail_owner = postfix
> mydomain = mydomain.com
> myhostname = host.mydomain.com
> mynetworks = 127.0.0.0/24 10.0.1.0/24
> setgid_group = maildrop
> smtp_bind_address = <public IP>
> smtp_sasl_mechanism_filter = plain
> smtp_tls_security_level = may
> smtpd_reject_unlisted_recipient = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_tls_CApath = /etc/postfix/certs/
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/maila-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/maila-key.pem
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database =
>     btree:/var/lib/postfix/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> virtual_alias_maps = pgsql:/etc/postfix/pg_virtual.cf
> virtual_gid_maps = pgsql:/etc/postfix/pg_gids.cf
> virtual_mailbox_base = /var/spool/vmail/
> virtual_mailbox_domains = pgsql:/etc/postfix/pg_domains.cf
> virtual_mailbox_limit = 0
> virtual_mailbox_maps = pgsql:/etc/postfix/pg_mailbox.cf
> virtual_transport = maildrop
> virtual_uid_maps = pgsql:/etc/postfix/pg_uids.cf
>
> Lynn
> --
>
> Lynn Dobbs
> Chief Technical Officer
> CreditLink Corporation
>

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein