On 10/03/2013 01:01 AM, Patrick Ben Koetter wrote:
> Was choosing dkimproxy a deliberate decision? Are you aware amavis is capable of
> DKIM-verifying incoming and DKIM-signing outgoing messages as well? It would
> simplify your system since it uses amavis anyway.
Amavis looks at mail coming in from the internet on port 25, so I use it
to verify. It isn't in the pipeline for mail going out, though. I looked
at that option first and decided against it for that reason. I'll look
again. Maybe it can be told what parts of itself to use depending on
source and destination. Unlike Postfix, the amavis documentation and
configuration is confusing to me. I was just pleased that I could get
it to spam check incoming mail.
I was looking over the Postfix documentation again, especially the
Architecture Overview <http://www.postfix.org/OVERVIEW.html> page. I
really want something that sits in between the qmgr and smtp in the ASCII
art of the "How Postfix delivers mail" section.
I think I am "stuck" with signing anything that comes from a trusted
source even if the mail is going to a local or virtual mailbox. It's not
a big deal; it just seems a little clumsy. And as beautiful as Postfix
is, I dislike adding something clumsy.
> * Lynn Dobbs <[email protected]>:
>> I have a working postfix server (2.8.11) which looks for incoming
>> mail on socket, localhost, and my local network. It is also
>> listening on port 587 for authenticated users and on port 25 for WAN
>> input.
>> I installed dkimproxy (dkimproxy.sourceforge.net) so I can sign my
>> outgoing mail. I have it working after a fashion. Correctly, I am
>> not signing anything that comes in from the internet on port 25. But
>> I am signing everything that comes in on all the other sockets/ports
>> even if the final destination is local or virtual. This is clearly
>> unnecessary, but I cannot figure out how to sign only those emails
>> not being delivered locally or virtually.
> Seems as if dkimproxy is destination unaware or you didn't configure it to be
> aware of them.
> p@rick
Here is the relevant piece of master.cf:
smtp unix - - n - - smtp
127.0.0.1:smtp inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
# LAN clients
10.0.1.128:smtp inet n - n - - smtpd
  -o myhostname=maila.office
  -o smtp_bind_address=10.0.1.128
  -o content_filter=dksign:[127.0.0.1]:10027
# Authenticated clients from the WAN
<public IP>:587 inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# General, unauthenticated mail from the WAN (no relaying permitted)
<public IP>:smtp inet n - n - - smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
# mail to be DKIM signed via content_filter
dksign unix - - n - 4 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
And postconf -n:
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_privs = nobody
mail_owner = postfix
mydomain = mydomain.com
myhostname = host.mydomain.com
mynetworks = 127.0.0.0/24 10.0.1.0/24
setgid_group = maildrop
smtp_bind_address = <public IP>
smtp_sasl_mechanism_filter = plain
smtp_tls_security_level = may
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CApath = /etc/postfix/certs/
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/maila-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/maila-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
virtual_alias_maps = pgsql:/etc/postfix/pg_virtual.cf
virtual_gid_maps = pgsql:/etc/postfix/pg_gids.cf
virtual_mailbox_base = /var/spool/vmail/
virtual_mailbox_domains = pgsql:/etc/postfix/pg_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = pgsql:/etc/postfix/pg_mailbox.cf
virtual_transport = maildrop
virtual_uid_maps = pgsql:/etc/postfix/pg_uids.cf
Lynn
--
Lynn Dobbs
Chief Technical Officer
CreditLink Corporation
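An added check, not part of the thread or of Postfix or dkimproxy, that audits a master.cf like the one quoted above: it flags any inet listener that hands mail to the dksign filter while being neither bound to an address in mynetworks nor restricted to SASL-authenticated clients, since such a listener would let arbitrary senders obtain DKIM-signed mail for the local domain. The sample master.cf is constructed after the poster's; 203.0.113.10 stands in for "<public IP>" and is an assumption, and the last listener is deliberately misconfigured to show the finding.

```python
import ipaddress
import re
# Constructed sample modelled on the thread's master.cf; 203.0.113.10 stands in
# for the poster's "<public IP>", and the last smtpd entry is deliberately wrong.
SAMPLE_MASTER_CF = """\
127.0.0.1:smtp inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
203.0.113.10:587 inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
203.0.113.10:smtp inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
"""
# mynetworks as printed by the poster's postconf -n.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/24", "10.0.1.0/24")]

def parse_master_cf(text):
    """Return [(service, type, {option: value})]; indented '-o k=v' lines attach to the entry above."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation line
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and entries:
                entries[-1][2][m.group(1)] = m.group(2)
        elif len(fields := line.split()) >= 8:     # service line
            entries.append((fields[0], fields[1], {}))
    return entries

def _on_mynetworks(service):
    """True if the listener is bound to an address inside mynetworks."""
    try:
        addr = ipaddress.ip_address(service.rsplit(":", 1)[0])
    except ValueError:                             # hostname or no address
        return False
    return any(addr in net for net in MYNETWORKS)

def _requires_sasl(opts):
    """True if a restriction list permits only SASL-authenticated clients."""
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        items = opts.get(key, "").split(",")
        if "permit_sasl_authenticated" in items and items[-1] == "reject":
            return True
    return False

def audit_signing_listeners(text, signer="dksign"):
    """inet listeners feeding the signer while reachable by arbitrary clients."""
    return [svc for svc, stype, opts in parse_master_cf(text)
            if stype == "inet"
            and opts.get("content_filter", "").startswith(signer + ":")
            and not (_on_mynetworks(svc) or _requires_sasl(opts))]
```

Run it against the real file with `audit_signing_listeners(open("/etc/postfix/master.cf").read())` after adjusting MYNETWORKS to match `postconf -h mynetworks`.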