My final goal is to have all kinds of outbound mail signed by DKIM, including bounces, auto-replies... and then announce a reject DMARC policy in DNS.

I already have some kind of separation for inbound/outbound but it's probably not optimal...
- A dedicated IP is used for SMTP inbound and another for user submission/POP/IMAP.
- Outgoing mail, sent by users, uses a dedicated IP (1 per domain).
- Everything runs on a single machine and actually works :)
- Bounces and auto-replies are not signed :(

Here is the relevant part of my configuration:

master.cf:

# IP xx.xx.xx.1 is MX and only used to receive mail from remote MTA
xx.xx.xx.1:smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
  -o smtpd_milters=inet:$dkim_milter,$dmarc_milter # OpenDKIM and OpenDMARC check compliance
  -o non_smtpd_milters=inet:$dkim_milter,$dmarc_milter # don't know if I really need this line?
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy

# IP xx.xx.xx.2 for users submission only
xx.xx.xx.2:submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_milters=inet:$dkim_milter

# IP xx.xx.xx.3 only used for outbound mail of domain1.com
out_domain1 unix - - n - - smtp
  -o smtp_bind_address=xx.xx.xx.3
  -o smtp_helo_name=domain1.com
  -o syslog_name=postfix-customer-domain1

# IP xx.xx.xx.4 only used for outbound mail of domain2.com
out_domain2 unix - - n - - smtp
  -o smtp_bind_address=xx.xx.xx.4
  -o smtp_helo_name=domain2.com
  -o syslog_name=postfix-customer-domain2

# Amavis part
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_mime_output_conversion=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks
  -o cleanup_service_name=smtp-cleanup
  -o local_header_rewrite_clients=

main.cf:

# we don't have a LAN, customers connect from the Internet to get/receive mail
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# bind to main IP
smtp_bind_address = xx.xx.xx.1
# each customer uses its own outgoing IP
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
# postfix-policyd-spf-python is used here
smtpd_recipient_restrictions = ...., reject_unauth_destination, check_policy_service unix:private/policy-spf
# amavis scans inbound and outbound mail
content_filter = amavis:[127.0.0.1]:10024

sender_transport:

@domain1.com out_domain1:
@domain2.com out_domain2:

Let me know if you need more information and thanks for your precious advice.

Alexandre

On 18/10/2013 23:25, Viktor Dukhovni wrote:
> On Fri, Oct 18, 2013 at 10:49:33PM +0200, Alexandre Ellert wrote:
>
>> "Postfix currently does not apply content filters to mail that is forwarded
>> or aliased internally, or to mail that is generated internally such as
>> bounces or Postmaster notifications. This may be a problem when you want to
>> apply a signing Milter to such mail"
>
> Internally, means "internally by Postfix".
>
>> So, can you confirm that auto-reply message from dovecot are considered as
>> bounces and are impossible to get signed by OpenDKIM ?
>
> An auto-reply from Dovecot is not generated internally by Postfix.
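
Added example, not part of the original message or of Postfix: a small Python audit that parses master.cf entries like the ones posted above and lists, for each smtpd listener, which milter settings it overrides, so it is easy to see at which entry points the signing milter is attached. The sample is a constructed, trimmed copy of the posted entries; the function names are hypothetical and option values are assumed to contain no whitespace.

```python
# Constructed sample: trimmed from the master.cf entries quoted in the message above.
SAMPLE_MASTER_CF = """\
# MX listener
xx.xx.xx.1:smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
  -o smtpd_milters=inet:$dkim_milter,$dmarc_milter
  -o non_smtpd_milters=inet:$dkim_milter,$dmarc_milter
xx.xx.xx.2:submission inet n - - - - smtpd
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:$dkim_milter
out_domain1 unix - - n - - smtp
  -o smtp_bind_address=xx.xx.xx.3
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
"""

def logical_lines(text):
    """Yield master.cf entries: a line starting with whitespace continues the previous one."""
    entry = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and entry is not None:
            entry += " " + raw.strip()
        else:
            if entry is not None:
                yield entry
            entry = raw.strip()
    if entry is not None:
        yield entry

def parse_services(text):
    """Map service name -> (command, {overridden parameter: value}) for every entry."""
    services = {}
    for entry in logical_lines(text):
        fields = entry.split()  # assumption: no whitespace inside an option value
        args = fields[8:]       # fields 0-7: name type private unpriv chroot wakeup maxproc command
        pairs = [a for flag, a in zip(args, args[1:]) if flag == "-o" and "=" in a]
        services[fields[0]] = (fields[7], dict(p.split("=", 1) for p in pairs))
    return services

def milter_overrides(text):
    """For smtpd entries, return their milter overrides; an empty dict means main.cf applies."""
    wanted = ("smtpd_milters", "non_smtpd_milters")
    return {name: {p: opts[p] for p in wanted if p in opts}
            for name, (cmd, opts) in parse_services(text).items() if cmd == "smtpd"}

if __name__ == "__main__":
    for name, found in milter_overrides(SAMPLE_MASTER_CF).items():
        print(name, found or "(no override: main.cf value applies)")
```
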