On 2022-01-15 20:01, Robert Siemer wrote:

I need to DKIM sign possibly huge emails (up to 150MB).

insane

Conceptually DKIM needs to go over the email twice: once to calculate
and sign the checksum and once to write it out with the result of the
previous step in the headers.¹

what is your planned mailflow?

A DKIM signer can do this by either keeping the message in memory (a
no-go for me) or write it to a file.

will a mount point on tmpfs work, and use this as a tmp path in opendkim?

this is safe as long as postfix has the mail stored on non-tmpfs

all this is documented in amavisd

For the task at hand I want to use a Postfix (filter) mechanism that
allows me to do that without keeping the message in memory and without
having it written to disc twice!

what is your planned mailflow?

So far I see that the after-queue content filter mechanism
(FILTER_README) forces you to write the email to disc again. (And for
no good reason, unfortunately: pipe should pass a read-only file
descriptor of the queue file to filter’s stdin. The filter can use
lseek() on that.)

it's possible to disable milters on 127.0.0.1 so no double check is done for verify, but it makes more sense to configure content filters better in master.cf or, if it's milters, disable them per service

The alternative, the before-queue milter (MILTER_README), is
insufficiently documented for me to see if it avoids keeping the
message in memory and avoids writing the original mail to file twice.
– Maybe some expert here knows if the milter API can avoid that and if
both milter sides, i.e. Postfix and e.g. opendkim indeed do avoid
these pitfalls.

it is not possible to DKIM sign before queue, it does not make sense if this was possible

what is your planned mailflow?

i can only suggest fuglu in prequeue setup
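
The two-pass pattern from the quoted question, as an added example that is not part of this thread and is not Postfix or opendkim code: pass 1 streams the body from a seekable descriptor to compute the `bh=` body hash, pass 2 rewinds with `lseek()` and copies the message out behind the new header. It assumes CRLF line endings and "simple" body canonicalization; the function names are hypothetical, and the `b=` signature over the header fields is left as an empty placeholder.

```python
import base64
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # most bytes held in memory during the copy pass

def body_hash_simple(fd):
    """Pass 1: bh= value, i.e. base64 SHA-256 of the body under 'simple'
    canonicalization (RFC 6376 section 3.4.3). Assumes CRLF line endings."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    held_empty = 0   # empty lines not hashed yet: trailing ones are dropped
    last = b""       # last line fed to the digest
    with os.fdopen(os.dup(fd), "rb") as f:
        for line in f:                 # skip the header section
            if line == b"\r\n":
                break
        for line in f:                 # body, one line in memory at a time
            if line == b"\r\n":
                held_empty += 1
                continue
            digest.update(b"\r\n" * held_empty)  # they were not trailing
            held_empty = 0
            digest.update(line)
            last = line
    if not last.endswith(b"\r\n"):     # empty body or missing final CRLF
        digest.update(b"\r\n")
    return base64.b64encode(digest.digest()).decode()

def emit_signed(fd, signature_header, out):
    """Pass 2: write the finished header, rewind, copy the message unchanged."""
    out.write(signature_header)
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, CHUNK):
        out.write(chunk)

def demo():
    # Constructed sample; the temp file stands in for the queue file.
    msg = (b"From: a@example.org\r\nSubject: t\r\n\r\n"
           b"line one\r\n\r\nline two\r\n\r\n\r\n")
    with tempfile.TemporaryFile() as src, tempfile.TemporaryFile() as dst:
        os.write(src.fileno(), msg)
        bh = body_hash_simple(src.fileno())
        # Placeholder header: b= (the signature over the headers) is left empty.
        hdr = f"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; bh={bh}; b=\r\n"
        emit_signed(src.fileno(), hdr.encode(), dst)
        dst.seek(0)
        return bh, dst.read(), msg
```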
