Wietse Venema:
> Matt Kinni:
> > I have opendkim configured via 'smtpd_milters' to sign all outbound
> > mail, and my domain publishes a "quarantine" dmarc record to enforce the
> > consequences of this.
> >
> > I recently discovered that MAILER-DAEMON messages generated by postfix
> > itself bypass this setup and do /not/ get signed, which unfortunately
> > results in legitimate DSNs being filtered into the sender's spam/junk
> > mail folder due to the dmarc policy (I confirmed this with gmail).
> >
> > After doing some research, I learned that dkim signing can be forced for
> > postfix's internally generated mails by setting 'non_smtpd_milters' in
> > conjunction with 'internal_mail_filter_classes=bounce', however the
> > manpage for the latter parameter has this cautionary message:
> > >
> > > NOTE: It's generally not safe to enable content inspection of
> > > Postfix-generated email messages. The user is warned.
> > >
> >
> > So I'm not sure what the best practice is here; postfix tries hard to
> > prevent being a source of backscatter and thus outbound DSN messages
> > should be rare, but in the event a legitimate bounce does need to be
> > sent out, I'd like it to not end up in the sender's spam folder. On the
> > other hand, miltering mailer-daemon messages adds a point of failure to
> > a privileged message class that should always be expected to succeed,
> > which I imagine is why the manpage discourages it.
>
> It's generally not safe, because Postfix cannot prevent loops when,
> for example,
>
> - header_body_checks issues a FILTER action. Mail would loop between
> Postfix and the content filter until the number of Received: headers
> exceeds the hopcount_limit setting (default: 50).
>
> - I don't quickly have an example of bad things that can happen
> with Milter inspection of Postfix-generated mail. That doesn't mean
> that such bad things don't exist.
So, with that caveat you can turn on DKIM signing of bounce messages.
Wietse
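A main.cf fragment showing the change the thread discusses, side by side with the starting configuration. This is an added example, not configuration posted by either participant; the milter socket (inet:localhost:8891) and the assumption that opendkim is already signing SMTP submissions are mine.

```ini
# main.cf fragment (added example, not from the thread). Assumes opendkim
# listens on inet:localhost:8891 and is already signing for the sending domain.

# Before: only mail entering through smtpd(8) is handed to the milter.
# Bounces are generated internally by bounce(8) and injected via cleanup(8),
# so they never pass through smtpd_milters and leave unsigned.
smtpd_milters = inet:localhost:8891

# After: hand non-SMTP mail to the same milter and opt the bounce class in.
# internal_mail_filter_classes is empty by default; "bounce" covers delivery
# status notifications, "notify" would additionally cover postmaster notices.
non_smtpd_milters = $smtpd_milters
internal_mail_filter_classes = bounce

# Limit the new point of failure: if the milter is unreachable or times out,
# let the bounce through unsigned instead of tempfailing it (default: tempfail).
milter_default_action = accept
```

Two checks before relying on this. First, non_smtpd_milters is not limited to bounces: it also applies to mail submitted with sendmail(1) and to mail re-injected by local aliases or .forward files, so opendkim will now see that traffic too. Second, opendkim only signs for domains it is configured to sign for; confirm with `postconf -n internal_mail_filter_classes non_smtpd_milters` that the settings took effect, then trigger a test bounce and verify that the resulting DSN actually carries a DKIM-Signature header for the domain in its From: line.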