On Monday 6. February 2017 01.15.30 frank wrote:
> I literally just did DKIM last week. And the way I did it didn't touch
> qpsmtpd, instead it's a couple helper scripts that feed qmail-remote,
> messages are signed as they're being sent out.

Ah, TIMTOWTDI, I like it! :-)

I think wrapping qmail-remote makes a lot of sense, so I'd like to try 
that too.

> The instructions I
> followed didn't exactly fit my setup but it only really took a couple
> edits to get things working. I'm pretty sure it was helpful that I have
> a real cert signed by a CA rather than self-signed, but maybe it
> doesn't matter(?)

Right. I don't know. I suppose Let's Encrypt certificates can't be used for 
that purpose?

> At the same time I added TLS to qmail-remote so I now transmit email
> encrypted. Separately I activated the TLS plugin on qpsmtpd (mine is
> 0.95) so incoming mail can be encrypted too. I have a second instance
> of qpsmtpd for auth that has been using stunnel3 for encryption for
> years. Both QPs feed the same qmail instance.
> 
> The DKIM instructions I used:
> https://beingasysadmin.wordpress.com/2013/04/30/dkim-signing-in-qmail/
> 
> You will probably have to compile libdomainkeys to get the dktest binary
> because it's not usually included in distro packages. 

Hmmmm. I don't really understand this... Hasn't DomainKeys been completely 
replaced by DKIM? I would have been guessing that using Mail::DKIM with 
the dkimsign.pl script would be sufficient to support DKIM, and the stuff 
that they do with dktest and libdomainkeys is to support the legacy 
DomainKeys that isn't needed anymore?

So, I'm wondering if this could be simplified?

> Qmail TLS patch was from http://inoa.net/qmail-tls/

Cool! I'd like to do that too. 

> Hope this gives you a start.

Yes, it does!

> -frank
> 
> P.S. If you're using tcpserver you should be able to add your subnet to
> your tcp.cdb with a tag to tell QP it's ok. Something like:
> 172.22:allow,RELAYCLIENT=""

OK, but I'm just using forkserver. It's been Just Working for many years 
now :-)

Cheers,

Kjetil
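A wrapper of the kind frank describes (sign on the way out, leave qpsmtpd alone), written here as an added example; it is not frank's script, not Kjetil's setup and not the code from the linked instructions. It assumes Mail::DKIM's dkimsign.pl as the signer (the `--type`, `--method`, `--selector` and `--key` options are the ones that script documents), the real binary renamed to /var/qmail/bin/qmail-remote.real, a selector called `mail` and a key under /var/qmail/control/dkim; all of those names and paths are assumptions. The point it adds to the discussion above is the failure mode: the signer eats stdin, so if signing fails the message cannot be passed on unsigned, and the wrapper has to defer it the way qmail-remote itself defers a failed connection.

```shell
#!/bin/sh
# Hypothetical DKIM-signing wrapper for qmail-remote (added example; not
# frank's scripts, not Kjetil's setup, not the linked instructions).
# Assumed layout: the real binary is moved to /var/qmail/bin/qmail-remote.real
# and this script takes its place. qmail-rspawn runs it as
#     qmail-remote host sender recipient [recipient ...]
# with the message on stdin, and reads the delivery report from stdout.

QMAIL_REMOTE_REAL="${QMAIL_REMOTE_REAL:-/var/qmail/bin/qmail-remote.real}"
DKIM_SELECTOR="${DKIM_SELECTOR:-mail}"                       # assumed selector
DKIM_KEY="${DKIM_KEY:-/var/qmail/control/dkim/private.key}"  # assumed key path
# Signer: Mail::DKIM's dkimsign.pl reads a message on stdin and writes the
# same message with a DKIM-Signature header prepended to stdout. The signing
# domain is taken from the From: header unless told otherwise.
DKIMSIGN="${DKIMSIGN:-dkimsign.pl --type=dkim --method=relaxed --selector=$DKIM_SELECTOR --key=$DKIM_KEY}"

# Report a temporary failure the way qmail-remote itself does (compare its
# temp_noconn()): a "Z" line on stdout, a terminating NUL byte, exit 0.
# qmail-rspawn then leaves the message in the queue for a later retry.
defer() {
    printf 'Z%s (#4.3.0)\n' "$1"
    printf '\000'
    exit 0
}

dkim_relay() {
    tmp=$(mktemp) || defer "cannot create a temporary file for signing"
    # The signer consumes our stdin. If it fails, the message is no longer
    # available to hand to the real qmail-remote, so deferring is the only
    # safe option; never exec the real binary with an empty stdin.
    if ! $DKIMSIGN >"$tmp"; then
        rm -f "$tmp"
        defer "DKIM signing failed"
    fi
    # Open the signed copy, unlink it, then hand the open descriptor to the
    # real qmail-remote as its stdin: no temp file survives the exec.
    exec 3<"$tmp"
    rm -f "$tmp"
    exec "$QMAIL_REMOTE_REAL" "$@" 0<&3 3<&-
}

# Act as the wrapper only when installed under the qmail-remote name
# (qmail-rspawn execs bin/qmail-remote); elsewhere this file just defines
# the functions so they can be exercised by hand.
case "$0" in
    qmail-remote|*/qmail-remote) dkim_relay "$@" ;;
esac
```

Because the real qmail-remote still runs, a TLS patch applied to it (such as the inoa.net one mentioned above) keeps working unchanged; the wrapper only changes what arrives on its stdin. Check `dkimsign.pl --help` on the installed Mail::DKIM before relying on the option names, and verify the result with a DKIM-verifying receiver before pointing the selector's DNS record at the key.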
