Re: sign auto-reply vacation with OpenDKIM

2013-10-20 Thread Jose Borges Ferreira
On Sat, Oct 19, 2013 at 1:10 PM, Alexandre Ellert <aell...@numeezy.com> wrote:


 My final goal is to have all kinds of outbound mail signed by DKIM,
 including bounces, auto-replies... And then announce a reject DMARC policy in
 DNS.

 I already have some kind of separation for inbound/outbound but it's
 probably not optimal...

 - A dedicated IP is used for SMTP inbound and another for users'
 submission/POP/IMAP.

 - Outgoing mails, sent by users, use a dedicated IP (1 per domain).

 - Everything runs on a single machine and actually works :)

 - Bounces and auto-replies are not signed :(



This should be enough for signing bounces.

main.cf
internal_mail_filter_classes = bounce
non_smtpd_milters = inet:localhost:8891

You must also update SigningTable in opendkim.conf to match MAILER-DAEMON

José Borges Ferreira


Re: sign auto-reply vacation with OpenDKIM

2013-10-20 Thread Alexandre Ellert
 

Right now, I added : 

main.cf
non_smtpd_milters = inet:localhost:8891 

master.cf (avoid a double DKIM signature after the amavis check)
127.0.0.1:10025 inet n - n - - smtpd
 -o receive_override_options=no_milters 

I can confirm that vacation auto-replies and mail sent via the
/usr/sbin/sendmail command line from the mail server are correctly
signed by OpenDKIM.

Thanks for your answer. 

Now only bounces remain.

Wietse, you said that it's not safe to use internal_mail_filter_classes
= bounce. 

What are your recommendations?

On 20/10/2013 13:11, Jose Borges Ferreira wrote:

 
 
 This should be enough for signing bounces. 
 
 main.cf
 internal_mail_filter_classes = bounce 
 non_smtpd_milters = inet:localhost:8891 
 
 You must also update SigningTable in opendkim.conf to match MAILER-DAEMON 
 
 José Borges Ferreira
 



Re: sign auto-reply vacation with OpenDKIM

2013-10-20 Thread Viktor Dukhovni
On Sun, Oct 20, 2013 at 09:25:55PM +0200, Alexandre Ellert wrote:

 Wietse, you said that it's not safe to use internal_mail_filter_classes
 = bounce. 
 
 What are your recommendations?

Why do you need to send outbound bounces on the border MTA itself?
You should not accept inbound mail that is going to bounce.  Best
solution is to only send inbound bounces for failed outbound mail,
and your internal users presumably don't need signatures on the
bounce mail.

Don't sign bounces, they may contain malware or other content that
you would not want to sign.

If you really must sign bounces:

- Configure Postfix to send bounces with just the original
  message headers, no body.

bounce_size_limit = 1

- Then either route outbound mail through dedicated Postfix instances
  distinct from those processing inbound mail (appropriate transport
  settings, ...), or enable the unsafe filtering of bounces, these
  should be less risky with header-only bounces.

internal_mail_filter_classes = bounce

-- 
Viktor.
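
The three settings this exchange converges on (non_smtpd_milters so sendmail(1)-submitted auto-replies reach the signer, receive_override_options=no_milters on the amavis re-injection listener so nothing is signed twice, and bounce_size_limit = 1 whenever internal_mail_filter_classes lets bounces through the milter) can be audited mechanically from the config text. The script below is an added example, not code from this thread or from Postfix. It assumes that an empty content_filter= override identifies the re-injection listener, and its sample config is constructed.

```python
# Added example (not from the list posts): audit Postfix config text for this thread's DKIM pitfalls.
import re

def _lines(text):  # drop blank lines and comment lines
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def parse_main_cf(text):
    """Map parameter -> value, joining indented continuation lines."""
    params, key = {}, None
    for line in _lines(text):
        if line[0] in " \t" and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            params[key] = value
    return params

def parse_master_cf(text):
    """List entries as {'service': name, 'options': {-o key: value}}."""
    entries = []
    for line in _lines(text):
        if line[0] not in " \t":
            entries.append({"service": line.split()[0], "options": {}})
        elif entries and (m := re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)):
            entries[-1]["options"][m.group(1)] = m.group(2).strip()
    return entries

def audit(main_cf, master_cf):
    """Return a list of findings; an empty list means the checks pass."""
    p, findings = parse_main_cf(main_cf), []
    if not p.get("non_smtpd_milters"):
        findings.append("non_smtpd_milters unset: sendmail(1)-submitted mail "
                        "such as vacation auto-replies is never signed")
    classes = re.split(r"[,\s]+", p.get("internal_mail_filter_classes", ""))
    if "bounce" in classes and p.get("bounce_size_limit") != "1":
        findings.append("bounces pass through milters but bounce_size_limit "
                        "is not 1: signed bounces would carry the full body")
    for e in parse_master_cf(master_cf):
        # Assumption: an empty content_filter= override marks the amavis re-injection listener.
        opts = e["options"]
        if opts.get("content_filter") == "" and "no_milters" not in \
                opts.get("receive_override_options", "").split(","):
            findings.append(e["service"] + ": add receive_override_options="
                            "no_milters to avoid a second DKIM signature")
    return findings

# Constructed sample modelled on the thread's configuration (two issues present).
MAIN_CF = "non_smtpd_milters = inet:localhost:8891\ninternal_mail_filter_classes = bounce\n"
MASTER_CF = ("127.0.0.1:10025 inet n - n - - smtpd\n -o content_filter=\n"
             " -o receive_override_options=no_unknown_recipient_checks\n")
```

Running audit(MAIN_CF, MASTER_CF) reports the missing bounce_size_limit and the re-injection listener that still runs the milters; adding both settings empties the list.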


Re: sign auto-reply vacation with OpenDKIM

2013-10-20 Thread Wietse Venema
Alexandre Ellert:
 Right now, I added : 
 
 main.cf
 non_smtpd_milters = inet:localhost:8891 
 
 master.cf (avoid a double DKIM signature after the amavis check)
 127.0.0.1:10025 inet n - n - - smtpd
  -o receive_override_options=no_milters 
 
 I can confirm that vacation auto-replies and mail sent via the
 /usr/sbin/sendmail command line from the mail server are correctly
 signed by OpenDKIM.
 
 Thanks for your answer. 
 
 Now only bounces remain.
 
 Wietse, you said that it's not safe to use internal_mail_filter_classes
 = bounce. 
 
 What are your recommendations?

See my reply in the thread "Error in milter documentation" five
hours ago, date-stamped Sun, 20 Oct 2013 10:21:05 -0400 (EDT).

Wietse


Re: sign auto-reply vacation with OpenDKIM

2013-10-19 Thread Alexandre Ellert
 

My final goal is to have all kinds of outbound mail signed by DKIM,
including bounces, auto-replies... And then announce a reject DMARC policy
in DNS.

I already have some kind of separation for inbound/outbound but it's
probably not optimal...

- A dedicated IP is used for SMTP inbound and another for users'
submission/POP/IMAP.

- Outgoing mails, sent by users, use a dedicated IP (1 per domain).

- Everything runs on a single machine and actually works :)

- Bounces and auto-replies are not signed :(

Here is the relevant part of my configuration : 

master.cf 

# IP xx.xx.xx.1 is MX and only used to receive mail from remote MTA
xx.xx.xx.1:smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
 # OpenDKIM and OpenDMARC check compliance
 -o smtpd_milters=inet:$dkim_milter,$dmarc_milter
 # don't know if I really need this line?
 -o non_smtpd_milters=inet:$dkim_milter,$dmarc_milter
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy

# IP xx.xx.xx.2 for users submission only
xx.xx.xx.2:submission inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 -o smtpd_milters=inet:$dkim_milter

# IP xx.xx.xx.3 only used for outbound mail of domain1.com
out_domain1 unix - - n - - smtp
 -o smtp_bind_address=xx.xx.xx.3
 -o smtp_helo_name=domain1.com
 -o syslog_name=postfix-customer-domain1 

# IP xx.xx.xx.4 only used for outbound mail of domain2.com
out_domain2 unix - - n - - smtp
 -o smtp_bind_address=xx.xx.xx.4
 -o smtp_helo_name=domain2.com
 -o syslog_name=postfix-customer-domain2 

# Amavis part 

amavis unix - - - - 2 smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_mime_output_conversion=yes 

127.0.0.1:10025 inet n - n - - smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o strict_rfc821_envelopes=yes
 -o receive_override_options=no_unknown_recipient_checks
 -o cleanup_service_name=smtp-cleanup
 -o local_header_rewrite_clients= 

main.cf : 

# we don't have a LAN, customers connect from the Internet to get/send mail
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# bind to main IP
smtp_bind_address = xx.xx.xx.1
# each customer uses its own outgoing IP
sender_dependent_default_transport_maps =
 hash:/etc/postfix/sender_transport
# postfix-policyd-spf-python is used here
smtpd_recipient_restrictions = reject_unauth_destination,
 check_policy_service unix:private/policy-spf

# amavis scan inbound and outbound mails 

content_filter = amavis:[127.0.0.1]:10024 

sender_transport : 

@domain1.com out_domain1:
@domain2.com out_domain2: 

Let me know if you need more information, and thanks for your precious
advice.

Alexandre 

On 18/10/2013 23:25, Viktor Dukhovni wrote:

 On Fri, Oct 18, 2013 at 10:49:33PM +0200, Alexandre Ellert wrote:
 
 Postfix currently does not apply content filters to mail that is forwarded 
 or aliased internally, or to mail that is generated internally such as 
 bounces or Postmaster notifications. This may be a problem when you want to 
 apply a signing Milter to such mail
 
 Internally, means internally by Postfix.
 
 So, can you confirm that auto-reply messages from Dovecot are considered
 bounces and cannot be signed by OpenDKIM?
 
 An auto-reply from Dovecot is not generated internally by Postfix.
 

Re: sign auto-reply vacation with OpenDKIM

2013-10-18 Thread Viktor Dukhovni
On Fri, Oct 18, 2013 at 10:49:33PM +0200, Alexandre Ellert wrote:

 Postfix currently does not apply content filters to mail that is
 forwarded or aliased internally, or to mail that is generated internally
 such as bounces or Postmaster notifications. This may be a problem when
 you want to apply a signing Milter to such mail 

Internally, means internally by Postfix.

 So, can you confirm that auto-reply messages from Dovecot are considered
 bounces and cannot be signed by OpenDKIM?

An auto-reply from Dovecot is not generated internally by Postfix.

-- 
Viktor.

P.S.

In larger enterprise environments, the outbound path is separate
from the inbound path, and bounce notices from the inbound MTA are
best routed through the outbound MTA (whose bounces are in turn
inbound, ...).  With DKIM signing on the outbound path, and
verification on the inbound path, bounce messages from inbound mail
can still get signed (if that's desired).


Re: sign auto-reply vacation with OpenDKIM

2013-10-18 Thread Patrick Ben Koetter
* Viktor Dukhovni postfix-users@postfix.org:
 On Fri, Oct 18, 2013 at 10:49:33PM +0200, Alexandre Ellert wrote:
 
  Postfix currently does not apply content filters to mail that is
  forwarded or aliased internally, or to mail that is generated internally
  such as bounces or Postmaster notifications. This may be a problem when
  you want to apply a signing Milter to such mail 
 
 Internally, means internally by Postfix.
 
  So, can you confirm that auto-reply messages from Dovecot are considered
  bounces and cannot be signed by OpenDKIM?
 
 An auto-reply from Dovecot is not generated internally by Postfix.

An unverified speculation/idea:

Maybe it isn't signed because messages enter via the sendmail-command and
non_smtpd_milters isn't configured.

It is possible to set a $postmaster_address in Dovecot and tell it to use SMTP
instead of sendmail command:

# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
#submission_host =

p@rick

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein