Re: Submission and milter_macro_daemon_name parameter

2021-05-15 Thread J Doe

On 2021-05-15 12:08 a.m., Benny Pedersen wrote:

On 2021-05-15 04:30, J Doe wrote:


    1.  Why was the magic value of "ORIGINATING" used in the Digital Ocean example?
    2.  Can I allow the default value of milter_macro_daemon_name to be used _WITHOUT_ affecting OpenDKIM and ClamAV?


In opendkim.conf, use this for MTA:

MTA=ORIGINATING

Then OpenDKIM will only DKIM sign originating mail, not incoming mail on 
port 25.


Hopefully the guides at DO do not say all MTAs must use submission for 
outgoing mail. I see the problem here: an MTA must only use port 25 for 
all outbound mail; any guide that says otherwise is badly written.


clamav-milter supports SASL auth.

Do not use it in clamav-milter if it is not used for developing new virus 
signatures.


Note: I do not use milters anymore; fuglu is better, at least for me :=)


Hi Benny,

Thanks for your reply.

I haven't changed the OpenDKIM configuration script to have: 
MTA=ORIGINATING and my mail flows still seem to work:


1. Clients submitting e-mail via submission have their e-mail DKIM signed.
2. Mail from the world has SPF, DKIM and DMARC validated.

The Digital Ocean tutorial does not say that e-mail has to be submitted 
only via submission, but all my clients submit it this way with SASL 
AUTH.  I do not have SASL AUTH on my port 25 e-mail.


Thanks,

- J


Re: Submission and milter_macro_daemon_name parameter

2021-05-15 Thread Bill Cole

On 2021-05-15 at 20:16:29 UTC-0400 (Sat, 15 May 2021 20:16:29 -0400)
J Doe 
is rumored to have said:

As it stands right now I have not changed any of the milters to 
examine the daemon name of "ORIGINATING" and everything is working.


Is this because I have separate flows - submission and smtpd ?


A milter would only see messages as part of distinct 'flows' if they 
check for the daemon name, as the connections between an MTA and a 
milter are not persistent. The only one of your milters that needs to 
treat inbound and outbound mail differently is OpenDKIM, which in most 
cases can make the sign/verify decision based on other criteria (see the 
OPERATION section of the opendkim man page.)


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Submission and milter_macro_daemon_name parameter

2021-05-15 Thread J Doe

On 2021-05-14 11:38 p.m., Bill Cole wrote:

On 2021-05-14 at 22:30:18 UTC-0400 (Fri, 14 May 2021 22:30:18 -0400)
J Doe 
is rumored to have said:


My questions are:

    1.  Why was the magic value of "ORIGINATING" used in the Digital 
Ocean example?


It's not 'magic' but it is the value that Postfix uses as an example in 
master.cf.


    2.  Can I allow the default value of milter_macro_daemon_name to 
be used _WITHOUT_ affecting OpenDKIM and ClamAV?


That depends on what you want to do with those milters.

If you want to handle incoming (smtp) and outgoing (smtps and/or 
submission) mail differently in your milters, you need a way for the 
milters to tell the difference. The ${daemon_name} macro is the usual 
way for a milter to make that differentiation. It is almost certain that 
you want OpenDKIM to deal with inbound and outbound mail differently 
(signing or verifying.) Using the default value of 
milter_macro_daemon_name for all of the smtp-like services that use 
milters eliminates the ability of your milters to make that 
differentiation. Check the documentation of your milters for details.





Hi Bill,

Thanks for your reply.

You're right - I didn't realize that the master.cf file that ships with 
Postfix uses the same value of "ORIGINATING" for both submission and 
smtps.  With that being the case I can see that Digital Ocean is 
including this as well and that it is not an arbitrary value introduced 
by their tutorial.


Yes, I have different functionality for different mail flows.  For 
submission, where clients are submitting e-mail to be relayed, I make 
use of OpenDKIM to DKIM sign those messages and the ClamAV milter to see 
if anyone submitting e-mail is in fact sending attachments with malware 
(which would indicate that those clients are infected).


Mail to and from "the world" is via an smtpd instance.  For inbound 
e-mail from "the world" I use a Python policy program to check SPF, 
OpenDKIM to validate DKIM signatures and OpenDMARC to check DMARC.


As it stands right now I have not changed any of the milters to examine 
the daemon name of "ORIGINATING" and everything is working.


Is this because I have separate flows - submission and smtpd ?

Thanks,

- J
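As an added example (not any poster's actual configuration), here is how the two flows J describes can be wired up so that the ${daemon_name} macro Bill mentions is what OpenDKIM keys on: the submission service overrides milter_macro_daemon_name (the stock master.cf already suggests this value), and opendkim.conf names that value in its MTA option, so mail on port 25 is verified even when it comes from a loopback or otherwise "internal" address. The milter socket ports, the syslog_name values and the TrustedHosts path are assumptions; J's SPF check is a policy service rather than a milter and so does not appear in smtpd_milters.

```conf
# /etc/postfix/master.cf  (added example; socket ports are assumptions)
#
# Port 25: mail from the world. Milters only verify here, because
# milter_macro_daemon_name keeps its default ($myhostname).
smtp       inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtpd
  -o smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893
#   8891 = OpenDKIM (verifying), 8893 = OpenDMARC

# Port 587: authenticated clients. The daemon_name macro is overridden so
# milters can tell this flow apart from port 25 without any IP lists.
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:7357
#   8891 = OpenDKIM (signing), 7357 = clamav-milter

# /etc/opendkim.conf  (relevant lines only; keyword and value are
# separated by whitespace in this file)
Mode                 sv
# Sign only when Postfix reports daemon_name=ORIGINATING; everything
# else, including port-25 mail from 127.0.0.1, is verified instead.
MTA                  ORIGINATING
# Without the MTA line the sign/verify decision falls back to source
# address matching, e.g.:
# InternalHosts      /etc/opendkim/TrustedHosts
```

With this in place OpenDKIM needs no InternalHosts entries for the submission clients at all; the authenticated service, not the client's IP, is what earns a signature.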


Re: Submission and milter_macro_daemon_name parameter

2021-05-15 Thread Benny Pedersen

On 2021-05-16 02:21, J Doe wrote:


Hi Benny,

Thanks for your reply.

I haven't changed the OpenDKIM configuration script to have:
MTA=ORIGINATING and my mail flows still seem to work:


it depends :=)

1. Clients submitting e-mail via submission have their e-mail DKIM 
signed.


If OpenDKIM just knows 127.0.0.1 as internal, it works; some need more 
IPs to be their own, but with the MTA macro, OpenDKIM trusts that the 
Postfix service is originating without defining any IPs in OpenDKIM.



2. Mail from the world has SPF, DKIM and DMARC validated.


That's inbound, not outbound.

MTA= is only for outbound.

Check the OpenDKIM logs for what it does or does not do; with the MTA 
trick you won't DKIM sign forged senders on port 25, even if the envelope 
sender is local.



The Digital Ocean tutorial does not say that e-mail has to be
submitted only via submission, but all my clients submit it this way
with SASL AUTH.  I do not have SASL AUTH on my port 25 e-mail.


Good, I just hope this stops on my mx.junc.eu; sadly it's not just DO.
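Benny's advice is to check the OpenDKIM logs for what it actually does. As an added example (not from the thread), the script below correlates Postfix and OpenDKIM syslog lines by queue ID and reports, per message, which smtpd service accepted it and whether OpenDKIM signed or verified it; a message signed on the plain port-25 service is exactly the forged-local-sender case Benny describes. The log lines are constructed, and the script assumes the stock master.cf convention of `-o syslog_name=postfix/submission` on the authenticated service.

```python
import re
from collections import defaultdict

# Constructed sample mail.log lines (not taken from the thread). The third
# message arrives on port 25 from localhost and still gets signed, which is
# what an IP-based InternalHosts setup allows and an MTA/daemon_name setup
# prevents.
SAMPLE_LOG = """\
May 15 20:10:01 mx postfix/submission/smtpd[1201]: 4FkPqw3Xyz: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 15 20:10:02 mx opendkim[998]: 4FkPqw3Xyz: DKIM-Signature field added (s=mail, d=example.com)
May 15 20:11:07 mx postfix/smtpd[1177]: 4FkQ1z7Abc: client=mail.remote.example[198.51.100.7]
May 15 20:11:08 mx opendkim[998]: 4FkQ1z7Abc: DKIM verification successful
May 15 20:12:30 mx postfix/smtpd[1177]: 4FkR8m2Def: client=localhost[127.0.0.1]
May 15 20:12:31 mx opendkim[998]: 4FkR8m2Def: DKIM-Signature field added (s=mail, d=example.com)
"""

# Postfix "client=" line: records which smtpd service accepted the message.
CLIENT_RE = re.compile(
    r" (?P<service>postfix/\S*smtpd)\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+)")
# OpenDKIM outcome lines: signing adds a header, verifying reports a result.
SIGNED_RE = re.compile(r" opendkim\[\d+\]: (?P<qid>[0-9A-Za-z]+): DKIM-Signature field added")
VERIFIED_RE = re.compile(r" opendkim\[\d+\]: (?P<qid>[0-9A-Za-z]+): DKIM verification ")


def correlate(log_text):
    """Map queue ID -> {"service", "client", "dkim"} where dkim is
    "signed", "verified" or None."""
    msgs = defaultdict(lambda: {"service": None, "client": None, "dkim": None})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]]["service"] = m["service"]
            msgs[m["qid"]]["client"] = m["client"]
            continue
        m = SIGNED_RE.search(line)
        if m:
            msgs[m["qid"]]["dkim"] = "signed"
            continue
        m = VERIFIED_RE.search(line)
        if m:
            msgs[m["qid"]]["dkim"] = "verified"
    return dict(msgs)


def signed_on_port25(log_text):
    """Queue IDs that OpenDKIM signed although they came in on the
    unauthenticated port-25 service (syslog name postfix/smtpd)."""
    return sorted(
        qid for qid, info in correlate(log_text).items()
        if info["dkim"] == "signed" and info["service"] == "postfix/smtpd"
    )


if __name__ == "__main__":
    for qid, info in correlate(SAMPLE_LOG).items():
        print(f"{qid}: {info['service']} from {info['client']} -> {info['dkim']}")
    print("signed on port 25:", signed_on_port25(SAMPLE_LOG))
```

Run it against a real mail.log (e.g. `correlate(open("/var/log/mail.log").read())`) after changing the MTA setting; an empty result from `signed_on_port25` is what you want to see.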