On 9/28/06, Henrik Ostergaard <[EMAIL PROTECTED]> wrote:
> My users submit their messages for relaying on port 25 like normal incoming
> messages - meaning that they will be verified before they are signed,

The same dk-filter command usually provides both signing and
verification, deciding which to do based on {client IP or
authenticated user} -AND- the correct domain name.  You must specify
IPs to sign and the domain name.
Use the -i option of dk-filter to specify which IPs should be signed
rather than verified; this usually corresponds to what is listed in
postfix mynetworks. When mail arrives from one of those clients, AND
the domain matches, the mail will be signed rather than verified.  See
"man dk-filter" for more info.

My command line (which works here but may not be correct for everyone)
looks something like this (all one line - replace example.com with
your domain name, adjust paths as appropriate):

# dk-filter -H -S mailgate -M {auth_author} -o Received -s /var/db/certificates/domainkey.private -d example.com -i /var/db/domainkey.clients -u milter -l -p inet:[EMAIL PROTECTED]

and the /var/db/domainkey.clients file is a list of networks that
should be signed, in CIDR notation:
# cat /var/db/domainkey.clients
127.0.0.1
192.168.0.0/16
10.0.0.0/8

--
Noel Jones
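
The sign-or-verify rule described in the message above, modelled as an added example (not part of the original message and not dk-filter's own code). The function names, the exact-match domain comparison and the /8 audit threshold are assumptions made for illustration; the client list is the one quoted in the message.

```python
import ipaddress

# Constructed sample: the client list shown in the message above.
CLIENTS_FILE = """\
127.0.0.1
192.168.0.0/16
10.0.0.0/8
"""

def load_signing_networks(text):
    """Parse one address or CIDR network per line; blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/8
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def sender_domain(address):
    """Domain part of a sender address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()

def decide(client_ip, sender, networks, signing_domain, authenticated=False):
    """Return 'sign' or 'verify' using the rule described in the message:
    (listed client IP OR authenticated user) AND matching domain."""
    ip = ipaddress.ip_address(client_ip)
    trusted = authenticated or any(ip in net for net in networks)
    # Assumption: the domain must match exactly, ignoring case.
    domain_ok = sender_domain(sender) == signing_domain.lower()
    return "sign" if trusted and domain_ok else "verify"

def overly_broad(networks, min_prefix=8):
    """Flag IPv4 entries wider than /min_prefix (hypothetical audit threshold).
    A too-wide entry would let outside clients have their mail signed."""
    return [n for n in networks if n.version == 4 and n.prefixlen < min_prefix]

if __name__ == "__main__":
    nets = load_signing_networks(CLIENTS_FILE)
    for ip, sender in [("192.168.5.20", "alice@example.com"),
                       ("203.0.113.7", "alice@example.com"),
                       ("10.1.2.3", "bob@other.example")]:
        print(ip, sender, "->", decide(ip, sender, nets, "example.com"))
    print("overly broad entries:", overly_broad(nets))
```
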
