Re: Discussion of advanced signing decision making

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Thu, 28 Oct 2010 08:23:11 +1100

On Thursday 28 October 2010 05:45:44 Todd Lyons wrote:
> I think that the combination of KeyTable and SigningTable and LUA and
> MTA macros provide all the tools I need to do this, but the specifics
> of how to do it are not something I've had to delve into yet.
> Basically I have this scenario in mind:
>
> 1. Cluster of mail servers on 10.2.1.0/24
> 2. Webmail servers on 10.2.2.0/24
>
> The cluster of mail servers handles both smtp auth and webmail users
> sending. It needs to be able to make the decision:
> 1. Always sign for webmail users if a key exists and if mail is coming
> from 10.2.2.0/24, never verify.

If the webmail program uses smtp-auth underneath, this requirement collapses
into #2. Otherwise specify these webmail servers as InternalHosts.

> 2. Always sign for smtp auth users if mail is authenticated, and use
> the envelope sender to generate the signing domain, never verify.
> 3. Never sign email for forwarded email, but always verify inbound email.

So this would be the PeerList option to specify your internal network of
forwarders. You may need to exclude the webmail hosts and those that do smtp
auth.

(I don't check if auth is given as a signing criteria before the peerlist)
(doco - should opendkim/opendkim.8.in Operation mention PeerList?)


> The complicated part is that the same set of mail servers must make a
> signing decision based on auth, source ip, and whether to use the From
> sender or envelope sender.

There's a lua script in contrib/authheaders-check-setup-hook.lua that enforces
both header and envelope sender.

SigningTable file:/etc/opendkim/signtable.txt

KeyTable file:/etc/opendkim/keytable.txt

signtable.txt
* thekey

keytable.txt
thekey %:oct2010:/etc/opendkim/signkey.private

(note - murray - doco fix opendkim.conf.5 - KeyTable "second value consists
solely of a percent sign ("%")" - should this be "first"?)
Received on Wed Oct 27 2010 - 21:16:40 PST
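One way to lay out the three decisions from the thread in opendkim.conf and its list files, as an added example that is not part of the original message or of the OpenDKIM distribution. The domain example.com, the selector oct2010, the file paths, the socket and the forwarder range 192.0.2.0/24 are assumptions; only the 10.2.2.0/24 webmail range comes from the thread. Rule 2 relies on the MTA passing the authentication macros to the filter, as the reply above notes.

```text
# opendkim.conf (added example; paths, domain, selector, socket are assumed)
Mode                    sv
Syslog                  yes
Socket                  inet:8891@localhost

# Rule 1: webmail hosts on 10.2.2.0/24 are "internal", so their mail is
# signed and never verified. If the webmail front end submits with
# smtp-auth instead, rule 2 already covers it and this entry is not needed.
InternalHosts           /etc/opendkim/internalhosts.txt

# Rule 3: forwarders are accepted without signing or verification.
# Do not list the webmail hosts or smtp-auth clients here, or they will
# bypass signing as well.
PeerList                /etc/opendkim/peerlist.txt

# Rule 2: authenticated submissions are signed; the key and the d= domain
# come from the two tables below.
SigningTable            file:/etc/opendkim/signtable.txt
KeyTable                file:/etc/opendkim/keytable.txt

# /etc/opendkim/internalhosts.txt (assumed contents)
127.0.0.1
::1
10.2.2.0/24

# /etc/opendkim/peerlist.txt (assumed forwarder range)
192.0.2.0/24

# /etc/opendkim/signtable.txt
# Catch-all: every sender address maps to the single key entry "thekey".
*               thekey

# /etc/opendkim/keytable.txt
# Format: name  domain:selector:keyfile. A "%" in the domain field is
# replaced by the apparent sender domain, so d= follows the sender and one
# entry serves every hosted domain (per the doc note in the reply above).
thekey          %:oct2010:/etc/opendkim/signkey.private
```

The caveat with the "%" form is that the signature carries d=<sender domain>, so oct2010._domainkey.<sender domain> must be published in DNS for every domain that can appear as a sender, with the public half of signkey.private; a domain without that record will produce signatures that fail verification downstream. If only some domains are hosted, replace the "*" catch-all with one signtable line per domain (for example "*@example.com thekey").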

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:32:54 PST