Re: proper syntax for SenderHeaders in opendkim.conf

From: Patrick Proniewski <patpro_at_patpro.net>
Date: Thu, 29 Jan 2015 14:45:27 +0100

On 29 Jan 2015, at 12:46, A. Schulze wrote:

>> I want to sign everything going out
>
> try
>
> opendkim.conf:
> SigningTable refile:/path/to/signingtable
> KeyTable file:/path/to/keytable
> MTA MLM-SUBMISSION
>
> signingtable
> * signall
>
> keytable
> signall signing_domain:selector:/path/to/key


Ok, so a catch-all SigningTable can work. I'm going to give it a try after reviewing my config.


> The challenge is to not sign every message passing your MTA but only those arriving via a special
> input channel. For that I usually define a submission channel in postfix
>
> master.cf
> localhost:submission inet n - - - - smtpd
>     -o milter_macro_daemon_name=MLM-SUBMISSION
>     -o mynetworks=127.0.0.1,[::1]
>     -o smtpd_milters=${opendkim_signer}
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
>     -o syslog_name=postfix/mlm-submission
>
> main.cf
> opendkim_signer = inet:localhost:12345
>
> Now configure your list manager to submit via smtp at localhost:587

I'm already using a dedicated smtpd on localhost, so that every email created is handed to opendkim:

127.0.0.1:smtp inet n - n - 5 smtpd
    -o smtpd_client_connection_count_limit=10
    -o disable_mime_output_conversion=yes
    -o smtpd_milters=inet:127.0.0.1:8891
    -o non_smtpd_milters=inet:127.0.0.1:8891

and a submission interface with authentication for remote users:

submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    ../..
    -o smtpd_milters=inet:127.0.0.1:8891
    -o non_smtpd_milters=inet:127.0.0.1:8891
    ../..

The public IP address has a dedicated smtpd on port 25 (MX) acting as a proxy for amavisd-new running as a before-queue content filter. It does not do opendkim signing, and neither does the backend (after-queue) smtpd on port 10025.

Looks like it's compatible with your proposal. But I don't understand the usefulness of the MTA directive in opendkim.conf and milter_macro_daemon_name=MLM-SUBMISSION. If network flows are segregated, is it still useful?

Thanks,
Patrick
Received on Thu Jan 29 2015 - 13:45:42 PST
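
Added example, not part of the original message or of Postfix/OpenDKIM: a small audit that reads master.cf and reports which smtpd listeners hand mail to a milter and under which milter_macro_daemon_name, so the "only sign on chosen input channels" layout discussed above can be checked. The function names, the sample entries and the port 10024 are constructed for illustration; only the `-o name=value` override form is handled.

```python
import re

# Constructed sample: listeners like those in this thread (port 10024 is a placeholder).
MASTER_CF = """\
smtp inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
localhost:submission inet n - - - - smtpd
    -o milter_macro_daemon_name=MLM-SUBMISSION
    -o smtpd_milters=${opendkim_signer}
127.0.0.1:smtp inet n - n - 5 smtpd
    -o smtpd_milters=inet:127.0.0.1:8891
"""
MAIN_CF = {"opendkim_signer": "inet:localhost:12345"}  # constructed main.cf values

def parse_master(text):
    """Return {"service/type": {"_command": cmd, param: value}} per master.cf entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():              # leading whitespace continues the entry
            tokens = raw.split() if current is not None else []
        else:                             # 7 columns, then command, then arguments
            fields = raw.split()
            current = services.setdefault(f"{fields[0]}/{fields[1]}", {})
            current["_command"] = fields[7]
            tokens = fields[8:]
        it = iter(tokens)
        for tok in it:
            if tok == "-o":               # "-o name=value" per-listener override
                name, _, value = next(it, "").partition("=")
                current[name] = value
    return services

def expand(value, main_cf):
    """Resolve $name / ${name} references against main.cf values."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: main_cf.get(m.group(1), m.group(0)), value)

def milter_listeners(master_text, main_cf):
    """Map smtpd listeners with milters -> (milters, daemon name or None if not overridden)."""
    report = {}
    for svc, opts in parse_master(master_text).items():
        milters = expand(opts.get("smtpd_milters", main_cf.get("smtpd_milters", "")), main_cf)
        if opts["_command"] == "smtpd" and milters:
            report[svc] = (milters, opts.get("milter_macro_daemon_name"))
    return report

if __name__ == "__main__":
    print(milter_listeners(MASTER_CF, MAIN_CF))
```

A listener missing from the report passes no mail to a milter; one reported with `None` uses whatever milter_macro_daemon_name main.cf or the Postfix default provides.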
