On Fri, May 31, 2024 at 06:22:03PM -0700, Brandon Long via mailop wrote:
> There's also nothing to prevent you from DKIM signing your bounce messages.
This can be a bit more complicated with, e.g., Postfix, because Postfix
tries to avoid potentially fragile content processing of bounces, so
in particular milters (often used to perform DKIM signing) don't get
to pre-process bounces by default.
http://www.postfix.org/postconf.5.html#internal_mail_filter_classes
The most robust option (possibly inconvenient for senders who regret not
saving a copy of a sent message) is to configure "header only" bounces:
bounce_size_limit = 1
internal_mail_filter_classes = bounce
and with that, enable bounce content inspection, because just the
message headers (as "text/rfc822-headers" content) are much less likely
to be rejected by milters.
In a multi-instance Postfix configuration, with a separate instance
handling outbound mail, DKIM signing would be done by the outbound
instance, while bounces would be generated in the inbound instance
and relayed to the outbound one for delivery, where the message is
no longer "internally generated", and also milters are less likely
to have aggressive filtering.
And, of course, as noted upthread, always best to avoid bounces as much
as possible, reject, rather than accept and then bounce.
--
Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
