mouss wrote:
kemas wrote:
mouss wrote:
kemas wrote:
Hi All,
Can someone shed some light on this?
I followed http://www.ijs.si/software/amavisd/amavisd-new-docs.html
about DKIM signing.
The doc says the same can be achieved with dkimproxy, but I
googled around and still can't figure out how to make it work
like that.
Perhaps I'm doing something damn wrong here; please point it out.
My setup is postfix 2.5.5 with amavisd-new 2.6.1
External mail -----------> smtp:10024 ---------------> smtp:10025
- external mail comes in
- it is caught by the postfix content filter and sent to amavis on port 10024,
- enters the External policy bank, which does some work
- and goes to port 10025 for reinjection into postfix
Internal mail -----------> smtp:10026 ---------------->
dkimproxy_out:4445 ----------> smtp:10027
- internal mail comes in and is sent to amavis on port 10026
- enters the 10026 policy bank, which does some work
- goes to dkimproxy_out on port 4445
- then dkimproxy reinjects the mail back into postfix on port 10027
did I break anything?
looks ok to me. an alternative is to do signing in amavisd-new (thus
not needing dkimproxy anymore). this is up to you.
could you please give me a hint on how to do that?
# turn on DKIM signing in amavisd-new (amavisd.conf is Perl)
$enable_dkim_signing = 1;
# private key used to sign mail from example.com, published under 'yourselector'
dkim_key('example.com', 'yourselector',
'/path/to/key.pem', c => 'relaxed/simple');
# policy bank for mail originating from your own users (the port 10026 path)
$policy_bank{'ORIGINATING'} = {
...
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
}
check amavisd-new RELEASE NOTES for more.
this looks better, cleaner and simpler, no more extra smtp hop.
is there any caveat?
which one is better, with or without dkimproxy?
it's really up to you:
- if you do it in amavisd-new, you avoid one smtp hop, you don't need
to configure/watch/maintain/... dkimproxy.
easy life
- if you do it in dkimproxy, you can sign mail even if you skip
amavisd-new (although this seems unnecessary as you can simply add
another port to disable whatever scanning you don't want in such case)
you opened my eyes
just be careful if you modify mail after it was signed. For example,
if you use smtp_generic_maps to modify From headers. There is no
simple solution to this (because you want to do generic before
signing, but you only want to do generic if the message will be
forwarded via smtp later!)
mouss, would you please give me an example?
I don't 100% understand what you mean..
If you don't use smtp_generic_maps to rewrite headers, there should be
no problem.
guess you're right. I'm not using smtp_generic_maps right now (yet..).
thanks mouss
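As an added example, not part of the thread and not code from amavisd-new or dkimproxy: the canonicalization and hashing stage of RFC 6376 for c=relaxed/simple, the setting in mouss's amavisd-new snippet, written out in Python. It makes mouss's caveat concrete by showing what the signer commits to, so it is obvious which post-signing changes break the signature (an smtp_generic_maps rewrite of From:, a body footer added later) and which do not (a header refolded by an MTA, trailing blank lines). The RSA step over the final header hash is left out since the hash is what changes; the domain example.com and selector yourselector are taken from the snippet, the timestamp, the messages and the footer text are constructed.

```python
"""Added example: RFC 6376 canonicalization/hashing for c=relaxed/simple.
Not amavisd-new or dkimproxy code; messages below are constructed."""
import base64
import hashlib
import re

CRLF = b"\r\n"


def split_message(msg: bytes):
    """Return (header fields, body); folded continuation lines stay with
    their field. Assumes CRLF line endings, as on the wire."""
    head, _, body = msg.partition(CRLF + CRLF)
    fields = []
    for line in head.split(CRLF):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += CRLF + line   # continuation of a folded field
        else:
            fields.append(line)
    return fields, body


def canon_header_relaxed(field: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse runs of WSP to
    one space, strip WSP around the value and next to the colon."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"[ \t]+", b" ", value.replace(CRLF, b"")).strip()
    return name.strip().lower() + b":" + value


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    return body if body.endswith(CRLF) else body + CRLF


def select_headers(fields, names):
    """Pick the fields listed in h=, bottom-most unused instance of each
    name first (RFC 6376 5.4.2)."""
    chosen, used = [], set()
    for name in names:
        want = name.lower().encode()
        for i in range(len(fields) - 1, -1, -1):
            if i not in used and fields[i].split(b":", 1)[0].strip().lower() == want:
                chosen.append(fields[i])
                used.add(i)
                break
    return chosen


def dkim_hash_input(msg: bytes, domain: str, selector: str,
                    signed_headers=("From", "To", "Subject", "Date"),
                    timestamp=1230000000):
    """Return (bh, header_hash_hex). bh is the base64 body hash placed in the
    DKIM-Signature field; header_hash_hex is SHA-256 over the canonicalized
    signed headers plus the signature field itself with b= empty, i.e. the
    value a real signer would RSA-sign. Timestamp is a hypothetical constant."""
    fields, body = split_message(msg)
    bh = base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest())
    sig_field = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d="
                 + domain.encode() + b"; s=" + selector.encode()
                 + b"; t=" + str(timestamp).encode()
                 + b"; h=" + ":".join(signed_headers).encode()
                 + b"; bh=" + bh + b"; b=")
    data = b"".join(canon_header_relaxed(f) + CRLF
                    for f in select_headers(fields, signed_headers))
    data += canon_header_relaxed(sig_field)   # no trailing CRLF on this one
    return bh.decode(), hashlib.sha256(data).hexdigest()


def survives(original: bytes, modified: bytes, **kw):
    """(body hash unchanged, header hash unchanged) between two copies of a
    message; the signature still verifies only if both are True."""
    a = dkim_hash_input(original, "example.com", "yourselector", **kw)
    b = dkim_hash_input(modified, "example.com", "yourselector", **kw)
    return a[0] == b[0], a[1] == b[1]


# Constructed message, as it would leave the internal (port 10026) path.
ORIGINAL = (
    b"From: Alice <alice@lan.example.com>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: DKIM test\r\n"
    b"Date: Mon, 22 Dec 2008 10:00:00 +0100\r\n"
    b"\r\n"
    b"Hello Bob,\r\nthis is the signed body.\r\n"
)
# smtp_generic_maps-style rewrite of a signed header, applied after signing.
FROM_REWRITTEN = ORIGINAL.replace(b"alice@lan.example.com", b"alice@example.com")
# Transport-level changes that relaxed/simple tolerates.
REFOLDED = ORIGINAL.replace(b"Subject: DKIM test", b"Subject:   DKIM\r\n\ttest")
TRAILING_BLANKS = ORIGINAL + CRLF + CRLF
# A body footer appended after signing (constructed text).
FOOTER_ADDED = ORIGINAL + b"-- \r\nScanned by the gateway.\r\n"

if __name__ == "__main__":
    for label, variant in [("From rewritten", FROM_REWRITTEN), ("refolded", REFOLDED),
                           ("trailing blank lines", TRAILING_BLANKS),
                           ("footer added", FOOTER_ADDED)]:
        body_ok, hdr_ok = survives(ORIGINAL, variant)
        print(f"{label:22s} body hash ok={body_ok}  header hash ok={hdr_ok}")
```

The From: rewrite leaves bh= alone but changes the header hash, which is exactly why a generic map applied after signing breaks verification; refolding and trailing blank lines are normalized away by relaxed/simple; and a body footer breaks both hashes, because bh= is itself part of the signed header data.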