mouss wrote:
> > So is there anyway we can achieve domainkeys authentication on port 25?
>
> smtpd_client_restrictions =
> check_client_access pcre:/etc/postfix/filter_outbound
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access pcre:/etc/postfix/filter_inbound
>
> == filter_outbound
> # pass to "outbound" filter
> /./ FILTER scan:[127.0.0.1]:10586
>
> == filter_inbound
> # pass to "inbound" filter
> /./ FILTER scan:[127.0.0.1]:10024
>
> if you wonder what that does:
> - if mail comes from mynetworks or is sasl authenticated, then it is
> passed to port 10586
> - otherwise, it is passed to port 10024
Right. Then on the amavisd-new side (amavisd.conf):
$inet_socket_port = [10024,10586];
$interface_policy{'10586'} = 'ORIGINATING';
$enable_dkim_signing = 1;
$enable_dkim_verification = 1;
dkim_key('example.org', 'myselector', '/var/db/dkim/mykey1.pem');
dkim_key('example.net', 'mysel2', '/var/db/dkim/mykey2.pem');
$policy_bank{'ORIGINATING'} = {  # mail originates from our users
  originating => 1,  # permits DKIM signing (among other things)
  # force MTA conversion to 7-bit before DKIM signing
  # to avoid later conversions, destroying signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
}
If you haven't already made DKIM signing keys, amavisd can
do it for you:
# amavisd genrsa /var/db/dkim/mykey1.pem
# amavisd genrsa /var/db/dkim/mykey2.pem
and after adding dkim_key() lines to amavisd.conf, show them in
a format directly suitable for inclusion into a DNS zone file:
# amavisd showkeys
and after updating DNS zone file and reloading zone:
# amavisd testkeys
Reload amavisd, all done. More in RELEASE_NOTES.
Mark
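A model of how the two halves above fit together, added here as an illustration rather than code from either poster: it walks mouss's smtpd_client_restrictions list the way smtpd evaluates it (a FILTER from an access map is remembered but does not end the list; permit_* ends it; the last FILTER seen wins) and then maps the chosen amavisd port to Mark's $interface_policy so you can see which clients end up in the ORIGINATING bank and get signed. The mynetworks ranges and client addresses are constructed sample values.

```python
import ipaddress

# Constructed model of the smtpd_client_restrictions list above. Each entry
# is (restriction, argument); for check_client_access the argument is the
# FILTER target from the pcre map, whose /./ pattern matches every client.
RESTRICTIONS = [
    ("check_client_access", "scan:[127.0.0.1]:10586"),  # filter_outbound
    ("permit_mynetworks", None),
    ("permit_sasl_authenticated", None),
    ("check_client_access", "scan:[127.0.0.1]:10024"),  # filter_inbound
]

# Sample mynetworks (constructed; substitute your own ranges).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# amavisd.conf side: $interface_policy{'10586'} = 'ORIGINATING'; port 10024
# stays in the default policy bank, so nothing arriving there is signed.
INTERFACE_POLICY = {"10586": "ORIGINATING"}


def choose_filter(client_ip, sasl_authenticated,
                  restrictions=RESTRICTIONS, mynetworks=MYNETWORKS):
    """Return the FILTER target smtpd would attach to this client's mail."""
    ip = ipaddress.ip_address(client_ip)
    selected = None
    for name, arg in restrictions:
        if name == "check_client_access":
            selected = arg          # remembered; evaluation continues
        elif name == "permit_mynetworks":
            if any(ip in net for net in mynetworks):
                return selected     # permit ends the list
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return selected
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return selected                 # end of list: implicit permit


def will_be_dkim_signed(filter_target):
    """True when the chosen amavisd port lands in the ORIGINATING bank."""
    port = filter_target.rsplit(":", 1)[1]
    return INTERFACE_POLICY.get(port) == "ORIGINATING"
```

Note that the first check_client_access matches everyone; only the permit_* steps stop the list before the inbound map overrides the FILTER target.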