On Wed, Dec 20, 2023 at 03:21:03PM +0000, Linkcheck via Postfix-users wrote:
>
> > How does your milter decide which messages to sign?  Does it perhaps
> > look for:
> >
> >     milter_macro_daemon_name=ORIGINATING
>
> I originally had this in place but could find no reason for it online nor
> any sufficient reason to use it, so I removed it, with no apparent change in
> performance.

It is a clear signal to milters that the message is being handled by a
(presumably authenticated) submission service, and, in the case of a DKIM
milter, should then be DKIM *signed* rather than *verified*.

My question still stands, how do you expect your OpenDKIM milter to
know which messages should be signed, and which should be verified.

If you have users connecting to your MSA from random external IP
addresses, there's no way to know, if the SUBMIT service and the
(inbound) SMTP service use the same (bidirectional) DKIM milter.

> It was in use on the old server but no sign of a macro it could refer
> to. I have now replaced it but am unsure what to do to satisfy its
> inclusion.

From the stock "opendkim.conf":

    ##  MacroList macro[=value][,...]
    ##
    ##  Gives a set of MTA-provided macros which should be checked to see
    ##  if the sender has been determined to be a local user and therefore
    ##  whether or not signing should be done.  See opendkim.conf(5) for
    ##  more information.

    # MacroList foo=bar,baz=blivit

And in:

    https://linux.die.net/man/5/opendkim.conf

    MacroList (dataset)
        Defines a set of MTA-provided macros that should be checked to
        see if the sender has been determined to be a local user and
        therefore whether or not the message should be signed. If a
        value is specified matching a macro name in the data set, the
        value of the macro must match a value specified (matching is
        case-sensitive), otherwise the macro must be defined but may
        contain any value. The set is empty by default, meaning macros
        are not considered when making the sign-verify decision.

        The general format of the value is value1[|value2[|...]]; if
        one or more value is defined then the macro must be set to one
        of the listed values, otherwise the macro must be set but can
        contain any value.

        In order for the macro and its value to be available to the
        filter for checking, the MTA must send it during the protocol
        exchange. This is either accomplished via manual configuration
        of the MTA to send the desired macros or, for MTA/filter
        combinations that support the feature, the filter can request
        those macros that are of interest. The latter is a feature
        negotiated at the time the filter receives a connection from
        the MTA and its availability depends upon the version of milter
        used to compile the filter and the version of the MTA making
        the connection.

        This data set must be of type "file" or "csl".

> > which should then be set for the submission service in master.cf?  Or
> > does it have a set of client IP CIDR blocks that it considers internal?
>
> No CIDR that I'm aware of. How do I implement this, please?

You still haven't been sufficiently clear on whether your submission
users are all internal to your network and signing can be IP-based, or
whether they are roaming and authenticate via SASL, in which case an MSA
macro is the only way to go.

> > "postconf -Mf" output
>
> My apologies. I was unaware of the f switch.

Perhaps the instructions at "DEBUG_README.html#mail" could be updated to
suggest "postconf -nf" and "postconf -Mf", now that all supported
versions of Postfix have had "-f" for some years.

-- 
    Viktor.
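
The sign-or-verify decision discussed in the message above, as an added example that is not part of the original message and is not OpenDKIM's code. It models only the two signals the message mentions (a MacroList match and internal CIDR blocks); the function names, the rule that any one matching entry suffices, macro names written without braces, and all addresses and host names are assumptions made for illustration.

```python
import ipaddress

def parse_macro_list(spec):
    """Parse 'macro[=value][,...]', where value is 'value1[|value2[|...]]'."""
    rules = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        name, sep, values = item.partition("=")
        # None means: the macro must be defined, but any value is accepted.
        rules[name.strip("{}")] = set(values.split("|")) if sep else None
    return rules

def macro_says_local(rules, mta_macros):
    """True if the MTA sent a listed macro with an accepted value."""
    for name, allowed in rules.items():
        value = mta_macros.get(name)
        if value is None:
            continue  # the MTA did not send this macro for the session
        if allowed is None or value in allowed:  # case-sensitive comparison
            return True
    return False

def decide(rules, mta_macros, client_ip, internal_nets=()):
    """Return 'sign' or 'verify' for one message (simplified model)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in internal_nets):
        return "sign"  # IP-based signing: the client is on an internal network
    # An empty rule set means macros play no part in the decision.
    return "sign" if macro_says_local(rules, mta_macros) else "verify"

# Constructed sessions. The submission service is assumed to run with
# "-o milter_macro_daemon_name=ORIGINATING"; the inbound value is made up.
SUBMISSION = {"daemon_name": "ORIGINATING"}
INBOUND = {"daemon_name": "mx.example.org"}
ROAMING_IP = "203.0.113.25"  # constructed external client address

if __name__ == "__main__":
    rules = parse_macro_list("daemon_name=ORIGINATING")
    for label, macros in (("submission", SUBMISSION), ("inbound", INBOUND)):
        print(label, "with MacroList:", decide(rules, macros, ROAMING_IP))
        print(label, "without MacroList:", decide({}, macros, ROAMING_IP))
```

In this model a roaming client on the submission service is only signed when the macro is both sent by the MTA and listed in the filter; with an empty list both services fall through to "verify".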