On 05.07.24 08:42, Gilgongo via Postfix-users wrote:
> I'm setting up a server to handle outbound mail for sasl auth accounts and
> would like to scan that mail for spam and malware before DKIM signing
> because I assume scanning might potentially add headers that could break
> the sig.
>
> Right now I have the following (extract) in my Amavis conf:
>
> $interface_policy{'10026'} = 'ORIGINATING';
> $policy_bank{'ORIGINATING'} = {
>   # forward to a smtpd service providing DKIM signing service
>   forward_method => 'smtp:[127.0.0.1]:10027',
>   notify_method => 'smtp:[127.0.0.1]:10025',
> };
>
> With master.cf as:
>
> submission inet n - n - - smtpd
>   ... configs...
>   -o content_filter=smtp-amavis:[127.0.0.1]:10026
> smtp-amavis unix - - n - 2 smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o disable_dns_lookups=yes
>   -o max_use=20
> # For sending notifications about actions
> 127.0.0.1:10025 inet n - n - - smtpd
>   -o syslog_name=notify
>   ....configs...
> # For OpenDKIM signing
> 127.0.0.1:10027 inet n - n - - smtpd
>   ... configs...
>   -o smtpd_milters=inet:127.0.0.1:8891
>
> So I assume DKIM should come last. But the logs imply the spam/virus check
> is done after?

I think in case of amavis it's just the order of logs being written.
IIUC amavis does not confirm receiving message from postfix until after it's
scanned and passed further, which is why new scanned message is logged
before

> postfix/cleanup[1685]: BB20880330: message-id=<20240705073351.001500@fre.localdomain>
> opendkim[700]: BB20880330: DKIM-Signature field added (s=dkim20200516, d=bakerbates.com)
> postfix/qmgr[1558]: BB20880330: from=<u...@domain.com>, size=945, nrcpt=1 (queue active)
> amavis[1563]: (01563-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [192.168.0.241]:51084 [etc.]
> postfix/smtp[1686]: 76C0C80266: to=<gilgongo@localdomain>, relay=127.0.0.1[127.0.0.1]:10026, [etc.]
> postfix/qmgr[1558]: 76C0C80266: removed

If you checked all logs of messages BB20880330 and 76C0C80266 and didn't
remove important parts, it should be visible that the order is:
- postfix handles incoming message 76C0C80266 from client to amavis at
[127.0.0.1]:10026
- amavis scans message and passes it to postfix at 127.0.0.1:10027
- postfix at 127.0.0.1:10027 receives message BB20880330 and passes it to
opendkim and other milters
- amavis logs status of message, including message ID sent by postfix, in
this case BB20880330
- postfix logs removing of message 76C0C80266
- ...
BTW, amavis can DKIM-sign the message itself.

> Unfortunately, I can't tell whether the DKIM sig is OK or not in my test
> setup, but I'd like to ensure it's the last thing to happen before sending.
> How can I do that?

Deliver it to mailbox locally and run spamassassin scan, it should tell you
whether the signature is correct.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
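
Added example (not part of the original thread, and not Postfix or amavis code): a small log audit that follows a message across the two queue IDs discussed above and reports whether OpenDKIM signed the copy that came back from amavis. The sample log is constructed; the "queued as" status text, the addresses and the final relay are assumptions, and port 10026 is taken from the master.cf extract.

```python
import re

# Constructed sample modelled on the thread's excerpts (not real log data).
SAMPLE_LOG = """\
postfix/cleanup[1685]: BB20880330: message-id=<20240705073351.001500@fre.localdomain>
opendkim[700]: BB20880330: DKIM-Signature field added (s=dkim20200516, d=example.com)
postfix/qmgr[1558]: BB20880330: from=<user@example.com>, size=945, nrcpt=1 (queue active)
amavis[1563]: (01563-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [192.168.0.241]:51084
postfix/smtp[1686]: 76C0C80266: to=<rcpt@example.net>, relay=127.0.0.1[127.0.0.1]:10026, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as BB20880330)
postfix/qmgr[1558]: 76C0C80266: removed
postfix/smtp[1690]: BB20880330: to=<rcpt@example.net>, relay=mx.example.net[203.0.113.5]:25, status=sent (250 2.0.0 Ok)
"""

FILTER_PORT = ":10026"  # amavis listener used as content_filter in the thread

# Hand-off to amavis: pre-filter queue ID -> queue ID of the re-injected copy.
HANDOFF = re.compile(r"postfix/smtp\[\d+\]: (\w+): .*relay=[^,]*:10026,.*queued as (\w+)\)")
SIGNED = re.compile(r"opendkim\[\d+\]: (\w+): DKIM-Signature field added")
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: (\w+): .*relay=([^,]+),")

def audit(log):
    """Map each pre-filter queue ID to the re-injected ID and a verdict."""
    signed, relays, handoff = set(), {}, {}
    for line in log.splitlines():
        if m := SIGNED.search(line):
            signed.add(m.group(1))
        if m := DELIVERY.search(line):
            relays.setdefault(m.group(1), []).append(m.group(2))
        if m := HANDOFF.search(line):
            handoff[m.group(1)] = m.group(2)
    result = {}
    for pre, post in handoff.items():
        if pre in signed:
            verdict = "signed-before-scan"      # signature predates the filter
        elif post not in signed:
            verdict = "unsigned"                # scanned copy never signed
        elif any(r.endswith(FILTER_PORT) for r in relays.get(post, [])):
            verdict = "filtered-after-signing"  # signed copy went back to amavis
        else:
            verdict = "scan-then-sign"          # the order the thread wants
        result[pre] = {"post": post, "verdict": verdict}
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The verdict relies on queue IDs and the hand-off line, not on the position of the lines in the file, so the amavis status line appearing after the opendkim line does not affect it.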