* Michael <p...@nettrust.co.nz>:
> In reference to the following page:
> http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
>
> it includes the following:
>
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o receive_override_options=no_address_mappings
>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
> However, I do not send emails from my desktop using port 587; I use port 25 as
> standard.
>
> How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
> manner where only OUTBOUND emails are passed through DKIM proxy, and not
> incoming emails? Yes, I am well aware that SMTP does not draw a distinction
> between the 2, but I am thinking there must be a way, or do I have to send
> emails via a port other than 25 to achieve this?
I am using amavisd-new for DKIM signing (I was using it anyway, so I saw no potential gain in including another piece of software, e.g. dkimproxy, into the toolchain). Using a custom package, one can match for a header line which states that the mail was received by one's own MTA using SMTP AUTH (RFC 3848).

So the first step is to define a new policy bank in amavisd-new:

#v+
$policy_bank{'MINI-SUBMISSION'} = {
    originating => 1,
};
#v-

Then add a custom script loading this policy bank (this example will match "mail.incertum.net". Code base contributed by Alexander Wirt, bad PCRE is my fault, not his):

#v+
package Amavis::Custom;
use strict;

BEGIN {
    import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
    import Amavis::Util qw(do_log untaint safe_encode safe_decode);
    import Amavis::rfc2821_2822_Tools;
    import Amavis::Notify qw(build_mime_entity);
}

sub new {
    my ($class, $conn, $msginfo) = @_;
    my ($self) = bless {}, $class;
    my $sasl_owned = 0;

    # Look for a Received: header added by our own MTA whose "with" keyword
    # (RFC 3848) records that the client used SMTP AUTH: ESMTPA or ESMTPSA.
    foreach my $orig (@{$msginfo->{'orig_header'}}) {
        my $line = $orig;               # work on a copy; foreach aliases the array element
        $line =~ s/\n[ \t]/ /g;         # undo header folding (continuation lines)
        $sasl_owned = 1
            if $line =~ m/^Received:.*\bby mail\.incertum\.net\b.*\bwith ESMTPS?A\b/i;
    }

    if ($sasl_owned) {
        do_log(2, "Load SASL policy bank");
        Amavis::load_policy_bank('MINI-SUBMISSION');
    }
    return $self;
}

1;  # ensure a defined return
#v-

This way, offering AUTH on port 25, one could offer "MX and submission services" within one Postfix instance.

I _think_ (and I'm really not 100% sure if this would work) another possibility would be to use a feature introduced with Postfix 2.7, namely sender_dependent_default_transport_maps. You could define a transport which passes all mail to the DKIM proxy. The proxy itself would have to reinject the mails to a dedicated smtpd(8) clone, defined in master.cf, with an empty sender_dependent_default_transport_maps (or at least one which doesn't include the entry for your DKIM proxy). Then populate the map referenced in sender_dependent_default_transport_maps with all the domains you want to sign.
As I said, this might be a bad idea.

> On this topic has anyone found a good DKIM signing solution that will work
> with multiple domains?

I don't understand that question. You can only sign domains for which you have the private key.

Stefan
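The header test from the reply above, carried one step further as an added example (not the post's amavisd code and not part of amavisd-new): a standalone Python check that unfolds the headers and, unlike the post's any-Received-line match, trusts only the topmost Received: field, the one the local MTA itself prepended, so a trace field that arrived with an inbound message cannot by itself turn on signing. The hostname mail.incertum.net is taken from the post; the sample messages are constructed.

```python
import re

AUTH_WITH = ("ESMTPA", "ESMTPSA")  # RFC 3848 keywords: SMTP AUTH succeeded on this hop
MY_MTA = "mail.incertum.net"       # hostname from the post; change to your own


def received_trace(raw):
    """Received: field bodies of a raw message, topmost (newest) first,
    with RFC 5322 folding (line break + SP/HTAB) undone."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return [f.split(":", 1)[1].strip() for f in fields
            if f.lower().startswith("received:")]


def auth_hop(my_mta):
    """Regex for 'by <my_mta> ... with ESMTPA|ESMTPSA' in one Received: body."""
    return re.compile(r"\bby\s+" + re.escape(my_mta) + r"(?![\w.-]).*?\bwith\s+(?:"
                      + "|".join(AUTH_WITH) + r")(?!\w)", re.I)


def any_hop_claims_auth(raw, my_mta=MY_MTA):
    """The post's test: any Received: field that matches is enough."""
    return any(auth_hop(my_mta).search(hop) for hop in received_trace(raw))


def submitted_with_auth(raw, my_mta=MY_MTA):
    """Stricter: only the topmost field, the one our MTA just prepended, may
    vouch for SMTP AUTH; older trace fields arrived with the message."""
    trace = received_trace(raw)
    return bool(trace) and auth_hop(my_mta).search(trace[0]) is not None


# Constructed sample messages (hosts, addresses and queue ids are made up).
AUTH_SUBMISSION = (
    "Received: from laptop.example (unknown [192.0.2.10])\r\n"
    "\tby mail.incertum.net (Postfix) with ESMTPSA id 4F2C1\r\n"
    "From: alice@incertum.net\r\n\r\nbody\r\n")
# Inbound, unauthenticated delivery carrying a sender-supplied field that claims an authenticated hop.
FORGED_TRACE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.2])\r\n"
    "\tby mail.incertum.net (Postfix) with ESMTP id 7A9B3\r\n"
    "Received: from evil.example by mail.incertum.net with ESMTPA id x\r\n"
    "From: alice@incertum.net\r\n\r\nbody\r\n")
```

For the first message both checks say "sign"; for the second the post's any-line match would sign it while the topmost-field check does not.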