On 8/9/2012 9:51 AM, Viktor Dukhovni wrote:
> On Thu, Aug 09, 2012 at 09:28:57AM -0400, Deeztek.com Support wrote:
>> I have the following setup:
>> Postfix, Amavisd-new and an email encryption gateway called djigzo
>> integrated into the same system:
>> Email flow is as follows:
>> Postfix--->10021--->Amavis--->10022---->Postfix---->10025---->Djigzo---->10026---->Postfix---->25---->Internet
>> Postfix injects email to Amavis on port 10021. Amavis reinjects on
>> port 10022 and then Postfix injects to the Djigzo SMTP server for
>> S/MIME encryption on port 10025 which in turn reinjects on port
>> 10026.
> Use multiple Postfix instances.
> http://www.postfix.org/MULTI_INSTANCE_README.html
> configure DKIM signing only in the final output Postfix instance
> that is behind the S/MIME proxy.
> Also consider eliminating the middle Postfix from the mail flow.
> You only need a queue between two content filters if one of them
> is CPU intensive and low latency (so you want low concurrency) and
> the other CPU-light and high latency (waits for lots of remote DNS
> lookups, ...) so you want high concurrency. Otherwise, you can just
> configure Amavis to send directly to the S/MIME proxy at the same
> concurrency (the default is 20 which is the
> <transport>_destination_concurrency_limit
> for the content-filter transport), you can tune this to match your
> requirements provided it matches the concurrency supported by
> the proxy.
So what you are saying is, instead of having amavis reinject back to
Postfix on 10022, to have it inject directly to the s/mime gateway on
port 10025 and then the s/mime gateway reinject back to postfix on
10026? All the s/mime gateway is a custom implementation of the java
james smtp.
Is multiple postfix instances the absolute best way to handle this? It
seems complicated. If it is, then that's what it is. I guess, part of
what I am asking is this. Since the DKIM signing happens with a
smtpd_milter directive in the main.cf file I assume that's the very
first thing that happens before the email is even sent to amavis for
processing (correct me if I'm wrong), can it instead be set up in the
master.cf file after the s/mime configuration or something along those
lines? I can attach the master.cf configuration if necessary to get a
clear idea.
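
An added example, not part of the thread and not code from Postfix or its authors: a small audit that reads a master.cf and reports which smtpd listeners end up with a milter attached, to confirm that a signing milter applies only on the listener behind the S/MIME gateway (port 10026). It assumes a single-instance layout that uses per-service "-o smtpd_milters=" overrides rather than the multi-instance layout recommended above; the sample master.cf, the milter address and the helper names are constructed for illustration.

```python
import shlex

# Constructed sample. Ports 25/10022/10026 follow the flow in the thread; the
# milter address inet:127.0.0.1:8891 and the filter nexthop are assumptions.
MASTER_CF = """\
smtp             inet n - n - - smtpd
127.0.0.1:10022  inet n - n - - smtpd
  -o content_filter=smtp:[127.0.0.1]:10025
127.0.0.1:10026  inet n - n - - smtpd
  -o content_filter=
  -o smtpd_milters=inet:127.0.0.1:8891
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_milters_by_service(master_cf, main_default=""):
    """Map each smtpd listener to its effective smtpd_milters value.

    main_default stands for the smtpd_milters value set in main.cf.
    """
    result = {}
    for line in logical_lines(master_cf):
        fields = shlex.split(line)
        # service type private unpriv chroot wakeup maxproc command args...
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        effective = main_default
        args = fields[8:]
        for i, arg in enumerate(args[:-1]):
            name, _, value = args[i + 1].partition("=")
            if arg == "-o" and name == "smtpd_milters":
                effective = value  # the last override on the line wins
        result[fields[0]] = effective
    return result

def signing_listeners(master_cf, main_default=""):
    """Listeners whose mail would be passed to a milter."""
    by_service = smtpd_milters_by_service(master_cf, main_default)
    return sorted(svc for svc, milters in by_service.items() if milters)

if __name__ == "__main__":
    print(signing_listeners(MASTER_CF))
```

Passing the milter as main_default models a main.cf that sets smtpd_milters globally: every listener without its own override then inherits it, including port 25 and the 10022 reinjection port.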