I have a working Postfix server (2.8.11) that accepts incoming mail on a
Unix socket, on localhost, and on my local network. It also listens on
port 587 for authenticated (SASL) users and on port 25 for mail from the WAN.
I installed dkimproxy (dkimproxy.sourceforge.net) so I can sign my
outgoing mail, and I have it working after a fashion. Correctly, I am not
signing anything that comes in from the internet on port 25. But I am
signing everything that comes in on all the other sockets/ports, even when
the final destination is a local or virtual mailbox. This is clearly unnecessary,
but I cannot figure out how to sign only those emails that are not being
delivered locally or virtually.
Here is the relevant piece of master.cf:
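# Default outbound delivery transport (Postfix smtp client).
smtp unix - - n - - smtp
# Loopback listener for local MUAs/scripts.
# content_filter is a per-listener setting: every message accepted on this
# service is handed to dksign, whether its recipients are remote, local or
# virtual. The listener has no knowledge of the final destination, which is
# why local/virtual mail submitted here is signed as well.
127.0.0.1:smtp inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
# LAN clients
# NOTE(review): smtp_bind_address is an smtp *client* parameter; on an smtpd
# service it has no effect and can be dropped.
10.0.1.128:smtp inet n - n - - smtpd
  -o myhostname=maila.office
  -o smtp_bind_address=10.0.1.128
  -o content_filter=dksign:[127.0.0.1]:10027
# Authenticated clients from the WAN (submission): TLS is mandatory and only
# SASL-authenticated clients may submit.
# FIX: the client-restriction override was spelled "smptd_client_restrictions";
# Postfix does not recognise the misspelt name, so that override was silently
# ignored and the service relied on smtpd_recipient_restrictions alone to turn
# away unauthenticated clients. Corrected to smtpd_client_restrictions.
<public IP>:587 inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# General, unauthenticated mail from the WAN (no relaying permitted).
# No restriction override here, so relay policy comes from main.cf or the
# Postfix 2.8 defaults (permit_mynetworks, reject_unauth_destination); mail
# goes through amavis rather than dksign, i.e. inbound mail is not signed.
<public IP>:smtp inet n - n - - smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
# Mail to be DKIM signed via content_filter: an smtp client that hands each
# message to dkimproxy.out on 127.0.0.1:10027 (maxproc 4 caps concurrent
# connections to the proxy). XFORWARD passes the original client identity
# through; STARTTLS and 8BITMIME are not negotiated on this loopback hop.
# NOTE(review): dkimproxy.out re-injects the signed message into a separate
# smtpd listener (not shown in this excerpt); that listener must not set
# content_filter again, or mail would loop back into dksign.
dksign unix - - n - 4 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls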
And the output of `postconf -n`:
# Non-default main.cf settings (postconf -n).
# NOTE(review): no smtpd_*_restrictions appear here, so any listener that does
# not override them in master.cf (loopback, LAN and the <public IP>:smtp
# service) runs with the Postfix 2.8 defaults, i.e. smtpd_recipient_restrictions
# = permit_mynetworks, reject_unauth_destination -- relaying only from
# mynetworks. Confirm nothing outside this excerpt overrides that.
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_privs = nobody
mail_owner = postfix
mydomain = mydomain.com
myhostname = host.mydomain.com
# Hosts trusted by permit_mynetworks: loopback and the office LAN.
mynetworks = 127.0.0.0/24 10.0.1.0/24
setgid_group = maildrop
# Global source address for outbound smtp client connections.
smtp_bind_address = <public IP>
smtp_sasl_mechanism_filter = plain
# Opportunistic TLS for outbound delivery: encrypt when the peer offers
# STARTTLS, otherwise fall back to plaintext (no certificate verification).
smtp_tls_security_level = may
smtpd_reject_unlisted_recipient = yes
# NOTE(review): this enables AUTH on every smtpd, including the
# <public IP>:smtp (port 25) listener, which does not override it in
# master.cf. smtpd_tls_auth_only below means it is only offered after
# STARTTLS. If AUTH is meant to be submission-only, set this to "no" here
# and keep the -o smtpd_sasl_auth_enable=yes override on the 587 service.
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
# Refuse anonymous SASL mechanisms.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CApath = /etc/postfix/certs/
# Advertise AUTH only inside a TLS session so credentials never cross in clear.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/maila-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/maila-key.pem
smtpd_tls_received_header = yes
# One logical line below; it was wrapped by the mail client in this post.
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
# Virtual domains, mailboxes and uid/gid lookups come from PostgreSQL; mail for
# virtual domains is handed to the maildrop transport.
virtual_alias_maps = pgsql:/etc/postfix/pg_virtual.cf
virtual_gid_maps = pgsql:/etc/postfix/pg_gids.cf
virtual_mailbox_base = /var/spool/vmail/
virtual_mailbox_domains = pgsql:/etc/postfix/pg_domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = pgsql:/etc/postfix/pg_mailbox.cf
virtual_transport = maildrop
virtual_uid_maps = pgsql:/etc/postfix/pg_uids.cf
Lynn
--
Lynn Dobbs
Chief Technical Officer
CreditLink Corporation