Hello,
OpenDKIM bases its decision whether mail can be signed on, among other
things, the connecting IP. However, this only works if there has been no
SMTP relay or proxy prior to the mail reaching the milter. If there has
been, OpenDKIM sees the IP address of the relay/proxy and treats it as
"trusted". This leads to it signing some incoming mail (if the From:
has been forged to use my domain name).
My setup for incoming smtpd mail currently has proxsmtp acting as an
SMTP proxy - this scans mail using bogofilter.
Setup:
Incoming mail -> postfix (25) -> proxsmtp (10025) -> postfix
(10026) + opendkim milter -> cleanup, queue, etc.
XFORWARD is verified to be working through proxsmtp - this is confirmed
in the log files which show Postfix giving the correct "orig_client"
value right through to queuing. I have verified that OpenDKIM is basing
its decision to sign based on the client IP being 127.0.0.1 (it's coming
from the proxy).
Questions:
1. When Postfix sends the {client_addr} macro to the milter, is that
the originating client from XFORWARD? Can it send that?
2. If not, is there any other way to provide a macro to the milter,
that contains the originating client ID from XFORWARD?
3. Is there an alternative solution to my problem that does not involve
removing the SMTP proxy, or using Amavisd-milter (I'm on low memory)?
Surely people who use secondary MX servers encounter this same issue,
because the secondary MX relays to the first and OpenDKIM would see its
IP address instead of the connecting client?
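An added illustration of the decision the post describes, written for this reply and not taken from OpenDKIM's code: the milter consults `{client_addr}` against an InternalHosts-style list, so a forged-From message arriving via the local proxy (or a secondary MX in the list) is treated as "sign" rather than "verify". The `orig_client` key and the `trust_xforward` variant are hypothetical, included only to show what would change if the XFORWARD client were available; the address list is constructed.

```python
import ipaddress

# Constructed InternalHosts-style list (CIDR/IP form only; the real file
# also accepts hostnames, which this simplified model omits).
INTERNAL_HOSTS = ["127.0.0.1", "::1", "192.0.2.0/24"]


def parse_internal_hosts(entries):
    """Turn InternalHosts-style entries into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_internal(client_addr, nets):
    """True if client_addr falls inside any configured internal network."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in n for n in nets)


def signing_decision(macros, nets, trust_xforward=False):
    """Return 'sign' or 'verify' for one connection.

    macros: milter macros as the MTA presents them ({client_addr} is real;
    'orig_client' is a hypothetical key standing in for the XFORWARD value).
    trust_xforward=False mirrors the behaviour the post describes: only
    {client_addr} is consulted, so a relay/proxy address masks the origin.
    """
    addr = macros["{client_addr}"]
    if trust_xforward and macros.get("orig_client"):
        addr = macros["orig_client"]
    return "sign" if is_internal(addr, nets) else "verify"


NETS = parse_internal_hosts(INTERNAL_HOSTS)

# Direct connection from an outside host: verified, not signed.
DIRECT = {"{client_addr}": "203.0.113.5"}
# Same outside host, but reaching the milter through proxsmtp on localhost.
VIA_PROXY = {"{client_addr}": "127.0.0.1", "orig_client": "203.0.113.5"}
# Outside host relayed by a secondary MX that sits inside InternalHosts.
VIA_SECONDARY_MX = {"{client_addr}": "192.0.2.10", "orig_client": "203.0.113.5"}

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via proxy", VIA_PROXY),
                    ("via secondary MX", VIA_SECONDARY_MX)]:
        print(f"{name:18s} {signing_decision(m, NETS):7s} "
              f"(with XFORWARD: {signing_decision(m, NETS, True)})")
```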