> On Nov 26, 2018, at 8:44 AM, Alice Wonder <al...@domblogger.net> wrote:
>
> I realize it would mean mail sent by the host itself via the sendmail command is
> not DKIM signed, but I'm not really worried about that.
>
> It appears that when e-mail is sent from a user to a mail list that is set up
> in a way to break DKIM (as many are), the mail from the list to the user that
> comes in via the MX on port 25 then gets signed again, even though it was
> technically sent by the list and not the user.
>
> That itself probably isn't bad, but I still don't like the idea of DKIM
> signing happening on mail that comes in on port 25, even if the From: header
> matches.
With DKIM, you typically arrange to *verify* email that comes in on port 25, and sign email that originates locally or comes in on 587. On dedicated relays whose port 25 traffic is outbound, you'd also sign port 25 traffic.

The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the master.cf submission service (commented out by default) is to inform the milter that mail arriving on that port is outbound.

-- 
Viktor.
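An added illustration of the split Viktor describes (not from either poster): the master.cf submission service tells the milter its mail is outbound, and the milter signs only such mail while verifying everything else. It assumes OpenDKIM as the milter, listening on localhost:8891, and that OpenDKIM's MTA directive is matched against the daemon_name macro Postfix sends; the domain, selector and key path are placeholders.

```conf
# --- /etc/postfix/master.cf (assumed layout; port 587 submission service) ---
# The milter_macro_daemon_name override is what marks this traffic as
# outbound for the milter. The plain port 25 smtpd service has no such
# override, so the milter sees the default daemon name there and only verifies.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# --- /etc/postfix/main.cf ---
# Apply the milter to SMTP-received mail (ports 25 and 587). Leaving
# non_smtpd_milters unset means mail injected locally via the sendmail
# command is neither signed nor verified, which is the trade-off Alice
# mentioned above.
smtpd_milters = inet:localhost:8891
milter_default_action = accept

# --- /etc/opendkim.conf (assumption: OpenDKIM is the milter in use) ---
# "sv": verify every message, sign only those that qualify.
Mode            sv
Domain          example.com
Selector        mail2018
KeyFile         /etc/opendkim/keys/example.com/mail2018.private
# Assumed: sign only when the daemon name Postfix sent is ORIGINATING,
# i.e. mail from the submission service. Inbound port 25 mail, including
# list traffic that still carries a local From: header, is not re-signed.
MTA             ORIGINATING
```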