On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:
On Nov 26, 2018, at 8:44 AM, Alice Wonder <al...@domblogger.net> wrote:
I realize it would mean mail sent by the host itself via sendmail command is
not DKIM signed but I'm not really worried about that.
It appears that when e-mail is sent from a user to a mail list that is set up
in a way to break DKIM (as many are), the mail from the list to the user that
comes in via the MX on port 25 then gets signed again even though it was
technically sent by the list and not the user.
That itself probably isn't bad but I still don't like the idea of DKIM signing
happening on mail that comes in on port 25 even if the From: header matches.
With DKIM, you typically arrange to *verify* email that comes in on port 25,
and sign email that originates locally or comes in on 587.
On dedicated relays whose port 25 traffic is outbound, you'd also sign port
25 traffic.
The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the master.cf
submission service (commented out by default) is to inform the milter that
mail arriving on that port is outbound.
Okay I see that and will uncomment. Thank you.
I'll have to look again at the OpenDKIM conf/documentation to see how to
make sure it only signs with that flag as it seems to be signing
anything where the From: matches the Domain = pattern regardless of
originating or incoming now.
