On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote:
> On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:
> >> On Nov 26, 2018, at 8:44 AM, Alice Wonder <al...@domblogger.net> wrote:
> >>
> >> I realize it would mean mail sent by the host itself via the sendmail command
> >> is not DKIM signed, but I'm not really worried about that.
> >>
> >> It appears that when e-mail is sent from a user to a mail list that is
> >> set up in a way to break DKIM (as many are), the mail from the list to
> >> the user that comes in via the MX on port 25 then gets signed again even
> >> though it was technically sent by the list and not the user.
> >>
> >> That itself probably isn't bad, but I still don't like the idea of DKIM
> >> signing happening on mail that comes in on port 25 even if the From:
> >> header matches.
> >
> > With DKIM, you typically arrange to *verify* email that comes in on port
> > 25, and sign email that originates locally or comes in on 587.
> >
> > On dedicated relays whose port 25 traffic is outbound, you'd also sign
> > port 25 traffic.
> >
> > The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the
> > master.cf submission service (commented out by default) is to inform the
> > milter that mail arriving on that port is outbound.
>
> Okay, I see that and will uncomment. Thank you.
>
> I'll have to look again at the OpenDKIM conf/documentation to see how to
> make sure it only signs with that flag, as it seems to be signing
> anything where the From: matches the Domain = pattern regardless of
> originating or incoming now.
See MacroList in opendkim.conf(5) [1].

Scott K

[1] http://www.opendkim.org/opendkim.conf.5.html
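An added worked example, not part of the thread and not taken from the Postfix or OpenDKIM projects: the two configuration fragments the replies above describe, put side by side. Postfix marks mail accepted on the submission port as outbound by setting the {daemon_name} milter macro to ORIGINATING, and OpenDKIM's MacroList tells it to treat a message as signable only when that macro carries that value. The domain, selector, key path and milter socket are placeholders.

```text
# --- /etc/postfix/master.cf (fragment) -------------------------------------
# Port 25 (the MX) is left untouched: {daemon_name} keeps its default value
# ($myhostname), so OpenDKIM sees nothing that marks the mail as outbound
# and only verifies.
smtp       inet  n       -       y       -       -       smtpd

# Port 587: authenticated users inject mail here, so tell the milter this
# traffic is originating.  The last -o line is the one that ships commented
# out in the stock master.cf.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# --- /etc/postfix/main.cf (fragment) ---------------------------------------
# Socket is a placeholder; it must match the Socket line in opendkim.conf.
smtpd_milters         = inet:127.0.0.1:8891
non_smtpd_milters     = $smtpd_milters
milter_default_action = accept

# --- /etc/opendkim.conf (fragment) -----------------------------------------
Mode        sv                      # s = sign outbound, v = verify inbound
Socket      inet:8891@127.0.0.1     # placeholder, same as smtpd_milters above
Domain      example.com             # placeholder
Selector    default                 # placeholder
KeyFile     /etc/opendkim/keys/example.com/default.private   # placeholder

# Sign only when the MTA has told us the message is outbound.  The macro
# name is given without the braces Postfix uses ({daemon_name}); matching
# on the value is case-sensitive.
MacroList   daemon_name=ORIGINATING
```

Two things to check after applying this. First, mail injected with the sendmail(1) command does not pass through the submission service, so it never gets the ORIGINATING macro and will go out unsigned, which is the trade-off the original poster said they accept. Second, MacroList gives OpenDKIM one more reason to sign; in my reading of opendkim.conf(5) it does not stop signing of sources OpenDKIM already considers internal, so if port-25 mail is still being signed afterwards, look at what InternalHosts covers (verify this against the documentation of the OpenDKIM version in use).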