On 11/26/2018 08:40 AM, Scott Kitterman wrote:
On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote:
On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:
On Nov 26, 2018, at 8:44 AM, Alice Wonder <al...@domblogger.net> wrote:
I realize it would mean mail sent by the host itself via sendmail command
is not DKIM signed but I'm not really worried about that.
It appears that when e-mail is sent from a user to a mail list that is
set up in a way to break DKIM (as many are), the mail from the list to
the user that comes in via the MX on port 25 then gets signed again even
though it was technically sent by the list and not the user.
That itself probably isn't bad but I still don't like the idea of DKIM
signing happening on mail that comes in on port 25 even if the From:
header matches.>
With DKIM, you typically arrange to *verify* email that comes in on port
25, and sign email that originates locally or comes in on 587.
On dedicated relays whose port 25 traffic is outbound, you'd also sign
port
25 traffic.
The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the
master.cf submission service (commented out by default) is to inform the
milter that mail arriving on that port is outbound.
Okay I see that and will uncomment. Thank you.
I'll have to look again at the OpenDKIM conf/documentation to see how to
make sure it only signs with that flag as it seems to be signing
anything where the From: matches the Domain = pattern regardless of
originating or incoming now.
See MacroList in opendkim.conf (5) [1].
Scott K
[1] http://www.opendkim.org/opendkim.conf.5.html
Thank you! That clarifies it.
