On Mon, Feb 01, 2021 at 10:21:32PM +0100, Gerben Wierda wrote:

> What I suspect here is that DKIM is the problem. As trivial-rewrite
> changes the message, the DKIM signature is no longer valid. @gmail.com
> reports the fail (spf is OK) but delivers anyway. Office365 is more
> strict it seems.

Indeed DKIM signing needs to happen after all the header rewrites.  This
requires a dual instance Postfix configuration, with rewriting in the
input instance, which then sends all mail to the output instance for
signing, but via more than one transport, some of which have
recipient-domain-specific smtp_generic_maps.

If you still want to play this game, and use DKIM, see

    http://www.postfix.org/MULTI_INSTANCE_README.html

Basically you get to run two MTAs without having to operate two separate
O/S installations on two machines.

> So it works, but it breaks DKIM, because DKIM happens before the rewrite?
> 
> So, suppose I want to do a sender rewrite that survives the DKIM
> generation? (I’m using rspamd for that). Probably solve this in
> Rspamd, right?

That's not possible, you just need to sign south of the rewrites.

-- 
    Viktor.
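
Why the ordering matters, as an added example (not code from this thread, Postfix or rspamd): a simplified signer over RFC 6376 relaxed-canonicalized headers, run before and after a From: rewrite. The HMAC stand-in for the real DKIM signature, the key, the sample message, the map and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"        # assumption: stand-in for the signing key
SIGNED = ("from", "to", "subject")   # constructed h= list of signed headers

def relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization (section 3.4.2)."""
    value = re.sub(r"\r\n", "", value)             # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return f"{name.lower().strip()}:{value}\r\n"

def signed_data(headers):
    """Canonicalized headers named in SIGNED, chosen bottom-up (body hash omitted)."""
    picked = []
    for wanted in SIGNED:
        match = next((h for h in reversed(headers) if h[0].lower() == wanted), None)
        if match:
            picked.append(relaxed(*match))
    return "".join(picked).encode()

def sign(headers):
    # HMAC-SHA256 replaces the RSA/Ed25519 signature purely for illustration.
    return hmac.new(KEY, signed_data(headers), hashlib.sha256).hexdigest()

def verify(headers, signature):
    return hmac.compare_digest(sign(headers), signature)

def rewrite_sender(headers, generic_map):
    """Simplified smtp_generic_maps-style rewrite of the From: address."""
    def fix(value):
        for old, new in generic_map.items():
            value = value.replace(old, new)
        return value
    return [(n, fix(v) if n.lower() == "from" else v) for n, v in headers]

def sign_then_rewrite(headers, generic_map):
    sig = sign(headers)                            # signer runs before rewriting
    return verify(rewrite_sender(headers, generic_map), sig)

def rewrite_then_sign(headers, generic_map):
    rewritten = rewrite_sender(headers, generic_map)
    return verify(rewritten, sign(rewritten))      # signer runs after rewriting

# Constructed sample message and map.
MSG = [("From", "User <user@internal.example>"),
       ("To", "rcpt@example.org"), ("Subject", "test   message")]
GENERIC = {"user@internal.example": "user@public.example"}
```

Relaxed canonicalization absorbs refolding and whitespace changes, but not a changed address, so only the rewrite-then-sign order verifies.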
