Thank you. Interesting possibilities & tech. I’m going to think this over, i.e. I think it will be easier in my case to create a special mail user for this in dovecot (drop the alias/rewrite-outgoing approach and use an extra mail account for these messages). But reading about multi instance postfix was interesting.

G

> On 1 Feb 2021, at 22:59, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Mon, Feb 01, 2021 at 10:21:32PM +0100, Gerben Wierda wrote:
>
>> What I suspect here is that DKIM is the problem. As trivial-rewrite
>> changes the message, the DKIM signature is no longer valid. @gmail.com
>> reports the fail (spf is OK) but delivers anyway. Office365 is more
>> strict it seems.
>
> Indeed DKIM signing needs to happen after all the header rewrites. This
> requires a dual instance Postfix configuration, with rewriting in the
> input instance, which then sends all mail to the output instance for
> signing, but via more than one transport, some of which have
> recipient-domain-specific smtp_generic_maps.
>
> If you still want to play this game, and use DKIM, see
>
> http://www.postfix.org/MULTI_INSTANCE_README.html
>
> Basically you get to run two MTAs without having to operate two separate
> O/S installations on two machines.
>
>> So it works, but it breaks DKIM, because DKIM happens before the rewrite?
>>
>> So, suppose I want to do a sender rewrite that survives the DKIM
>> generation? (I’m using rspamd for that). Probably solve this in
>> Rspamd, right?
>
> That's not possible, you just need to sign south of the rewrites.
>
> --
> Viktor.
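
Added example, not part of the original thread and not Postfix or rspamd code: a sketch of why the order discussed above matters, comparing the digest a DKIM signer computes over the signed headers with the digest a receiver recomputes. The sample headers, addresses and the `rewrite` helper are constructed stand-ins, and the signature step is reduced to the SHA-256 of the relaxed-canonicalized headers listed in `h=`.

```python
import hashlib
import re

# Constructed sample headers (not from the thread).
HEADERS = [
    ("From", "Alerts <alerts@internal.example.org>"),
    ("To", "someone@example.com"),
    ("Subject", "Nightly   report"),
]
SIGNED = ["from", "to", "subject"]  # the h= list of the DKIM-Signature
HOP = ("Received", "from out.example.org by mx.example.com")  # added in transit


def relaxed(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def header_digest(headers):
    """SHA-256 over the canonicalized headers listed in h=.

    Simplification: a real signer also hashes the DKIM-Signature header
    itself and signs the result with its private key; a changed digest is
    already enough for verification to fail.
    """
    remaining, data = list(headers), ""
    for wanted in SIGNED:
        for i in range(len(remaining) - 1, -1, -1):  # bottom-up, use once
            if remaining[i][0].lower() == wanted:
                data += relaxed(*remaining.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()


def rewrite(headers):
    """Hypothetical stand-in for a sender rewrite such as smtp_generic_maps."""
    return [(n, v.replace("internal.example.org", "example.org")) for n, v in headers]


def sign_then_rewrite():
    digest = header_digest(HEADERS)             # signer runs first
    delivered = [HOP] + rewrite(HEADERS)        # rewrite happens afterwards
    return header_digest(delivered) == digest   # what the receiver checks


def rewrite_then_sign():
    outgoing = rewrite(HEADERS)
    digest = header_digest(outgoing)            # signer sees the final headers
    return header_digest([HOP] + outgoing) == digest
```

The unsigned `Received` hop leaves the digest intact in both cases; only the change to the signed `From` header after signing makes the receiver's digest differ.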