Matt Kinni:
> I have opendkim configured via 'smtpd_milters' to sign all outbound
> mail, and my domain publishes a "quarantine" dmarc record to enforce the
> consequences of this.
>
> I recently discovered that MAILER-DAEMON messages generated by postfix
> itself bypass this setup and do /not/ get signed, which unfortunately
> results in legitimate DSNs being filtered into the sender's spam/junk
> mail folder due to the dmarc policy (I confirmed this with gmail).
>
> After doing some research, I learned that dkim signing can be forced for
> postfix's internally generated mails by setting 'non_smtpd_milters' in
> conjunction with 'internal_mail_filter_classes=bounce', however the
> manpage for the latter parameter has this cautionary message:
> >
> > NOTE: It's generally not safe to enable content inspection of
> Postfix-generated email messages. The user is warned.
> >
>
> So I'm not sure what the best practice is here; postfix tries hard to
> prevent being a source of backscatter and thus outbound DSN messages
> should be rare, but in the event a legitimate bounce does need to be
> sent out, I'd like it to not end up in the sender's spam folder. On the
> other hand, miltering mailer-deamon messages adds a point of failure to
> a privileged message class that should always be expected to succeed,
> which I imagine is why the manpage discourages it.
It's generally not safe, because Postix cannot prevent loops when,
for example,
- header_body_checks issues a FILTER action. Mail would loop between
Postfix and the content filter until the number of Received: headers
exceeds the hopcount_limit setting (default: 50).
- I don't quickly have an example of bad things that can happen
with Milter inspection of Postfix-generated mail. That doesn't mean
that such bad things don't exist.
Wietse
