On Mon, May 09, 2022 at 03:03:42PM -0400, Wietse Venema wrote:
> > - I don't quickly have an example of bad things that can happen
> > with Milter inspection of Postfix-generated mail. That doesn't mean
> > that such bad things don't exist.
>
> So, with that caveat you can turn on DKIM signing of bounce messages.

Bounces to external domains are "backscatter", and should ideally be
rather rare, in so far as recipient validation should reject most if not
all inbound mail that is undeliverable *before* it is accepted into the
Postfix queue.

That said, if quotas are in place, or some other issue prevents delivery
for a valid recipient, the occasional bounce may take place.

There is a modest risk that the bounced content may contain spam or
malware, and so it is not ideal to impute your site's reputation to
such content by adding a DKIM signature.

A reasonable work-around on an inbound MTA is to configure Postfix
to bounce only the headers, dropping all other message content:

    bounce_size_limit = 1

With that, the returned message carries at most a spammy subject...

--
Viktor.