From: Michael on
In reference to the following page:
http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

It includes the following:

submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject


However, I do not send emails from my desktop using port 587; I use port 25 as
standard.

How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
manner where only OUTBOUND emails are passed through DKIM proxy, and not
incoming emails? Yes, I am well aware that SMTP does not draw a distinction
between the 2, but I am thinking there must be a way, or do I have to send
emails via a port other than 25 to achieve this?

On this topic has anyone found a good DKIM signing solution that will work
with multiple domains?

From: Stefan Foerster on
* Michael <pfml(a)nettrust.co.nz>:
> In reference to the following page:
> http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
>
> It includes the following:
>
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o receive_override_options=no_address_mappings
>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
>
> However, I do not send emails from my desktop using port 587; I use port 25 as
> standard.
>
> How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
> manner where only OUTBOUND emails are passed through DKIM proxy, and not
> incoming emails? Yes, I am well aware that SMTP does not draw a distinction
> between the 2, but I am thinking there must be a way, or do I have to send
> emails via a port other than 25 to achieve this?

I am using amavisd-new for DKIM signing (I was using it anyways, so I
saw no potential gain in including another piece of software, e.g.
dkimproxy, into the toolchain). Using a custom package, one can match
for a header line which states that the mail was received by one's own
MTA using SMTP AUTH (RFC 3848). So the first step is to define a new
policy bank in amavisd-new:

#v+
$policy_bank{'MINI-SUBMISSION'} = {
    originating => 1,
};
#v-

Then add a custom script loading this policy bank (this example will
match "mail.incertum.net". Code base contributed by Alexander Wirt,
bad PCRE is my fault, not his):

#v+
package Amavis::Custom;
use strict;

BEGIN {
    import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
    import Amavis::Util qw(do_log untaint safe_encode safe_decode);
    import Amavis::rfc2821_2822_Tools;
    import Amavis::Notify qw(build_mime_entity);
}

sub new {
    my($class,$conn,$msginfo) = @_;
    my($self) = bless {}, $class;

    my $sasl_owned = 0;

    # Look through the original header lines for a Received: header
    # saying that our own MTA accepted the message with SMTP AUTH
    # (ESMTPA / ESMTPSA, RFC 3848). Work on a copy of each line so the
    # stored headers are not modified, and unfold continuation lines
    # before matching.
    foreach my $line (@{$msginfo->{'orig_header'}}) {
        my $h = $line;
        $h =~ s/\n[ \t]+/ /g;
        $sasl_owned = 1
            if $h =~ m/^Received:.*by mail\.incertum\.net.*with ESMTPS?A\b/i;
    }

    if ($sasl_owned) {
        do_log(2, "Load SASL policy bank");
        Amavis::load_policy_bank('MINI-SUBMISSION');
    }

    return $self;
}

1; # ensure a defined return
#v-

This way, offering AUTH on the port 25, one could offer "MX and
submission services" within one Postfix instance.

I _think_ (and I'm really not 100% sure if this would work) another
possibility would be to use a feature introduced with Postfix 2.7,
namely sender_dependent_default_transport_maps. You could define a
transport which passes all mail to the DKIM proxy. The proxy itself
would have to reinject the mails to a dedicated smtpd(8) clone,
defined in master.cf, with an empty sender_dependent_default_transport_maps
(or at least one which doesn't include the entry for your DKIM proxy).
Then populate the map referenced in sender_dependent_default_transport_maps
with all your domains you want to sign. As I said, this might be a bad
idea.

> On this topic has anyone found a good DKIM signing solution that will work
> with multiple domains?

I don't understand that question. You can only sign domains for which
you have the private key.


Stefan
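
The header check Stefan's module performs, as an added example in Python (it is
not part of this thread or of amavisd-new); it assumes a constructed hostname
mail.example.org and constructed sample headers. It differs from the Perl
above in one respect: it only trusts the topmost Received: header, the one the
local Postfix prepends before handing the message to the filter, since any
Received: line below that arrived inside the message and is not evidence of
SMTP AUTH at our MTA.

```python
import re

# Hostname of the MTA that hands mail to the content filter (constructed value).
MY_HOSTNAME = "mail.example.org"

# RFC 3848 "with" keywords that record a successful SMTP AUTH at that MTA.
AUTH_RECEIVED = re.compile(
    r"\bby\s+" + re.escape(MY_HOSTNAME) + r"\b.*\bwith\s+(?:ESMTPSA|ESMTPA)\b",
    re.IGNORECASE | re.DOTALL)

def unfold_headers(raw):
    """Join RFC 5322 continuation lines so each header is one logical line."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical

def is_authenticated_submission(raw_headers):
    """True only if the topmost Received: header (the one our own MTA
    prepended before handing the message over) shows ESMTPA/ESMTPSA.
    Received: lines further down were written by other hosts or by the
    sending client, so they are not evidence of authentication at our MTA."""
    received = [h for h in unfold_headers(raw_headers)
                if h.lower().startswith("received:")]
    return bool(received) and AUTH_RECEIVED.search(received[0]) is not None

def policy_bank_for(raw_headers):
    """Policy bank to load for this message, or None for the default bank."""
    return "MINI-SUBMISSION" if is_authenticated_submission(raw_headers) else None

# Constructed sample headers: an authenticated submission, and an inbound
# message whose only ESMTPSA line sits below the header our MTA added.
SUBMITTED = (
    "Received: from laptop.example.net (laptop.example.net [192.0.2.10])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4XyZ\n"
    "\tfor <friend@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: <user@example.org>\n"
    "Subject: hello\n")
INBOUND = (
    "Received: from mx.example.com (mx.example.com [198.51.100.5])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 5AbC\n"
    "\tfor <user@example.org>; Mon, 1 Jan 2024 11:00:00 +0000\n"
    "Received: from elsewhere by mail.example.org with ESMTPSA id 6DeF\n"
    "From: <friend@example.com>\n")
```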

From: Stefan Foerster on
* Stefan Foerster <cite+postfix-users(a)incertum.net>:
> I _think_ (and I'm really not 100% sure if this would work) another
> possibility would be to use a feature introduced with Postfix 2.7,
> namely sender_dependent_default_transport_maps. You could define a
> transport which passes all mail to the DKIM proxy. The proxy itself
> would have to reinject the mails to a dedicated smtpd(8) clone,
> defined in master.cf, with an empty sender_dependent_default_transport_maps
> (or at least one which doesn't include the entry for your DKIM proxy).
> Then populate the map referenced in sender_dependent_default_transport_maps
> with all your domains you want to sign. As I said, this might be a bad
> idea.

Bad idea. As stated in the release notes, sender_dependent_default_transport_maps
don't support the "nexthop" feature of a regular transport map entry.
You could try with sender_dependent_relayhost_maps, available as of
Postfix 2.3.


Stefan

From: mouss on
Michael wrote:
> In reference to the following page:
> http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
>
> It includes the following:
>
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=dksign:[127.0.0.1]:10027
>   -o receive_override_options=no_address_mappings
>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
>
> However, I do not send emails from my desktop using port 587; I use port 25 as
> standard.
>
> How could I include the line "-o content_filter=dksign:[127.0.0.1]:10027" in a
> manner where only OUTBOUND emails are passed through DKIM proxy, and not
> incoming emails? Yes, I am well aware that SMTP does not draw a distinction
> between the 2, but I am thinking there must be a way, or do I have to send
> emails via a port other than 25 to achieve this?
>

Better move to 587, which is the standard submission port.

If you insist (but once again, 587 is simpler and brings other
benefits), you can still use the FILTER statement in an access check:

smtpd_client_restrictions =
    check_client_access pcre:/etc/postfix/filter_trusted
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access pcre:/etc/postfix/filter_default


== filter_trusted
/./ FILTER filter:[127.0.0.1]:10586

== filter_default
/./ FILTER filter:[127.0.0.1]:10024

Note that with this, content_filter settings are unused.


> On this topic has anyone found a good DKIM signing solution that will work
> with multiple domains?

If you are not happy with dkim-proxy, you can try dkim-milter or
amavisd-new.