postfix-users May 2014 archive
postfix-users: RE: Getting DKIM to work with Mailman and Postfix

From: Marius Gologan <marius.gologan_at_nospam>
Date: Mon May 05 2014 - 19:39:57 GMT
To: "'James B. Byrne'" <byrnejb@harte-lyne.ca>, "'Postfix users'" <postfix-users@postfix.org>

I prefer amavis instead of opendkim as a personal choice. You could run a
simpler test machine and see all applicable cases. Some are not.

What I've sent is applicable when amavisd-new is used after-queue, not
before-queue.

Incoming messages from the Internet cannot be signed, since you cannot publish
your public key on someone's domain. Only the owner can authorize your
machine to send emails for those domains.
Hence, @domain and IP are related.

If mailman has limited technicalities, send the message back to a reliable
machine, such as Postfix, and sign the outgoing message.
If the message appears as from @gmail.com or @yahoo.com, there is no point in DKIM.

Marius.

-----Original Message-----
From: James B. Byrne [mailto:byrnejb@harte-lyne.ca]
Sent: Monday, May 5, 2014 9:46 PM
To: Postfix users
Cc: Marius Gologan
Subject: RE: Getting DKIM to work with Mailman and Postfix

On Mon, May 5, 2014 14:29, Marius Gologan wrote:
> I've noticed you are using amavisd-new. It can easily sign your messages.
>
> I'm showing what I use:
>
> cat /etc/amavis/conf.d/22-dkim
> use strict;
>
> $enable_dkim_signing = 1;
>
> dkim_key('domain1.com', 'dkim', '/path/to/domain1.com-dkim.key.pem');
> @dkim_signature_options_bysender_maps = (
> { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
> @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
> 192.168.0.0/16 ); # list your internal networks
>
> 1; # ensure a defined return
>
>
> Generate certificate:
> amavisd-new genrsa /path/to/domain1.com-dkim.key.pem 2048
>
>
> Show the formatted value for DNS TXT record:
> amavisd-new showkeys domain1.com
>
>
> Marius.

Forgive me if I do not understand what you are trying to convey. We already
have Postfix DKIM correctly signing emails originating in our domains and
passing through our outgoing smtp gateway. The problem is that mail that
comes to that host destined for a Mailman mailing list is not being signed
when it is forwarded out again. That is what I want to have fixed.

I am not sure of anything but at the moment my belief is that the Mailman
forwarded mail is not being processed by OpenDKIM because of this entry in
master.cf:

# Before-queue Amavis after-filter processing
# Receive amavis re-injection and do no other checks
#
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
. . .
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,
    -->> no_milters, <<-- no_address_mappings

Just a guess mind you. However, I am not yet desperate enough to play
around with this without some informed guidance on the matter.

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
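
An added example, not part of either poster's message or of Postfix: a small Python check that joins master.cf continuation lines and lists the smtpd listeners whose receive_override_options include no_milters, the option highlighted in the excerpt above. The sample master.cf is constructed, and its port-25 entry with the milter address is an assumption.

```python
# Constructed sample master.cf modeled on the re-injection listener quoted
# above; the port-25 entry and its milter address are assumptions.
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
    -o smtpd_milters=inet:127.0.0.1:8891
# amavis re-injection
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
"""

def logical_lines(text):
    """Yield master.cf logical lines; a line starting with whitespace continues the previous one."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current

def parse_services(text):
    """Return (service, command, overrides) per entry; overrides maps each -o name to its value."""
    services = []
    for line in logical_lines(text):
        fields = line.split()  # does not handle the "{ name = value }" form of newer Postfix
        if len(fields) < 8:
            continue  # not a complete service entry
        args, overrides = fields[8:], {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = setting.partition("=")
                overrides[name] = value
        services.append((fields[0], fields[7], overrides))
    return services

def listeners_skipping_milters(text):
    """Names of smtpd listeners whose receive_override_options include no_milters."""
    return [name for name, command, overrides in parse_services(text)
            if command == "smtpd"
            and "no_milters" in overrides.get("receive_override_options", "").split(",")]

if __name__ == "__main__":
    for name in listeners_skipping_milters(SAMPLE_MASTER_CF):
        print(f"{name}: milters (e.g. a DKIM signing milter) are not applied on this listener")
```
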