I started hosting my personal domain's email on 9front and wanted to sign my outgoing emails with a DKIM, so I wrote something in Go that reads a message from stdin and writes a DKIM signed version to stdout (https://github.com/driusan/dkim).
I was planning on using it in /mail/lib/remotemail by having the final "exec smtp [...]" replaced by " exec dkimsign [...] | upas/smtp [...]" and that works with marshal (if I ensure that I add all the headers that I'm signing manually), but not acme. >From what I can tell, acme always uses a From line of "From: localname" (overriding any that you manually specified), and expects upas/smtp to add in the domain, which is causing the signature to fail after smtp modifies the signed header. (marshal leaves any headers that you manually specify unmolested, so the signature is valid as long as you include a fully qualified From: line while writing the message.) Is there a better place/way to do the signing? Ideally I could sign it as the last thing it does before going out over the wire, but at the very least I need to sign it after expanding the addresses. (The standard says I also need to do the hashing before smtp dot stuffing, but I can take care of that with a flag on the Go side..) The best I can think of is some convoluted mix of "upas/smtp -f .domainname | dkimsign | [some script that undoes most of what upas/smtp -f did ] | upas/smtp", but I have a feeling I'm just missing some better place to do the signing from. - Dave