Andreas,

> First, emails only arrive with a dkim-signature if I do add the
> following to the amavis config:
> $interface_policy{'10024'} = 'DKIM_ALWAYS';
> $policy_bank{'DKIM_ALWAYS'} = {
>   originating => 1,
> };

Yes, as documented, the 'originating' flag must be on to enable signing (and additionally, a signing key corresponding to a sender address must be available).

How you turn on the 'originating' flag is up to you. An implicit way is through a client's IP address matching @mynetworks, an explicit way is through a policy bank. How you trigger loading of a suitable policy bank depends on a mail flow topology / on MTA configuration. Typically a policy bank is attached to a TCP port number, but can also be loaded by a custom hook for more tricky needs.

> but amavis doesn't do authentication if I send mail from
> m...@onedomain.de to m...@otherdomain.de probably because both are on
> the same machine.

Depends on how you have an MTA set up. Are you sure mail is passing through amavisd at all when sending from a host itself to a local user? How is your content_filter Postfix setting applied: globally, or per postfix service, or by a FILTER option in a Postfix access table?

> if I do send myself a mail from google mail to m...@onedomain.de amavis
> does authenticate it and append the "Authentication-Results" Header with
> the passed authentication info.

Now you are talking about DKIM verification. Amavisd either signs or verifies a signature, but not both for the same mail passage.

> I would like to make amavis to do that for mails from one local domain
> to another also, is this possible?

Possible. The key issues for signing by amavisd are to have the 'originating' flag on, and a signing key matching the From address available. See:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path

for some ideas.

If all your users are within your networks, then the setup is easy, the correct setting of @mynetworks suffices to get the 'originating' flag set.

Otherwise, if some of your users are outside and are using some sort of SMTP authentication to submit mail, you need to configure Postfix to pass originating mail to amavisd on a separate port, to distinguish it from incoming mail. Attaching different content_filter Postfix options to different Postfix smtpd services (or using a separate MTA instance dedicated to mail submission) is the cleanest solution. A more messy solution is to fiddle with the FILTER option in Postfix access tables, like using some access table in smtpd_sender_restrictions.

If you are not sure why some signing does not take place, turn up amavisd logging to level 2 or more, and search the log for " dkim: "

Mark
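The dual-port arrangement described in the reply above, as an added example that is not part of the original message or of the amavisd documentation. Port 10026, the bank name ORIGINATING, the smtp-amavis transport name, the selector and the key paths are assumptions; the amavisd.conf part is Perl, with the matching Postfix side shown in comments.

```perl
# --- amavisd.conf fragment (constructed example) ---------------------------

$enable_dkim_verification = 1;  # verify signatures on mail that is NOT originating
$enable_dkim_signing      = 1;  # sign mail that carries the 'originating' flag

# Two listening ports, so the port itself tells amavisd which way mail flows:
#   10024 = mail arriving from the Internet  -> verified, never signed
#   10026 = mail submitted by our own users  -> signed, not verified
$inet_socket_port = [10024, 10026];

# Attach the policy bank to the submission-side port only. Attaching
# 'originating => 1' to 10024 (as in the quoted config) marks every message on
# that port as originating, including inbound mail, and since amavisd either
# signs or verifies on one passage, such mail is no longer verified.
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
};

# A signing key must match the domain of the From address, so every local
# domain that should be signed needs its own entry.
# Arguments: domain, selector, private key file (selector and paths assumed).
dkim_key('onedomain.de',   'sel1', '/var/lib/amavis/dkim/onedomain.de.pem');
dkim_key('otherdomain.de', 'sel1', '/var/lib/amavis/dkim/otherdomain.de.pem');

# Level 2 or more makes signing decisions visible; search the log for " dkim: ".
$log_level = 2;

# --- Postfix side, for reference (not Perl; transport name assumed) --------
#
# main.cf: default filter for inbound mail
#   content_filter = smtp-amavis:[127.0.0.1]:10024
#
# master.cf: authenticated submission overrides the filter with the
# originating port
#   submission inet n - n - - smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#     -o content_filter=smtp-amavis:[127.0.0.1]:10026

1;  # amavisd.conf must end with a true value
```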