On Mon, 2021-05-10 at 16:35 +0200, Harald Dunkel wrote:
> On 5/10/21 3:14 PM, Martijn van Duren wrote:
> > There's filter-dkimsign in packages, which is also mentioned in
> > smtpd.conf. I don't think there's a more lightweight solution
> > possible.
> > 
> 
> I had found your web site https://palant.info/2020/11/09/adding-\
> dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned
> building opensmtpd-filter-dkimsign from "some Dutch web server".
> I didn't expect a package.

palant.info is not my website, but yes: I'm some Dutch guy doing some
self hosting for some of my code. I don't see the problem in that.

Also, support for multiple domains landed in my repository in
August 2020 and got released in September, so the article was already
outdated when published.
> 
> Actually I am running my major MTA with sendmail, still. The
> problem in this configuration is, the opendkim milter is called
> before masquerading is done. opendkim signs a header that is
> modified by sendmail later. (There are some workarounds, but they
> are unreliable.)
> 
> Is there a similar pitfall for opensmtpd-filter-dkimsign and
> opensmtpd?

Unfortunately the data goes through the filter before it goes through
the masquerade, so you either need to write a masquerade filter and
use that instead of smtpd's internal masquerade feature and you can
put that filter before the filter-dkimsign via chaining, or you need
to reroute the data over a loopback connection; similar to how
dkim signing was previously suggested:
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
Personally I'd like to see a more elaborate senders/masquerade
functionality in filters at some point, but I haven't found the time
and proper inspiration to do so myself yet.

If you want to debug your dkim signatures you can add 1 or 2 -z flags
to filter-dkimsign, so that the headers at the time of signing are
placed inside the dkim header.

Hope this helps.

martijn@
> 
> 
> Regards
> Harri
> 
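
One way to use the -z debugging tip from the reply above, added here as an example and not code from filter-dkimsign or from either poster: it compares the headers recorded at signing time with the headers on the delivered message and reports which ones changed afterwards (for instance through masquerading). It assumes the copied headers appear in the z= tag of the DKIM-Signature header as RFC 6376 defines it; the sample message and addresses are constructed.

```python
import re
from email import message_from_string

def parse_tags(dkim_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def decode_dkim_qp(text):
    """Decode dkim-quoted-printable: drop folding whitespace, expand =XX."""
    text = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def copied_headers(dkim_value):
    """Headers recorded in z= at signing time, as {lowercased name: value}."""
    copied = {}
    for field in parse_tags(dkim_value).get("z", "").split("|"):
        if ":" in field:
            name, value = field.split(":", 1)
            copied[decode_dkim_qp(name).lower()] = decode_dkim_qp(value)
    return copied

def relaxed(value):
    """Unfold and collapse whitespace, as relaxed canonicalization would."""
    return re.sub(r"\s+", " ", value).strip()

def changed_after_signing(raw_message):
    """Map each header that differs from its z= copy to (signed, received)."""
    msg = message_from_string(raw_message)
    diffs = {}
    for name, signed in copied_headers(msg["DKIM-Signature"]).items():
        received = msg.get(name)
        if received is None or relaxed(received) != relaxed(signed):
            diffs[name] = (relaxed(signed), received and relaxed(received))
    return diffs

# Constructed sample: From was rewritten from host1.example.org to example.org
# after signing; bh= and b= are placeholders, no signature is verified here.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER;\n"
    "\tz=From:alice@host1.example.org|To:bob@example.net|\n"
    "\t Subject:test=20message\n"
    "From: alice@example.org\nTo: bob@example.net\nSubject: test message\n\nbody\n"
)
```

Calling `changed_after_signing(SAMPLE)` returns only the `from` entry, which is the header a verifier would hash differently from the signer.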


