On 18 October 2011 13:52, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 10/18/2011 12:12 PM, Simon Brereton wrote:
>> Hi
>>
>> I expect that this is not recommended practice, but before I implemented 
>> DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I 
>> was happy with that.
>>
>> If I want Amavis to scan and rate the mail after dkim proxy has signed it, 
>> is that as simple as adding the content filter to the incoming socket? 
>> Currently when dkim returns the mail it looks like this (in master.cf)..
>>
>> ### local TCP socket for relay with dkimproxy.out
>> 127.0.0.1:10029 inet n - n - 10 smtpd
>>  -o content_filter=
>>  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>>  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>>  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>>
>> If I add smtp-amavis:[127.0.0.1]:10024 (as it is in my main.cf), will this 
>> pass it off to amavis to be scanned?
>
> that looks OK, but see below.
>
>
>>
>> Is there a good reason to not do this?  Is there a better way to do this?
>
> Yes and yes.  Rather than using dkim-proxy, I strongly recommend
> using the amavisd-new built-in DKIM signing and verifying.  If you
> can't use that for some reason, the other excellent choice is the
> OpenDKIM milter.  Using dkim-proxy is a distant third.
>
> Reasons include simpler setup and reliability.

Thanks Noel.  Clarity is not my strong point this week :(

I already use amavis to do the dkim checking on incoming mails.  I'm
using dkimproxy to sign outgoing mails (and I confess I only found out
about opendkim after I'd set it up, so I'm not keen to change it at
the moment - though of course, your vote carries significant weight.

What I was trying to do, and what you've confirmed works, and what
I've since tested is to get amavis to scan for spam/viruses on
outgoing mail.  Since I'm only using dkimproxy to sign outgoing mails
I can't have it sign them after they've been scanned by amavis
(although I admit this would make more sense), since I would have to
add the dkimproxy filter to the incoming amavis socket and then it
would try to sign mails it has no business signing.

Currently what I have - and I'm okay with it - is:

mail comes in on the submission port after auth and with enforced TLS.
It is passed to dkimproxy to sign.  Dkimproxy passes it to amavis to
check for spam/viri and then passes it back to postfix who sends it
out.

(The fact that doing it this way means that amavis verifies the
signature dkim JUST added is not optimal but acceptable).  The main
thing is that all outgoing mail (not just the ones clients or sendmail
submit on port 25) have X-Scanned-by headers and a spam rating.  I'm
aware some hosts will strip those and replace them with their own, but
I'd prefer they leave my site with them, than with not.

Cheers

Simon
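As an added illustration of the chain Simon describes (submission -> dkimproxy -> amavis -> back into Postfix), not part of the thread or either poster's config: a master.cf layout for that flow. The 10029 listener and the smtp-amavis:[127.0.0.1]:10024 filter are from the thread; the dkimproxy.out listen port (10027), the amavis return port (10025) and the transport names are assumptions that must match the local dkimproxy and amavisd-new configuration.

```text
# master.cf (added example; ports 10027 and 10025 are assumptions)

# 1. Authenticated submission: TLS enforced, SASL required, then hand the
#    message to dkimproxy.out for signing via a dedicated transport.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=dkimproxy:[127.0.0.1]:10027

# Transport to dkimproxy.out; XFORWARD passes the original client info
# along so later hops (amavis) see the real submitter, not 127.0.0.1.
dkimproxy unix -        -       n       -       -       smtp
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# 2. Re-injection from dkimproxy.out (the thread's 10029 listener). The
#    content_filter now points at amavis, so the signed message is scanned
#    before it leaves. Matches what Noel confirmed as OK.
127.0.0.1:10029 inet n  -       n       -       10      smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# 3. Transport that delivers to amavisd-new (standard amavis setup).
smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# 4. Return path from amavis. content_filter is cleared here so the message
#    is not sent through dkimproxy or amavis a second time (a mail loop).
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

Because the 10025 return listener is shared with the incoming-mail path, it must stay restricted to permit_mynetworks and keep an empty content_filter; otherwise inbound mail would also be pushed into the signing chain.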
