On 9 November 2011 00:48, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 11/8/2011 10:35 PM, Simon Brereton wrote:
>> On 8 November 2011 15:30, Wietse Venema <wie...@porcupine.org>
>> wrote:
>>> Simon Brereton:
>>>> On 4 November 2011 15:49, Simon Brereton
>>>> <simon.brere...@buongiorno.com> wrote:
>>>>> Hi
>>>>>
>>>>> Amavis checks both incoming and outgoing mail. DKIMPROXY
>>>>> signs outgoing mail (sadly, before Amavis, so amavis
>>>>> verifies the signature - but I'm okay with that for now)
>>>>> on the submission port.
>>>>>
>>>>> Mail that is injected (i.e. from CRON, applications,
>>>>> etc), still passes through amavis (obviously) but doesn't
>>>>> get signed. I would like to sign those mails as well.
>>>>>
>>>>> As I was writing this, it occurred to me that the way to
>>>>> do that is to add the content filter in master.cf
>>>>>
>>>>>   -o content_filter=dksign:[127.0.0.1]:10028
>>>>>
>>>>> I think I need to add that to the pickup line - is that
>>>>> correct? If not, where do I add it so that mails that
>>>>> are injected are added?
>>>>
>>>> Well in the absence of any one telling me not to be stupid,
>>>> I went ahead and tried that.  It wasn't a miserable
>>>> failure, but it didn't do anything.
>>>
>>> First, you can add -o content_filter to the pickup daemon
>>> only if your content filter is based on SMTP otherwise you
>>> get an infinite loop.
>>>
>>> Second, you need to add the same -o content_filter
>>> information as with the smtpd line.  There is nothing magical
>>> about filters, except perhaps that DKIMPROXY expects to see
>>> message headers that the pickup daemon cannot provide.
>>>
>>> Wietse
>>>
>>>> If anyone has any pointers on how to do this (or if you'd
>>>> like to tell me it's not possible and why) that would be
>>>> great.
>>
>>
>> I don't think this is your fault - but that went completely
>> over my level of smtp understanding.
>>
>> Putting the content filter in the pickup (exactly as it is
>> in the smtpd) doesn't appear to do anything.  But then I expect
>> that's related to your comment about the content-filter being
>> based on smtp.. I don't get an infinite loop.  I don't get
>> anything.
>>
>> I think I'll have to wait until I start running separate
>> amavis/postfix processes to figure this out.
>>
>> Simon
>
>
> I think you should spend 15 minutes to get amavisd-new to do your
> DKIM signing and drop dkimproxy.  Better performance, simpler
> setup, one less critical component in the mail path.  See the
> amavisd-new release notes and docs for further info.
>


Noel, you're almost always right - but I'm so proud of my dkim setup :)

Probably this is in the documentation, but since amavis checks ALL
mail (incoming and outgoing) doesn't that mean it would try to sign
incoming mail?

Actually that can't be right.  Most people use amavis to check
outgoing mail only, so for it to do dkim signing it must be able to
tell what's going in and what's going out.

I'll RTFM.

Simon
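
Added example, not written by anyone in this thread: an amavisd.conf fragment for the approach Noel suggests, showing the two ways amavisd-new marks mail as originating, which is the only mail it signs. The domain, selector, key path, the 192.0.2.0/24 network, port 10026 and the Postfix transport name "amavis" are assumptions.

```perl
# amavisd.conf fragment (the file is Perl). Every value below is a
# constructed placeholder; substitute your own domain, selector and paths.

$enable_dkim_verification = 1;  # verify signatures on any mail that carries one
$enable_dkim_signing      = 1;  # sign, but only mail flagged "originating"

# dkim_key(signing domain, selector, private key file).
# The key file must be readable by the amavis user only.
dkim_key('example.com', 'mail', '/var/lib/amavis/dkim/example.com.mail.pem');

# Way 1: client address. Postfix passes the original client IP to amavisd
# through XFORWARD; a match against @mynetworks sets the originating flag.
# Mail arriving from any other address is treated as incoming: it is
# verified but never signed.
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );

# Way 2: dedicated listener. Mail handed to port 10026 is originating by
# definition, whatever the client address. Assumed Postfix side: the
# submission service in master.cf carries
#   -o content_filter=amavis:[127.0.0.1]:10026
# while everything else keeps using 10024.
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,   # enables DKIM signing for this listener
};
```

amavisd's `showkeys` and `testkeys` subcommands print and check the DNS TXT record that matches the configured key.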
