On 09/11/2011 16:43, Simon Brereton wrote:
> On 9 November 2011 00:48, Noel Jones <[email protected]> wrote:
>> On 11/8/2011 10:35 PM, Simon Brereton wrote:
>>> On 8 November 2011 15:30, Wietse Venema <[email protected]>
>>> wrote:
>>>> Simon Brereton:
>>>>> On 4 November 2011 15:49, Simon Brereton
>>>>> <[email protected]> wrote:
>>>>>> Hi
>>>>>>
>>>>>> Amavis checks both incoming and outgoing mail. DKIMPROXY
>>>>>> signs outgoing mail (sadly, before Amavis, so amavis
>>>>>> verifies the signature - but I'm okay with that for now)
>>>>>> on the submission port.
>>>>>>
>>>>>> Mail that is injected (i.e. from CRON, applications,
>>>>>> etc), still passes through amavis (obviously) but doesn't
>>>>>> get signed. I would like to sign those mails as well.
>>>>>>
>>>>>> As I was writing this, it occurred to me that the way to
>>>>>> do that is to add the content filter in master.cf
>>>>>>
>>>>>>   -o content_filter=dksign:[127.0.0.1]:10028
>>>>>>
>>>>>> I think I need to add that to the pickup line - is that
>>>>>> correct? If not, where do I add it so that mails that
>>>>>> are injected are added?
>>>>>
>>>>> Well in the absence of any one telling me not to be stupid,
>>>>> I went ahead and tried that. It wasn't a miserable
>>>>> failure, but it didn't do anything.
>>>>
>>>> First, you can add -o content_filter to the pickup daemon
>>>> only if your content filter is based on SMTP otherwise you
>>>> get an infinite loop.
>>>>
>>>> Second, you need to add the same -o content_filter
>>>> information as with the smtpd line. There is nothing magical
>>>> about filters, except perhaps that DKIMPROXY expects to see
>>>> message headers that the pickup daemon cannot provide.
>>>>
>>>> Wietse
>>>>
>>>>> If anyone has any pointers on how to do this (or if you'd
>>>>> like to tell me it's not possible and why) that would be
>>>>> great.
>>>
>>>
>>> I don't think this is your fault - but that went completely
>>> over my level of smtp understanding.
>>>
>>> Putting the content filter in the pickup (exactly as it is
>>> in the smtpd) doesn't appear to do anything. But then I expect
>>> that's related to your comment about the content-filter being
>>> based on smtp.. I don't get an infinite loop. I don't get
>>> anything.
>>>
>>> I think I'll have to wait until I start running separate
>>> amavis/postfix processes to figure this out.
>>>
>>> Simon
>>
>>
>> I think you should spend 15 minutes to get amavisd-new to do your
>> DKIM signing and drop dkimproxy. Better performance, simpler
>> setup, one less critical component in the mail path. See the
>> amavisd-new release notes and docs for further info.
>>
>
>
> Noel, you're almost always right - but I'm so proud of my dkim setup :)
>
> Probably this is in the documentation, but since amavis checks ALL
> mail (incoming and outgoing) doesn't that mean it would try to sign
> incoming mail?
>
> Actually that can't be right. Most people use amavis to check
> outgoing mail only, so for it to do dkim signing it must be able to
> tell what's going in and what's going out.
>
> I'll RTFM.
>

I haven't tried dkim-proxy in a long, long time.

- As Noel says, amavisd-new can do all that. Yes, you can tell it to
  sign what you want. It's easy to set up.

- As I prefer to separate functions, I use milter-dkim:

    KeyList /path/to/milter-dkim_keylist.conf

    #cat /path/to/milter-dkim_keylist.conf
    *:example.com:/path/to/privatekey
    ...
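
The question raised in the thread, how amavisd-new can sign outgoing mail without trying to sign incoming mail, comes down to its "originating" flag. The following amavisd.conf fragment is an added illustration, not configuration posted by anyone in the thread; the domain example.com, the selector name "mail", the key path and the port 10026 are assumptions.

```perl
# Added illustration, not from the thread. amavisd.conf is Perl.
# Assumptions: domain example.com, selector "mail", key path, port 10026.
use strict;

$enable_dkim_verification = 1;   # verify signatures on all mail seen
$enable_dkim_signing      = 1;   # sign only mail flagged as originating

# Signing key: domain, selector, private key file (PEM).
dkim_key('example.com', 'mail', '/path/to/privatekey');

# Signature options keyed by sender domain; '.' is the catch-all entry.
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } },
);

# Mail counts as originating when the client address is in @mynetworks ...
@mynetworks = qw( 127.0.0.0/8 [::1] );
$policy_bank{'MYNETS'} = { originating => 1 };

# ... or when it arrives on a listener reserved for outbound mail.
# Inbound mail keeps using 10024 and is verified but never signed.
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = { originating => 1 };

1;  # the config file must return a true value
```

On the Postfix side this assumes the content_filter for the submission and pickup services points at port 10026 while the inbound smtpd service uses 10024, so cron and application mail injected locally is treated as originating and gets signed.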
