On 2/3/2014 5:31 AM, Solk Maaker wrote:
>> From DKIM's perspective it really makes no sense to validate a
>> signature generated by yourself.
>> ( How often do you check your own identity card to prove that you
>> are you? )
> 
> Yes, that is true, there is no point to verify my own signature, but
> in case of virtual domains, if domain1 does not belong to same user
> as domain2, it would be nice if domain1 signature could be verified.
> 
>> But I assume your problem is consistent behaviour.
>> If that is the point you have to split mail flows:
>>  * separate system signing all submitted messages
>>  * separate system validating any inbound messages.
> 
> Current setup that I have has separate signing machine (relay), so
> if domain1 sends mail to domain2, mail goes from machine1 to relay
> (that will sign mail), and since domain2 MX record points to
> machine1, relay sends it back and mail gets verified.
> I'm wondering, is it possible to do it in same machine, so I can
> exclude relay machine which only purpose is signing.
> 
> My goal would be: verification is done in part of mail flow that
> handles delivery to virtual user, but not in part that handles
> sending mail out to Internet.
> Is it possible, or should I just forget about it and stay with
> separate machine for signing?
> 
> 


You can do both on one machine using multiple postfix instances, one
for incoming mail and another for outgoing mail, each running on its
own IP. But since you already have multiple postfix instances on two
machines it seems silly to complicate a working setup for little
gain, unless you're trying to get rid of the second machine.



  -- Noel Jones
