> On Sep 26, 2019, at 1:00 PM, Jaroslaw Rafa <r...@rafa.eu.org> wrote: > > And here is where the trouble comes. When a mail arrives to my server with > my own address as the sender (for example, my emails coming back from a > mailing list), the content filter script also calls /usr/lib/sendmail to put > the message back in the queue, and hence the message is again signed by > DKIM. I want to avoid this. > > I tried to run /usr/lib/sendmail which gets called by filter script with > another main.cf file (specified by "-C" parameter), that doesn't include the > above milter lines, but, on the other hand, does include > "receive_override_options = no_milters". However, this doesn't help - the > second signature still appears. Looks like the "no_milters" parametr is not > passed to pickup daemon this way.
The most robust approach that comes to mind is a multi-instance configuration: http://www.postfix.org/MULTI_INSTANCE_README.html#quick in which local submission is handled by a null-client Postfix that forwards to an outbound Postfix instance that signs with DKIM, while inbound SMTP is handled by a separate Postfix instance that verifies DKIM, and where the pickup service is statically defined to not use any milters, or use only the appropriate milters. Alternatively, use SMTP content filters, where multiple parallel channels are possible. There is only one pickup(8) and maildrop queue directory in each Postfix instance. -- Viktor.
