[pfx] Re: non_smtpd relayhost ?

2024-06-21 Thread Geert Hendrickx via Postfix-users
On Fri, Jun 21, 2024 at 16:22:24 -0400, Wietse Venema wrote:
> Locally-generated bounces are generated by the Postfix bounce
> daemon which talks to a cleanup service to queue a message.
> One could run bounce daemons with a cleanup_service override
> in master.cf:

Thanks Wietse, that makes sense. I'll try your approach.

Geert

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: non_smtpd relayhost ?

2024-06-21 Thread Wietse Venema via Postfix-users
Geert Hendrickx via Postfix-users:
> Hi
> 
> We have few different sets of Postfix mailservers with different roles;
> inbound servers, outbound servers that DKIM sign outgoing mail with a
> milter, and some other servers that just relay mail that is already signed
> elsewhere.
> 
> The first and third types of mailservers don't need to sign mail passing
> through them, but we are looking for a way to sign their locally generated
> mail (bounces or DSN's), preferably without having to setup and maintain
> DKIM milters (and corresponding private keys) on all those servers.

So you're looking at setting up a host that will sign bounces that were
generated on those machines and not elsewhere.

And "those machines" could be back-end hosts that deliver to a
message store.

Fortunately, there is a way to distinguish between locally- and
remotely-generated bounces.

Locally-generated bounces are generated by the Postfix bounce daemon
which talks to a cleanup service to queue a message. One could run
bounce daemons with a cleanup_service override in master.cf:

(Postfix 3.0 long parameter syntax)

bounce ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }
defer ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }
trace ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }

This approach is relatively safe, because it is unlikely to clash
with bounce parameter settings in main.cf. Such main.cf settings
are extremely rare.

To queue the messages, configure a clone of the cleanup service
with a content_filter override that forces delivery to an ndr-signer
host.

ndr-cleanup ... ... ... ... ... ... ... cleanup
    -o { content_filter = smtp:[ndr-signer] }

This approach may conflict with main.cf parameters that target the
"normal" cleanup service. If that is the case then you can override
the conflicting main.cf setting with an ndr-cleanup master.cf override
for that parameter.

A long list is at https://www.postfix.org/cleanup.8.html.

Wietse
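As an added example (not code from this thread, and not part of Postfix itself), the following Python script parses a master.cf fragment written in the layout Wietse describes and checks that the three bounce-daemon services (bounce, defer, trace) all queue through the ndr-cleanup clone, and that the clone runs the cleanup command with a content_filter override pointing at the signer. It understands both the classic `-o name=value` form and the Postfix 3.0 `-o { name = value }` long syntax, and it honours master(5)'s rule that a line starting with whitespace continues the previous entry. The sample master.cf text is constructed for the example, modelled on the stock entries plus the overrides from the thread; the names ndr-cleanup and ndr-signer are Wietse's, and the function names are my own. Such a check is worth running before reloading Postfix, because a bounce service that silently keeps the default cleanup_service produces unsigned NDRs with no error in the logs.

```python
"""Verify that locally generated bounces are routed through a dedicated
cleanup clone that forwards them to a signing host (Postfix master.cf)."""
import re
from dataclasses import dataclass, field

# Constructed sample: stock master.cf lines for cleanup/bounce/defer/trace,
# plus the ndr-cleanup clone and the -o overrides described in the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
cleanup   unix  n       -       n       -       0       cleanup
bounce    unix  -       -       n       -       0       bounce
  -o { cleanup_service = ndr-cleanup }
defer     unix  -       -       n       -       0       bounce
  -o { cleanup_service = ndr-cleanup }
trace     unix  -       -       n       -       0       bounce
  -o cleanup_service=ndr-cleanup
ndr-cleanup unix n      -       n       -       0       cleanup
  -o { content_filter = smtp:[ndr-signer] }
"""


@dataclass
class Service:
    name: str
    type: str
    command: str
    overrides: dict = field(default_factory=dict)


# Matches "-o name=value" or the Postfix 3.0 long form "-o { name = value }".
_OVERRIDE_RE = re.compile(r"-o\s+(\{[^}]*\}|\S+)")


def parse_master_cf(text):
    """Return {service name: Service} for a master.cf fragment.

    Comment and blank lines are dropped; a line that starts with whitespace
    continues the previous entry, as in master(5)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    services = {}
    for line in logical:
        # name, type, private, unpriv, chroot, wakeup, maxproc, command+args
        fields = line.split(None, 7)
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % line)
        name, stype, cmd_and_args = fields[0], fields[1], fields[7]
        command = cmd_and_args.split(None, 1)[0]
        overrides = {}
        for match in _OVERRIDE_RE.finditer(cmd_and_args):
            item = match.group(1)
            if item.startswith("{"):
                item = item[1:-1]          # strip the long-syntax braces
            key, _, value = item.partition("=")
            overrides[key.strip()] = value.strip()
        services[name] = Service(name, stype, command, overrides)
    return services


def check_ndr_routing(services, ndr_cleanup="ndr-cleanup"):
    """Return a list of problems; an empty list means the routing is consistent."""
    problems = []
    clone = services.get(ndr_cleanup)
    if clone is None:
        problems.append("no %s service defined" % ndr_cleanup)
    elif clone.command != "cleanup":
        problems.append("%s must run the cleanup command" % ndr_cleanup)
    elif "content_filter" not in clone.overrides:
        problems.append("%s has no content_filter override" % ndr_cleanup)

    # Every bounce-daemon instance must hand its messages to the clone.
    for name in ("bounce", "defer", "trace"):
        svc = services.get(name)
        if svc is None:
            problems.append("service %s not defined" % name)
            continue
        if svc.command != "bounce":
            problems.append("%s must run the bounce command" % name)
        if svc.overrides.get("cleanup_service") != ndr_cleanup:
            problems.append("%s does not route to %s" % (name, ndr_cleanup))
    return problems


if __name__ == "__main__":
    found = check_ndr_routing(parse_master_cf(SAMPLE_MASTER_CF))
    print("OK" if not found else "\n".join(found))
```

To check a live configuration, read /etc/postfix/master.cf (or the output of `postconf -M`) into `parse_master_cf` instead of the constructed sample; any non-empty list returned by `check_ndr_routing` names the service whose override is missing or wrong.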