Geert Hendrickx via Postfix-users:
> Hi
>
> We have a few different sets of Postfix mailservers with different roles;
> inbound servers, outbound servers that DKIM sign outgoing mail with a
> milter, and some other servers that just relay mail that is already signed
> elsewhere.
>
> The first and third types of mailservers don't need to sign mail passing
> through them, but we are looking for a way to sign their locally generated
> mail (bounces or DSNs), preferably without having to set up and maintain
> DKIM milters (and corresponding private keys) on all those servers.

So you're looking at setting up a host that will sign bounces that were
generated on those machines and not elsewhere.

And "those machines" could be back-end hosts that deliver to a
message store.

Fortunately, there is a way to distinguish between locally- and
remotely-generated bounces.

Locally-generated bounces are generated by the Postfix bounce daemon
which talks to a cleanup service to queue a message. One could run
bounce daemons with a cleanup_service override in master.cf:

    (Postfix 3.0 long parameter syntax)
    bounce ... ... ... ... ... ... ... bounce
        -o { cleanup_service = ndr-cleanup }
    defer ... ... ... ... ... ... ... bounce
        -o { cleanup_service = ndr-cleanup }
    trace ... ... ... ... ... ... ... bounce
        -o { cleanup_service = ndr-cleanup }

This approach is relatively safe, because it is unlikely to clash
with bounce parameter settings in main.cf. Such main.cf settings
are extremely rare.

To queue the messages, configure a clone of the cleanup service
with a content_filter override that forces delivery to an ndr-signer
host.

    ndr-cleanup ... ... ... ... ... ... ... cleanup
        -o { content_filter = smtp:[ndr-signer] }

This approach may conflict with main.cf parameters that target the
"normal" cleanup service. If that is the case then you can override
the conflicting main.cf setting with an ndr-cleanup master.cf override
for that parameter.

A long list is at https://www.postfix.org/cleanup.8.html.

Wietse
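
An added example, not part of the original message: a shell check that reads `postconf -P` style lines ("service/type/parameter = value") and confirms that bounce, defer and trace are all routed through a cleanup clone that carries a content_filter override. The function names are hypothetical, the sample lines are constructed rather than captured output, and the services are assumed to be of type unix.

```shell
# Constructed sample input in `postconf -P` format (not real output).
sample_good() {
cat <<'EOF'
bounce/unix/cleanup_service = ndr-cleanup
defer/unix/cleanup_service = ndr-cleanup
trace/unix/cleanup_service = ndr-cleanup
ndr-cleanup/unix/content_filter = smtp:[ndr-signer]
EOF
}

# Constructed failure case: the trace service was left without the override.
sample_missing_trace() { sample_good | grep -v '^trace/'; }

# Reads "service/type/parameter = value" lines on stdin; returns non-zero
# if any bounce-daemon service is not routed through a filtering cleanup clone.
check_ndr_wiring() {
    awk '
    {
        split($1, key, "/")            # key[1]=service, key[3]=parameter
        if (key[3] == "cleanup_service") cleanup[key[1]] = $3
        if (key[3] == "content_filter")  filter[key[1]]  = $3
    }
    END {
        n = split("bounce defer trace", svc, " ")
        for (i = 1; i <= n; i++) {
            s = svc[i]
            if (!(s in cleanup)) {
                print "FAIL " s ": no cleanup_service override"; bad = 1
            } else if (!(cleanup[s] in filter)) {
                print "FAIL " s ": " cleanup[s] " has no content_filter override"; bad = 1
            } else {
                print "ok   " s " -> " cleanup[s] " -> " filter[cleanup[s]]
            }
        }
        exit bad + 0
    }'
}
```

On a live host the input would come from `postconf -P | check_ndr_wiring`; a FAIL line means notifications from that service are queued without passing through the signer.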