On 03/27/2016 04:07 PM, Matthias Henze wrote:
> my first approach with "opendkim" does not work as "opendkim" uses
> milter and Ciphermail is a content filter. Milters are applied before
> content filters and the s/Mime signature modifies the body of the mail
> with the signature. This invalidates the DKIM signature. Took me a day
> to figure this out as I was not aware of the described processing order.
> Finally I found this out just by reading the (previously ignored)
> headlines of http://www.postfix.org/FILTER_README.html and
> www.postfix.org/MILTER_README.html :-)

Adding the DKIM milter on the reinjection port(s) should work. After
handling the mail (i.e., encryption/decryption etc), the back-end sends
the mail back to postfix on a "reinjection port" (port 10026).

I haven't tested it but the following might work:

See the following line in master under the 127.0.0.1:10026 section:

-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters

You should change this line to something like:

-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_milters=REPLACEWITHDKIMMILTER

This should enable the DKIM milter after the message has been
encrypted/decrypted/signed.

Again, I have not tested this but this should work (might need some
minimal changes though).

Then again, your suggestion of using dkimproxy is also a good alternative
until DKIM support has been added to CipherMail*.

Kind regards,

Martijn Brinkers

* "native" DKIM support is basically working but not enabled for all
SMTP outgoing mail. We will see whether we can make it possible to
enable this for all outgoing email.


> 
> See https://wiki.mhcsoftware.de/postfix_dkim_support (sorry, German) for
> details.
> 
> cheers
> Matthias
> 
> 
> 
> On 24.03.2016 at 20:35, Matthias Henze wrote:
>> Hi,
>>
>> my mail server (Kerio) can apply DKIM signatures. Piping DKIM signed
>> mails through Ciphermail disrupts the validity of the DKIM signatures.
>> Postfix on the Ciphermail server has to apply the DKIM signature after
>> the mail was processed by Ciphermail. This could be achieved by following
>> these howtos:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
>>
>>
>>
>> http://unixwars.blogspot.de/2015/01/8bitmime-and-dkim-body-authentication.html
>>
>>
>>
>> The second is required at my site because without it mails sent by
>> Thunderbird fail validation by remote servers. My master.cf now looks
>> like this:
>>
>>
>> smtp      inet  n       -       -       -       -       smtpd
>>              -o message_size_limit=${djigzo_before_filter_message_size_limit}
>>              -o content_filter=smtp-downconvert:127.0.0.1:10026
>> pickup    fifo  n       -       -       60      1       pickup
>> ...
>> ...
>> ...
>> # cleanup for reinject so we can set the hopcount_limit differently for the reinjection port
>> cleanup_reinject unix  n       -       -       -       0       cleanup
>>              -o hopcount_limit=100
>>
>> smtp-downconvert  unix    -       -       -       -       2       smtp
>>     -o smtp_discard_ehlo_keywords=8bitmime,silent-discard
>>
>> 127.0.0.1:10026 inet  n       -       n       -       10      smtpd
>>              -o content_filter=
>> ...
>> ...
>> ...
>>
>>
>> Suggestion: Add a DKIM config option to Ciphermail :-)
>>
>> cheers
>> Matthias
>>
>>
> 
> 


-- 
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
_______________________________________________
Users mailing list
Users@lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
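
Added example, not part of the original messages or of CipherMail: a small Python lint for the reinjection listener discussed in this thread. It reports a leftover no_milters, a missing per-listener smtpd_milters, and values that receive_override_options does not accept. The sample master.cf, the filter destination and the milter socket are constructed placeholders.

```python
# Assumes plain "-o name=value" overrides and a milter set per listener, not in main.cf.
# Values Postfix documents for receive_override_options.
VALID_OVERRIDES = {"no_unknown_recipient_checks", "no_address_mappings",
                   "no_header_body_checks", "no_milters"}

# Constructed sample; the filter destination and milter socket are placeholders.
SAMPLE = """\
smtp      inet  n       -       -       -       -       smtpd
    -o content_filter=filter:127.0.0.1:10025
127.0.0.1:10026 inet  n       -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_milters=inet:127.0.0.1:8891
"""

def parse_master_cf(text):
    """Return {service_name: {option: value}} for every master.cf entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        args = fields[8:]                         # text after the 8 fixed columns
        services[fields[0]] = dict(
            value.split("=", 1) for flag, value in zip(args, args[1:])
            if flag == "-o" and "=" in value)
    return services

def check_reinjection(text, service="127.0.0.1:10026"):
    """List problems that keep a DKIM milter from running after the content filter."""
    opts = parse_master_cf(text).get(service)
    if opts is None:
        return [f"service {service} not found"]
    overrides = [v for v in opts.get("receive_override_options", "").split(",") if v]
    problems = [f"invalid receive_override_options value: {v}"
                for v in overrides if v not in VALID_OVERRIDES]
    if "no_milters" in overrides:
        problems.append("no_milters disables milters on this listener")
    if not opts.get("smtpd_milters"):
        problems.append("smtpd_milters is not set on this listener")
    return problems

if __name__ == "__main__":
    print(check_reinjection(SAMPLE) or "reinjection listener runs the milter")
```

An empty result means the listener on port 10026 will hand reinjected mail to the milter, so the DKIM signature is computed over the body as CipherMail left it.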
