Henrik,

> My users ARE identified by either locally trusted IPs or pop-before-smtp,
> i.e. they end up in mynetworks, but they are STILL verified by the
> incoming filter.. And I'm using your suggested setup very strictly..?!

> As far as I can see, the incoming milter(s) DOES get invoked for ALL
> incoming mail on port 25.. Am I missing something?

I see, you are quite right. I haven't noticed it because no header fields
are inserted by these two verifying milters when there is no signature
present and dk policy does not claim that a domain is signing all mail.

A solution would be to separate mail submission from MX, e.g. by
providing another dedicated IP alias address on a mailer for
mail submission (or keeping existing address for submission,
and pointing MX to a new IP alias).

> But I have found out that adding -d mydomain.net to the incoming filter
> actually solved this issue, as this means that my own mail does not get
> verified.. But neither will anyone spoofing being from my own domain..

Good. A waste of resources is still there, but at least the verification
does not fail. Something still needs to be done to prevent SA plugins
DK and DKIM from complaining about non-signed mail from local users.

  Mark
