amavis-user March 2012 archive
amavis-user: Re: DKIM and Amavis

From: Mark Martinec <Mark.Martinec+amavis_at_nospam>
Date: Tue Mar 06 2012 - 14:17:37 GMT
To: amavis-users@amavis.org

> Is it possible to handle DKIM via amavis?

Yes, since version 2.6.0, with some improvements in later versions.

> If so, is it possible to sign only SASL authenticated outgoing messages?
> My setup is postfix + Amavis +opendkim.

Signing can be enabled/disabled by a policy bank, so the idea is to let
an MTA route messages which should be signed to a dedicated content
filtering port, where the policy bank can adjust the settings accordingly.

With version 2.7.0 the $enable_dkim_signing can be adjusted
by a policy bank:

- settings $enable_dkim_verification and $enable_dkim_signing are now
  dynamic, i.e. became members of policy banks, thus facilitating
  selectively enabling or disabling these features on a policy bank basis;

For example:

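# signing is off by default
$enable_dkim_signing = 0;

# mail arriving on port 10026 is handled by the ORIGINATING policy bank
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  enable_dkim_signing => 1,  # sign only mail handled by this bank
};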

With earlier versions the same can be accomplished through
a @dkim_signature_options_bysender_maps setting, which was
always dynamic (i.e. configurable through policy banks).

> If so, is it possible to sign only SASL authenticated outgoing messages?

Btw, even without any special settings, amavisd generates DKIM signatures
only for non-spam messages with $originating flag on, which (depending
on an MTA setup) only applies to authorized mail submission, either
through client's IP address being in @mynetworks, or for authenticated
(e.g. SASL) roaming users.

  Mark
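
The setup described in the reply above, written out as one amavisd.conf fragment for version 2.7.0 or later. This is an added example, not part of the original message and not taken from the amavisd distribution. The domain, selector, key path and the Postfix transport name "amavisfeed" are placeholders and assumptions.

```perl
# amavisd.conf fragment (added example; example.com, the selector and the
# key path are placeholders, not values from the original message)

# Listen on the normal filtering port and on a dedicated port for mail
# that the MTA has decided should be signed.
$inet_socket_port = [10024, 10026];

# Keep both ports reachable from the local MTA only: any client that can
# connect to 10026 is treated as originating and gets its mail signed.
$inet_socket_bind = '127.0.0.1';
@inet_acl = qw( 127.0.0.1 [::1] );

$enable_dkim_verification = 1;  # verify signatures on all mail
$enable_dkim_signing      = 0;  # do not sign unless a policy bank says so

# Signing key: domain, selector, private key file (all placeholders).
dkim_key('example.com', 'sel2012',
         '/var/lib/amavis/dkim/example.com.sel2012.pem');

# Mail handed over on port 10026 loads the ORIGINATING policy bank,
# which turns signing on for that message only.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating         => 1,
  enable_dkim_signing => 1,
};

# Postfix side, shown as comments because it belongs in master.cf.
# Assumes a transport named "amavisfeed" is already defined there.
# Only the authenticated submission service is routed to port 10026;
# the global content_filter in main.cf keeps pointing at port 10024.
#
#   submission inet n - n - - smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#     -o content_filter=amavisfeed:[127.0.0.1]:10026
```

After publishing the public key in DNS, `amavisd testkeys` checks that the published record matches the configured key.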