amavis-user March 2012 archive

Re: DKIM and Amavis

From: Mark Martinec <Mark.Martinec+amavis_at_nospam>
Date: Wed Mar 07 2012 - 15:03:56 GMT


> Let me put it in a simpler context, in order to see
> if I understood that correctly.
> 1. It is possible
> 2. In order to do so, I need to copy/paste your example

Yes, assuming you are using 2.7.0.

You also need to prepare DKIM keys, publish their public component,
and let amavisd know where to find a private key.


This is also documented in release notes, search for:
in the 2.6.0 section.

> And finally (I need your help here):
> 3. Configure Postfix to write the ORIGINATING header?

Actually: configure Postfix to use a content filter on port 10026
for authenticated mail, and on port 10024 otherwise
(or pick any two unused port numbers to your liking).

Something like the setup described here should do:

If for some reason you don't like a mail originating from mynetworks
to count as authenticated, just move the permit_mynetworks up to the
first position in the smtpd_sender_restrictions (referring to the
example in the amavisd-new-docs.html#dkim-postfix-dual-path section).

Btw, if using amavisd as a pre-queue content filter (smtpd_proxy_filter),
things can get more complicated, as it is prudent to DKIM-sign mail
late in the mail processing, after an MTA does its job on mail
sanitation (adding missing header fields like Date and Message-ID,
or QP-encoding nonencoded 8-bit mail parts), and canonicalizations
(like adjusting domains in a From header field). To accomplish
this, a pre-queue filter should only do its contents filtering
and DKIM signature validation, but no signing. A clean mail
which needs to be signed can at the end be fed to a dedicated
content filtering port where amavisd would only do its DKIM
signing, with all other contents checking disabled.
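The dual-port arrangement discussed in this message, as an added configuration sketch; it is not part of the original message and not the example the poster refers to. The domain, selector, key path, the `amavisfeed` transport name and the two regexp file names are assumptions to adapt locally.

```perl
# amavisd.conf fragment (amavisd.conf is Perl). All names below are placeholders.
$enable_dkim_verification = 1;  # validate signatures on incoming mail
$enable_dkim_signing      = 1;  # sign mail handled under an 'originating' policy

# Private key used for signing. The matching public key must be published in
# DNS as a TXT record at <selector>._domainkey.<domain>. Keep the key file
# readable only by the account amavisd runs as.
dkim_key('example.org', 'sel2012', '/var/db/dkim/example-org.key.pem');

# Two listening ports: 10024 for ordinary mail, 10026 for authenticated mail.
$inet_socket_port = [10024, 10026];

# Anything arriving on port 10026 is treated as coming from our own users.
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,  # marks the client as ours, which permits DKIM signing
};

# Postfix side, shown as comments because it is not Perl.
# main.cf (assumes an 'amavisfeed' transport is defined in master.cf):
#   content_filter = amavisfeed:[127.0.0.1]:10024
#   smtpd_sender_restrictions =
#     check_sender_access regexp:/etc/postfix/tag_as_originating.re
#     permit_mynetworks
#     permit_sasl_authenticated
#     check_sender_access regexp:/etc/postfix/tag_as_foreign.re
#
# /etc/postfix/tag_as_originating.re:
#   /^/  FILTER amavisfeed:[127.0.0.1]:10026
# /etc/postfix/tag_as_foreign.re:
#   /^/  FILTER amavisfeed:[127.0.0.1]:10024
#
# Evaluation order: every message is first tagged for port 10026; a permit_*
# match stops evaluation there, so authenticated mail keeps that tag. Mail that
# matches no permit_* rule reaches the last lookup and is re-tagged for 10024.
# With permit_mynetworks moved to the first position, mail from mynetworks is
# accepted before any tagging and falls back to content_filter (port 10024).

1;  # keep as the last line of amavisd.conf
```

After publishing the DNS record, `amavisd testkeys` checks that the published public key matches the configured private key.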