DKIM and Amavis
Mark Martinec
Mark.Martinec+amavis at ijs.si
Wed Mar 7 16:03:56 CET 2012
Peter,

> Let me put it in a simpler context, in order to see
> if I understood that correctly.
> 1. It is possible
> 2. In order to do so, I need to copy/paste your example

Yes, assuming you are using 2.7.0.

You also need to prepare DKIM keys, publish their public component,
and let amavisd know where to find a private key.
See
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

This is also documented in release notes, search for:
"QUICK START TO DKIM SIGNING" (and "QUICK START TO DKIM VERIFICATION")
in the 2.6.0 section.

> And finally (I need your help here):
> 3. Configure Postfix to write the ORIGINATING header?

Actually: configure Postfix to use a content filter on port 10026
for authenticated mail, and on port 10024 otherwise
(or pick any two unused port numbers to your liking).
Something like the setup described here should do:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path

If for some reason you don't like a mail originating from mynetworks
to count as authenticated, just move the permit_mynetworks up to the
first position in the smtpd_sender_restrictions (referring to the
example in the amavisd-new-docs.html#dkim-postfix-dual-path section).

Btw, if using amavisd as a pre-queue content filter (smtpd_proxy_filter),
things can get more complicated, as it is prudent to DKIM-sign mail
late in the mail processing, after an MTA does its job on mail
sanitation (adding missing header fields like Date and Message-ID,
or QP-encoding nonencoded 8-bit mail parts), and canonicalizations
(like adjusting domains in a From header field). To accomplish
this, a pre-queue filter should only do its contents filtering
and DKIM signature validation, but no signing. A clean mail
which needs to be signed can at the end be fed to a dedicated
content filtering port where amavisd would only do its DKIM
signing, with all other contents checking disabled.

Mark
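
The dual-path setup described in the message above, as an added configuration sketch that is not part of the original post or the amavisd-new documentation. The domain, selector, key path, the `amavisfeed` transport name and the map file names are assumed placeholders; the linked documentation section remains the authoritative layout.

```perl
# amavisd.conf fragment (amavisd-new 2.7.0 assumed, as in the message).
# Domain, selector and key path below are constructed placeholders.

$enable_dkim_verification = 1;   # verify signatures on incoming mail
$enable_dkim_signing      = 1;   # sign only mail flagged as originating

# Private key used for signing. Keep the file readable by the amavis
# user only; the matching public key must be published in DNS at
# <selector>._domainkey.<domain>.
dkim_key('example.com', 'sel2012',
         '/var/lib/amavis/dkim/example.com.sel2012.pem');

@dkim_signature_options_bysender_maps = ( {
  '.' => { ttl => 21*24*3600, c => 'relaxed/simple' },
} );

# Listen on both ports named in the message.
$inet_socket_port = [10024, 10026];

# Postfix routes mail from authenticated clients to 10026, so mail
# arriving there loads the ORIGINATING policy bank.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,   # marks mail as locally originating: eligible for signing
};

# Postfix side (main.cf), shown as comments. The transport name
# "amavisfeed" and the map file names are assumptions.
#
#   content_filter = amavisfeed:[127.0.0.1]:10024
#   smtpd_sender_restrictions =
#     check_sender_access regexp:/etc/postfix/tag_as_originating.re
#     permit_mynetworks
#     permit_sasl_authenticated
#     check_sender_access regexp:/etc/postfix/tag_as_foreign.re
#
#   tag_as_originating.re:   /^/  FILTER amavisfeed:[127.0.0.1]:10026
#   tag_as_foreign.re:       /^/  FILTER amavisfeed:[127.0.0.1]:10024
#
# Every message is first tagged for 10026; a permit_* match stops
# evaluation and keeps that tag, anything else is re-tagged for 10024.
# Moving permit_mynetworks to the first position makes mynetworks
# clients skip the first tag, so their mail is not treated as
# authenticated and goes to the default filter on 10024.
```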