Amavis Signing Incoming Mail

Mark Martinec Mark.Martinec+amavis at
Fri May 18 19:21:09 CEST 2012


> I have Amavis-new setup with Postfix, ClamAV, and spamassassin. I have
> it verifying and signing emails using dkim.
> I noticed that when I send myself an email from an off-server account,
> amavis adds a dkim signature to that email, then maildrop delivers it.
> An example:
> This is in the headers of an email sent to my server running
> amavis-new, from a third party email provider.
> Authentication-Results: domain.tld (amavisd-new);
>      dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
> As you can see, it says "just generated, assumed good." I want to sign
> all outgoing mail, but what is the point of signing incoming mail as
> well? Is there a way to prevent this?

Amavisd only considers DKIM-signing when a message has the $originating
flag set. This flag is supposed to be set only for mail originating from
internal IP clients, or from authenticated roaming users.

If you see a signature added to an incoming message from a
non-authenticated remote client, you have a misconfiguration:
either the @mynetworks list includes foreign IP addresses,
or (as Klaus Tachtler described) you are NATing foreign IP addresses
to a private address range, or you have the $originating unconditionally
set to true, or some policy bank is setting it to true but is being
loaded when it shouldn't be.

Levi wrote:
> Well, is there a case when I send as authenticated user from outside
> through this server, so I want to be signed my mails.

Certainly. The solution is to configure you MSA to pass submitted
mail message from local, or from remote authenticated users
to amavisd on a dedicated TCP port, then associate some policy bank
with this port (often named 'ORIGINATING'), which can then turn on
the originating flag.

Something like the following:


  $inet_socket_port = [10024,10026];

  $interface_policy{'10026'} = 'ORIGINATING';

  $policy_bank{'ORIGINATING'} = {
    originating => 1,

submission  inet n - n - 50 smtpd
    -o content_filter=[]:10026

or use some hack using FILTER on smtpd_client_restrictions or
smtpd_sender_restrictions in Some ideas are documented

Btw, if mail submission from roaming authenticated users
is not needed, a simple solution with @mynetworks suffices,
which implicitly turns on the $originating flag. No need for
a policy bank or separate TCP ports for such a simple setup.


More information about the amavis-users mailing list