Amavis Signing Incoming Mail
Mark Martinec
Mark.Martinec+amavis at ijs.si
Fri May 18 19:21:09 CEST 2012
Stephen,
> I have Amavis-new setup with Postfix, ClamAV, and spamassassin. I have
> it verifying and signing emails using dkim.
>
> I noticed that when I send myself an email from an off-server account,
> amavis adds a dkim signature to that email, then maildrop delivers it.
> An example:
>
> This is in the headers of an email sent to my server running
> amavis-new, from a third party email provider.
>
> Authentication-Results: domain.tld (amavisd-new);
> dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
[...]
> As you can see, it says "just generated, assumed good." I want to sign
> all outgoing mail, but what is the point of signing incoming mail as
> well? Is there a way to prevent this?
Amavisd only considers DKIM-signing when a message has the $originating
flag set. This flag is supposed to be set only for mail originating from
internal IP clients, or from authenticated roaming users.
If you see a signature added to an incoming message from a
non-authenticated remote client, you have a misconfiguration:
either the @mynetworks list includes foreign IP addresses,
or (as Klaus Tachtler described) you are NATing foreign IP addresses
to a private address range, or you have the $originating unconditionally
set to true, or some policy bank is setting it to true but is being
loaded when it shouldn't be.
Levi wrote:
> Well, there is a case when I send as an authenticated user from outside
> through this server, so I want my mails to be signed.
Certainly. The solution is to configure your MSA to pass submitted
mail messages from local, or from remote authenticated users
to amavisd on a dedicated TCP port, then associate some policy bank
with this port (often named 'ORIGINATING'), which can then turn on
the originating flag.
Something like the following:
amavisd.conf:
$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
originating => 1,
};
master.cf:
submission inet n       -       n       -       50      smtpd
  -o content_filter=[127.0.0.1]:10026
[...]
or use some hack using FILTER on smtpd_client_restrictions or
smtpd_sender_restrictions in main.cf. Some ideas are documented
in:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path
Btw, if mail submission from roaming authenticated users
is not needed, a simple solution with @mynetworks suffices,
which implicitly turns on the $originating flag. No need for
a policy bank or separate TCP ports for such a simple setup.
Mark
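As an added example (not from this post or from the amavisd project): a small Python audit that scans stored messages for the symptom discussed above, an Authentication-Results header from your own amavisd with reason "just generated, assumed good" on mail that arrived from a foreign client over the inbound port. It assumes the authserv-id "domain.tld" seen in Stephen's header, an @mynetworks of 127.0.0.0/8 and 192.168.0.0/16, inbound port 10024 and ORIGINATING port 10026 as in Mark's config, and amavisd's default "(amavisd-new, port N)" Received line; the sample messages are constructed.

```python
# Added example (not from the post or the amavisd project): scan stored messages for
# the symptom Mark describes, our own amavisd reporting "just generated, assumed good"
# on mail that came from a foreign client over the inbound port.
import email
import ipaddress
import re

AUTHSERV_ID = "domain.tld"          # assumed authserv-id (taken from Stephen's header)
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]  # assumed @mynetworks
ORIGINATING_PORTS = {10026}         # assumed port(s) mapped to the ORIGINATING policy bank
JUST_GENERATED = "just generated, assumed good"   # amavisd's reason for a signature it created itself
_AMAVIS_HOP = re.compile(r"\(amavisd-new, port (\d+)\)")   # amavisd's own Received line
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def signed_by_us(msg):
    """True if an Authentication-Results header with our authserv-id says amavisd
    generated the DKIM signature itself instead of verifying a foreign one."""
    for ar in msg.get_all("Authentication-Results") or []:
        ar = " ".join(ar.split())                 # unfold continuation lines
        head = ar.split(";", 1)[0].split()
        if head and head[0] == AUTHSERV_ID and JUST_GENERATED in ar:
            return True
    return False


def hop_before_amavisd(msg):
    """Return (amavisd_port, client_ip) for the hop that fed amavisd. Received
    headers are prepended, so the smtpd hop before amavisd is the header right
    after amavisd's own Received line; client_ip is None if unparseable."""
    received = msg.get_all("Received") or []
    for i, hdr in enumerate(received):
        m = _AMAVIS_HOP.search(hdr)
        if not m or i + 1 >= len(received):
            continue
        ip = None
        ip_m = _BRACKET_IP.search(received[i + 1])
        if ip_m:
            try:
                ip = ipaddress.ip_address(ip_m.group(1))
            except ValueError:
                pass
        return int(m.group(1)), ip
    return None, None


def in_mynetworks(ip):
    return ip is not None and any(ip in net for net in MYNETWORKS)


def audit(raw):
    """Classify one message: 'ok' (not signed by us, or signed on the ORIGINATING
    port / from an @mynetworks client), 'signed-inbound' (the misconfiguration: we
    signed mail a foreign client sent to the inbound port), or 'unknown' (signed,
    but no amavisd Received line to reconstruct the hop)."""
    msg = email.message_from_string(raw)
    if not signed_by_us(msg):
        return "ok"
    port, ip = hop_before_amavisd(msg)
    if port is None:
        return "unknown"
    if port in ORIGINATING_PORTS or in_mynetworks(ip):
        return "ok"
    return "signed-inbound"


# Constructed samples (not real traffic); addresses are from RFC 5737 test ranges.
INBOUND_SIGNED = """\
Received: from mail.domain.tld ([127.0.0.1])
\tby localhost (mail.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id kQ7w3xR2aB; Fri, 18 May 2012 10:00:00 +0200
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.domain.tld (Postfix) with ESMTP id 9C1A2B3D4E; Fri, 18 May 2012 09:59:59 +0200
Authentication-Results: domain.tld (amavisd-new);
\tdkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=domain.tld
From: sender@example.net
Subject: inbound, but signed by us

body
"""
SUBMISSION_SIGNED = """\
Received: from mail.domain.tld ([127.0.0.1])
\tby localhost (mail.domain.tld [127.0.0.1]) (amavisd-new, port 10026)
\twith ESMTP id zX9pL0mN2q; Fri, 18 May 2012 11:00:00 +0200
Received: from [198.51.100.7] (unknown [198.51.100.7]) (Authenticated sender: levi)
\tby mail.domain.tld (Postfix) with ESMTPSA id 1F2E3D4C5B; Fri, 18 May 2012 10:59:59 +0200
Authentication-Results: domain.tld (amavisd-new);
\tdkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=domain.tld
From: levi@domain.tld
Subject: roaming user via submission

body
"""
INBOUND_UNSIGNED = INBOUND_SIGNED.replace(
    'dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=domain.tld',
    "dkim=none")

if __name__ == "__main__":
    for name, raw in (("inbound signed", INBOUND_SIGNED), ("submission signed", SUBMISSION_SIGNED),
                      ("inbound unsigned", INBOUND_UNSIGNED)):
        print(f"{name}: {audit(raw)}")
```

Point audit() at the raw files of a Maildir and any 'signed-inbound' result is a message that should not have carried your signature; the port in amavisd's own Received line tells you which path the message actually took, which is usually enough to see whether the culprit is @mynetworks, NAT, or a policy bank loaded for the wrong port.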