DKIM sign only unsigned
Benny Pedersen
me at junc.eu
Wed Dec 30 16:36:50 CET 2020
On 2020-12-30 12:51, Matus UHLAR - fantomas wrote:
> On 28.12.20 18:20, Benny Pedersen wrote:
>> On 2020-12-28 18:09, Matus UHLAR - fantomas wrote:
>>
>>> we have mail gateway where most of internal mail comes already signed, and
>>> I'd prefer to sign only mail that is not signed already.
>>
>> +1
>>
>>> can I dkim-sign only mail that is not already signed?
>>
>> with policy banks yes
>
> how?

see ORIGINATING

https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix

do you have remote local servers that are using submission/smtps where some
mails are already DKIM signed?

>
>> you know how to make that with trusted networks and untrusted
>> networks, and xclient ip
>
> I don't. Advise?

this is part of the problem then

> client IP does not work since the same IP sometimes sends signed, sometimes
> unsigned mail.

amavisd works better if it knows internal networks as well, same as what
spamassassin knows

make sure this is all in sync

>
> That's why I ask about only signing mail that is not signed, or, skipping
> mail that is already signed (with valid signature).
>
>> equal to how milters in postfix/sendmail only sign submission/smtps
>> and not port 25, this should be easy
>
> it is not due to what I described above.
>
> ... if it was that easy, I would ask different question, or not ask at all.

opendkim can have MTA=ORIGINATING in its conf, and only mails that are
ORIGINATING will be signed, even if the IPs are unknown from internal or
external IP

if amavisd has xclient data it would work on IP level as well

sorry, not using amavisd anymore