Struggling with DKIM signing
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Nov 5 16:25:06 CET 2024
>>>>Thanks very much. I had tried adding "-o
>>>>content_filter=smtp-amavis: [127.0.0.1]:10024" to master.cf but
>>>>only reloaded postfix. I removed it when it didn't work.
>>On 05/11/2024 14:27, Damian wrote:
>>>Are you sure about the 10024? That is the standard Amavis port. If
>>>you use the same port for externally inbound emails, they will be
>>>falsely declared as originating.
>On 05/11/2024 14:39, Nick Howitt wrote:
>>Ok, I have more studying to do. I see there is a Configuring
>>Multiple Paths section which I guess I'll have to read.
On 05.11.24 15:00, Nick Howitt wrote:
>For the Postfix bit, I already have:
>#=====================================================================
># Global antivirus/antispam pre-filter (Amavis)
>#=====================================================================
This configures how postfix feeds data to amavis:
>smtp-amavis unix - - n - 5 smtp
> -o smtp_data_done_timeout=1200
> -o smtp_send_xforward_command=yes
> -o disable_dns_lookups=yes
> -o max_use=20
This configures incoming data on port 10025:
># SMTP interface for injecting mail into Amavis
>127.0.0.1:10025 inet n - n - - smtpd
> -o content_filter=smtp-amavis:[127.0.0.1]:10024
and feeds it to amavis on port 10024 via the service above.
But this only applies to mail accepted on port 10025
- who sends mail to port 10025?
I guess this is your problem, you should use content_filter in main.cf and
disable it here, port 10024 should process mail that came from amavis.
> -o smtpd_restriction_classes=
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> -o strict_rfc821_envelopes=yes
> -o smtpd_error_sleep_time=0
> -o smtpd_soft_error_limit=1001
> -o smtpd_hard_error_limit=1000
And this configures mail incoming via port 10026, but who sends you
mail there?
>#=====================================================================
># Mail re-injection (after pre-filtering)
>#=====================================================================
>127.0.0.1:10026 inet n - n - - smtpd
> -o content_filter=
> -o smtpd_restriction_classes=
> -o smtpd_delay_reject=no
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions=reject_unauth_pipelining
> -o smtpd_end_of_data_restrictions=
> -o mynetworks=127.0.0.0/8
> -o smtpd_error_sleep_time=0
> -o smtpd_soft_error_limit=1001
> -o smtpd_hard_error_limit=1000
> -o smtpd_client_connection_count_limit=0
> -o smtpd_client_connection_rate_limit=0
>
>
>Do I just duplicate the two sections starting 127.0.0.1, changing the
>ports but leave the first smtp-amavis section?
This is hard to say without knowing how you process incoming mail.
As I mentioned in my former mail:
Services like Zimbra and ISPConfig feed internal mail via SMTP to port 10026
where amavis receives mail into "ORIGINATING" bank and processes it as
outgoing, thus signing with DKIM, returning it to port 10027.
They also feed other e-mail as incoming to amavis on port 10024 where amavis
processes it as incoming (no dkim signing), returning mail back to port
10025.
- you would create a loop here.
Note. I have added:
-o syslog_name=postfix-filtered
onto service 10025 (and possibly 10027 if I used it), to prevent the pflogsumm
script, which processes postfix logs, from duplicately parsing mail coming from
amavis as new.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
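
The loop discussed in the message above (a listener on the port amavis returns mail to, which itself has content_filter pointing back at amavis), written as a static check over master.cf. This is an added example, not part of the original message and not Postfix or amavis code; `parse_master_cf`, `filter_loops` and the `AMAVIS_RETURN` map are hypothetical names, and the map assumes the 10024 -> 10025 / 10026 -> 10027 layout the message describes.

```python
import re

# Constructed sample: the listeners from the quoted master.cf, trimmed to the
# options that affect filter routing.
MASTER_CF = """\
smtp-amavis unix - - n - 5 smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o mynetworks=127.0.0.0/8
127.0.0.1:10026 inet n - n - - smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
"""

# Assumption: amavis listening port -> port it hands mail back to, as in the
# layout the message describes (10024 -> 10025, 10026 -> 10027).
AMAVIS_RETURN = {10024: 10025, 10026: 10027}


def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}}; handles "-o name=value" only."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new service entry starts in column 0
            f = line.split()
            current = services[f[0]] = {"type": f[1], "command": f[7], "opts": {}}
        if current is not None:
            for m in re.finditer(r"-o\s+([^\s=]+)=(\S*)", line):
                current["opts"][m.group(1)] = m.group(2)
    return services


def filter_loops(text, main_cf_filter="", returns=AMAVIS_RETURN):
    """Find smtpd listeners that send mail to an amavis port which returns it to them."""
    loops = []
    for name, svc in parse_master_cf(text).items():
        port = name.rsplit(":", 1)[-1]
        if svc["type"] != "inet" or svc["command"] != "smtpd" or not port.isdigit():
            continue
        # A per-service -o override (even an empty one) wins over main.cf.
        target = svc["opts"].get("content_filter", main_cf_filter)
        m = re.search(r":(\d+)$", target)
        if m and returns.get(int(m.group(1))) == int(port):
            loops.append((name, target))
    return loops
```

`filter_loops(MASTER_CF)` flags the 10025 listener; passing the filter as `main_cf_filter` and giving 10025 an empty `-o content_filter=` clears the finding.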