
I am signing all the emails for all domains that go through my Postfix MTA, but I need to custom-sign some emails for some domains from my application. Is it possible to stop OpenDKIM from signing emails if they already have a signature?

Anil Bind
  • Because those emails will be signed with the client's domain, the d tag will be the client's domain; currently their emails go out via mydomain.com in the header of the email! – Anil Bind Oct 05 '20 at 07:17
  • I understand *which* emails you wish to exclude from your own signing, but not *why*. Do you realize that multiple signatures, such as one from the client and one from the service provider (you), are typically strictly value *added*? – anx Oct 05 '20 at 20:09

2 Answers


There might be a way with OpenDKIM, but you can at least do it in Postfix with header_checks.

Create /etc/postfix/header_checks with:

/^DKIM-Signature: / FILTER smtp:127.0.0.1:10025

Then, in /etc/postfix/master.cf, make two changes. First, duplicate the SMTP listener so that it also listens on port 10025, but exclude the OpenDKIM milter. To the listening port, add the -o header_checks=regexp:/etc/postfix/header_checks option, e.g.

10025      inet  n       -       n       -       -       smtpd
smtp       inet  n       -       n       -       -       smtpd
        -o header_checks=regexp:/etc/postfix/header_checks
        -o smtpd_milters=inet:localhost:8891

Obviously change this to the submission port (587) and preserve any other flags, as appropriate to your situation.

tater
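A small offline check of the header_checks approach above, added here as an example (it is not code from the answer or from Postfix): it parses the regexp table, applies it to each unfolded header the way Postfix header_checks does (first match wins, case-insensitive unless the i flag is set), and reports which domain already signed the message. The two sample messages and the client.example domain are constructed.

```python
import re

# Constructed copy of the header_checks table from the answer above.
HEADER_CHECKS = "/^DKIM-Signature: /   FILTER smtp:127.0.0.1:10025\n"

# Constructed sample: already signed by the client's own domain (d=client.example).
SIGNED_BY_CLIENT = ("From: billing@client.example\nTo: bob@example.net\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=client.example; s=sel1;\n"
    "\th=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=\nSubject: invoice\n\nbody\n")
UNSIGNED = "From: alice@mydomain.com\nTo: bob@example.net\nSubject: hi\n\nbody\n"

# One regexp-table rule: /pattern/flags  action.  Only the '/' delimiter is handled
# here (Postfix accepts others).  Per regexp_table(5), matching is case-insensitive
# by default and the 'i' flag toggles that off.
_RULE = re.compile(r"^/((?:[^/\\]|\\.)*)/([a-z]*)\s+(.+)$")

def parse_header_checks(table):
    """Return [(compiled_pattern, action)] for a Postfix regexp: header_checks table."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action.strip()))
    return rules

def logical_headers(raw_message):
    """Unfold the header block: continuation lines (leading whitespace) stay with
    their header, so a pattern sees one logical header line as Postfix does."""
    headers = []
    for line in raw_message.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def header_checks_action(raw_message, rules):
    """First matching rule wins, as in Postfix; None means no rule matched."""
    for header in logical_headers(raw_message):
        for pattern, action in rules:
            if pattern.search(header):
                return action
    return None

def dkim_signing_domains(raw_message):
    """d= tag of every DKIM-Signature header, i.e. who already signed the mail."""
    domains = []
    for header in logical_headers(raw_message):
        if header.lower().startswith("dkim-signature:"):
            m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", header)
            domains.append(m.group(1) if m else None)
    return domains
```

Mail that is already signed is routed to the milter-free 10025 listener, while unsigned mail gets no action and stays on the path that OpenDKIM signs.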

The way with OpenDKIM is to use the parameter PeerList.

From http://www.opendkim.org/opendkim.conf.5.html: Identifies a set of "peers" that identifies clients whose connections should be accepted without processing by this filter.

My /etc/opendkim.conf contains

PeerList                refile:/etc/opendkim/trusted
ExternalIgnoreList      refile:/etc/opendkim/trusted
InternalHosts           refile:/etc/opendkim/trusted

And the file /etc/opendkim/trusted contains:

127.0.0.1
::1
localhost

This way, locally delivered mail, e.g. via fetchmail, is not signed.

Florian