spam: Enable DKIM processing
authorAlex Dehnert <alex@dehnerts.com>
Sun, 10 Jul 2022 23:08:39 +0000 (19:08 -0400)
committerAlex Dehnert <alex@dehnerts.com>
Sun, 10 Jul 2022 23:08:39 +0000 (19:08 -0400)
- Add OpenDKIM as a milter to do signing and verification
- Switch to after-queue filtering (content_filter), because apparently
  smtpd_proxy_filter prevents milters from getting the message DATA[1]. This
  means if the spam filter rejects the message, we need to send a bounce,
  rather than returning it in the same session, but I don't think I currently
  have SpamAssassin rejecting anything, so that seems okay.

[1] https://mailing.postfix.users.narkive.com/8CT5J48q/milter-and-smtpd-proxy-filter

main.cf
master.cf

diff --git a/main.cf b/main.cf
index c068fdccd36b6710bd09ab4e65a111d00b845b99..52386e961b74f0ddebd38d1744fedb628b84f1e8 100644 (file)
--- a/main.cf
+++ b/main.cf
@@ -278,6 +278,17 @@ smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
+# Milter configuration
+# Based on https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/#testing-postfix-dkim-on-debian-9-with-a-gmail-test
+# http://www.opendkim.org/opendkim-README
+# http://www.postfix.org/MILTER_README.html
+# OpenDKIM
+milter_default_action = accept
+# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
+milter_protocol = 6
+smtpd_milters = unix:opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+
 # Alex Dehnert, 2017-11-01
 # Based on https://serverfault.com/questions/663979/virtual-alias-domains-how-to-use-different-ip-addresses-when-forwarding-mail
 
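Review bot: `milter_default_action = accept` makes the OpenDKIM milter fail open, and nothing in the added block says that this is intended. If the socket at `unix:opendkim/opendkim.sock` is missing or the daemon errors or times out, inbound mail is accepted without verification and outbound mail leaves unsigned, which can go unnoticed until receivers start treating the domain's mail as unauthenticated. If the trade-off is deliberate, record it next to the setting, e.g. `# Fail open: deliver unsigned/unverified if OpenDKIM is down (tempfail would defer instead)`, and alert on milter connection errors in the mail log. Because `non_smtpd_milters` reuses the same socket, the same behaviour applies to locally submitted mail.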
index 139b297f2843d784b26d1a3e09f9d79af294ea30..9a30e9adb20b05d154b74617ae5e019dab40f731 100644 (file)
--- a/master.cf
+++ b/master.cf
@@ -19,7 +19,7 @@ submission inet  n       -       y       -       -       smtpd
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
-    -o smtpd_proxy_filter=127.0.0.1:10025
+    -o content_filter=smtp:127.0.0.1:10025
     -o smtpd_client_connection_count_limit=15
 pickup     fifo  n       -       y       60      1       pickup
 cleanup    unix  n       -       y       -       0       cleanup
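Review bot: With `content_filter=smtp:127.0.0.1:10025` the milter signs the message in smtpd before it travels through the filter, so anything that alters the message on that leg invalidates the new signature (and any inbound signature that a downstream hop re-checks). The stock `smtp` transport converts 8-bit MIME to quoted-printable when the next hop does not announce 8BITMIME; whether the filter on port 10025 announces it is not visible here. Postfix's FILTER_README covers this with a dedicated filter transport carrying `-o disable_mime_output_conversion=yes` (plus `-o smtp_send_xforward_command=yes`, so the 10026 listener still logs the original client), referenced as `content_filter=scan:127.0.0.1:10025`, where `scan` is the README's example name. The same applies to the `smtp inet` service changed in the later hunk, and the filter itself should only add headers rather than rewrite the Subject or body.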
@@ -35,6 +35,7 @@ flush      unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 #smtp      inet  n       -       -       -       -       smtpd
+
 #
 # Before-filter SMTP server. Receive mail from the network and
 # pass it to the content filter on localhost port 10025.
@@ -48,7 +49,7 @@ smtp       unix  -       -       y       -       -       smtp
 # on localhost port 10026.
 #
 smtp       inet  n       -       y       -       5       smtpd
-    -o smtpd_proxy_filter=127.0.0.1:10025
+    -o content_filter=smtp:127.0.0.1:10025
     -o smtpd_client_connection_count_limit=15
 127.0.0.1:10026 inet n  -       n       -        -      smtpd
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
@@ -58,7 +59,7 @@ smtp       inet  n       -       y       -       5       smtpd
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o mynetworks=127.0.0.0/8
-        -o receive_override_options=no_unknown_recipient_checks
+        -o receive_override_options=no_unknown_recipient_checks,no_milters
 
 smtp-forward    unix  -  -   n       -       -       smtp -o smtp_bind_address=18.102.208.11
 smtp-local      unix  -  -   n       -       -       smtp -o smtp_bind_address=18.102.208.44
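Review bot: The added `no_milters` on the re-injection listener is undocumented, and it means anything accepted on 127.0.0.1:10026 now skips OpenDKIM as well as the content filter. The options visible in this hunk (`mynetworks=127.0.0.0/8`, `smtpd_recipient_restrictions=permit_mynetworks,reject`) limit that to loopback clients, but the reason deserves a comment above the option, e.g. `# no_milters: already signed/verified on the first pass; avoid double DKIM processing`. The listener's definition begins in the previous hunk, so its remaining options were not reviewed here.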