From 86afbcb7ac76b8a0cbc993c993a58da3591b3a69 Mon Sep 17 00:00:00 2001
From: Alex Dehnert
Date: Sun, 10 Jul 2022 19:08:39 -0400
Subject: [PATCH] spam: Enable DKIM processing

- Add OpenDKIM as a milter to do signing and verification
- Switch to after-queue filtering (content_filter), because apparently smtpd_proxy_filter prevents milters from getting the message DATA[1]. This means if the spam filter rejects the message, we need to send a bounce, rather than returning it in the same session, but I don't think I currently have SpamAssassin rejecting anything, so that seems okay.
[1] https://mailing.postfix.users.narkive.com/8CT5J48q/milter-and-smtpd-proxy-filter
---
 main.cf | 11 +++++++++++
 master.cf | 7 ++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/main.cf b/main.cf
index c068fdc..52386e9 100644
--- a/main.cf
+++ b/main.cf
@@ -278,6 +278,17 @@ smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# Milter configuration
+# Based on https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/#testing-postfix-dkim-on-debian-9-with-a-gmail-test
+# http://www.opendkim.org/opendkim-README
+# http://www.postfix.org/MILTER_README.html
+# OpenDKIM
+milter_default_action = accept
+# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
+milter_protocol = 6
+smtpd_milters = unix:opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+
 # Alex Dehnert, 2017-11-01
 # Based on https://serverfault.com/questions/663979/virtual-alias-domains-how-to-use-different-ip-addresses-when-forwarding-mail
diff --git a/master.cf b/master.cf
index 139b297..9a30e9a 100644
--- a/master.cf
+++ b/master.cf
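Review bot: `milter_default_action = accept` in the main.cf hunk makes the OpenDKIM hop fail open: if the socket at `unix:opendkim/opendkim.sock` is missing or the daemon errors out, Postfix handles the message as if no milter were configured, so outbound mail leaves unsigned and inbound mail gets no verification result, with only a log warning to show for it. If the sending domains publish a strict DMARC policy, `milter_default_action = tempfail` is the safer setting, since mail is deferred until signing works again; if fail-open is intended, record it in a comment such as `# fail open: deliver unsigned/unverified if OpenDKIM is down; alert on milter warnings in the mail log`. The relative socket path appears to be resolved inside the Postfix queue directory, so a one-line comment on where OpenDKIM must create the socket and which group needs access to it would help the next reader.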
@@ -19,7 +19,7 @@ submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
- -o smtpd_proxy_filter=127.0.0.1:10025
+ -o content_filter=smtp:127.0.0.1:10025
  -o smtpd_client_connection_count_limit=15
 pickup fifo n - y 60 1 pickup
 cleanup unix n - y - 0 cleanup
@@ -35,6 +35,7 @@ flush unix n - y 1000? 0 flush
 proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
 #smtp inet n - - - - smtpd
+
 #
 # Before-filter SMTP server. Receive mail from the network and
 # pass it to the content filter on localhost port 10025.
@@ -48,7 +49,7 @@ smtp unix - - y - - smtp
 # on localhost port 10026.
 #
 smtp inet n - y - 5 smtpd
- -o smtpd_proxy_filter=127.0.0.1:10025
+ -o content_filter=smtp:127.0.0.1:10025
  -o smtpd_client_connection_count_limit=15
 127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
@@ -58,7 +59,7 @@ smtp inet n - y - 5 smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
- -o receive_override_options=no_unknown_recipient_checks
+ -o receive_override_options=no_unknown_recipient_checks,no_milters
 smtp-forward unix - - n - - smtp -o smtp_bind_address=18.102.208.11
 smtp-local unix - - n - - smtp -o smtp_bind_address=18.102.208.44
--
2.34.1
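Review bot: `-o content_filter=smtp:127.0.0.1:10025` (on the submission service here, and again on the `smtp inet` service in the third hunk) hands already-signed mail to the filter through the stock `smtp` client, which may re-encode 8-bit bodies as quoted-printable when the filter on port 10025 does not announce 8BITMIME; because OpenDKIM signs in smtpd before the message is queued, that conversion would invalidate the body hash. Postfix's FILTER_README uses a dedicated transport with `disable_mime_output_conversion=yes` for this reason, plus `smtp_send_xforward_command=yes` so the filter and the 10026 listener (which already authorizes XFORWARD from 127.0.0.0/8) keep the original client details in their logs. Whether the filter announces 8BITMIME is not visible from this diff, so treat this as something to verify; the same ordering also means any filter rule that rewrites the Subject or body of outbound mail will break the signature. The submission service definition starts above the first hunk.

```conf
# … unchanged: submission and smtp inet service options …
  -o content_filter=scan:127.0.0.1:10025
# Dedicated client for the hop to the after-queue filter
scan unix - - n - - smtp
  -o smtp_send_xforward_command=yes
  -o disable_mime_output_conversion=yes
  -o smtp_generic_maps=
```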
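Review bot: The `no_milters` addition in the last hunk has no explanation next to it, yet it is the setting that keeps OpenDKIM from running a second time when the filter re-injects mail on 127.0.0.1:10026. A comment line above that service would record the intent, for example `# no_milters: already signed/verified on first pass; do not run OpenDKIM again on re-injection`. The service definition starts in the previous hunk and part of its option list lies outside both hunks.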