My web hosting server features a Postfix setup up and running. That Postfix is also open with STARTTLS on port 587 for authorized users (only me, myself and I right now) to send emails to any domain after signing it with DKIM.
Every email I send via Outlook authenticating myself is fine. All DMARC reports display no error. The problem is when web applications send email via that Postfix.
Since I use Apache's mod-itk for PHP hosting, all emails are generated by username@host.mydomain.com and submitted to Postfix via standard means (sendmail???). But in that way they are not DKIM-signed. Consider the following:
$ mail check-auth@verifier.port25.com
Subject: Test DKIM
Hello
.
EOT
Port25 responded:
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=djechelon@host.mydomain.com
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified:
Postfix logs don't show dkimproxy interaction.
Before posting my configuration, let's repeat the situation and ask the question.
Currently, when I send an email via SMTP/TLS on port 587 it gets DKIM-signed. When a process on the server sends an email using the mail command or PHP's built-in mail function, the mail doesn't get signed by dkimproxy.
The question is: how to sign every email coming from the server itself with dkimproxy?
Configuration is pasted to http://pastebin.ca/2374363. Please note that I have only dkimproxy.out enabled for the moment.
Answer
You added DKIM signing to the submission port only.
Postfix handles SMTP submission separately from pickup (mails submitted by the sendmail command enter Postfix via pickup).
In Postfix you should use a DKIM milter in main.cf:
smtpd_milters = inet:localhost:10027
non_smtpd_milters = inet:localhost:10027
The first line is for SMTP submission (port 587).
The second line is for mails entering via pickup.
One thing to note is that bounce messages and NDR reports generated internally by Postfix will not be DKIM-signed.
Reference: http://www.postfix.org/MILTER_README.html
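
To confirm which entry path a delivered test message took and whether it left signed, the following check can be run on the raw message; it is an added example, not part of the original question or answer. The sample messages, selector and queue IDs are constructed, and the Received patterns are the ones Postfix writes for pickup ("from userid") and authenticated SMTP ("with ESMTPSA").

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the original post).
LOCAL_UNSIGNED = """\
Received: by host.mydomain.com (Postfix, from userid 1001)
\tid 3F2A1C0E1; Mon, 10 Mar 2025 12:00:01 +0100 (CET)
From: djechelon@host.mydomain.com
Subject: Test DKIM

Hello
"""
SUBMISSION_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mydomain.com; s=selector1;
\th=from; bh=PLACEHOLDER; b=PLACEHOLDER
Received: from laptop (unknown [203.0.113.5])
\tby host.mydomain.com (Postfix) with ESMTPSA id 7B1D2C0E2;
\tMon, 10 Mar 2025 12:05:00 +0100 (CET)
From: me@mydomain.com

Hello
"""

def entry_path(msg):
    """Classify how the message first entered Postfix, from its oldest Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return "unknown"
    first_hop = " ".join(received[-1].split())  # unfold the header
    if re.search(r"\(Postfix, from userid \d+\)", first_hop):
        return "pickup"              # sendmail command / PHP mail()
    if re.search(r"\bwith E?SMTPS?A\b", first_hop):
        return "authenticated-smtp"  # e.g. port 587 with SASL
    return "smtp" if " with " in first_hop else "unknown"

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header."""
    sigs = msg.get_all("DKIM-Signature") or []
    found = (re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", s) for s in sigs)
    return [m.group(1).lower() for m in found if m]

def audit(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    domains = dkim_domains(msg)
    # Simplification: d= "covers" From when equal or a parent domain. Real DMARC
    # relaxed alignment compares organizational domains (public suffix list).
    covers = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
    return {"path": entry_path(msg), "signed": bool(domains), "covers_from": covers}
```

A message reported as `pickup` with `signed: False` is the case described in the question; after the configuration change, the same test should report `signed: True`.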