Saturday, February 17, 2018

postfix - Effective configuration of dkimproxy in multiple-domain scenario




I have a postfix/dkimproxy setup that doesn't work the way I like.



I have exampledomain.org with SPF allowing mail only from server.exampledomain.org (rDNS mapped correctly), which is also aliased as smtp.exampledomain.org.



Currently, web applications running on the server use Postfix's built-in sendmail command when sending outbound emails. These emails come from wwwrun@server.exampledomain.org and they are properly DKIM-signed. That is correct!



When a user with @exampledomain.org (me!!) sends mail from Outlook, it connects to smtp.exampledomain.org and authenticates after the STARTTLS command. Unfortunately, emails are not DKIM-signed. Logs show that the email is automatically relayed and doesn't go through dkimproxy. dkimproxy is configured as follows:



# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027


# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain server.exampledomain.org,exampledomain.org

# specify what signatures to add
signature dkim(c=simple)
signature domainkeys(c=nofws)


# specify location of the private key
keyfile /etc/ssl/private/dkim_server/dkim_server.key


# specify the selector (i.e. the name of the key record put in DNS)
selector server


DNS TXT records are already set.




Postfix is configured with a large master.cf file that I won't paste in its entirety. The relevant lines are:



#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DomainKeys signing filter
#
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8


The question is: why doesn't mail coming from outside get processed by dkimproxy?


Answer



You need to make sure that Outlook is connecting to the submission port (port 587), instead of port 25. This is because the Postfix configuration works by signing mail received on port 587 (i.e. from your clients sending outgoing mail), but not mail received on port 25 (because this is mail being delivered to your server by other MTAs). This is implemented by the content_filter line in main.cf, which you'll note is present in the submission inet definition, but not the smtp inet definition.
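A quick way to confirm the point made in the answer without reading a large master.cf by eye is to parse it and list, for every inet listener that runs smtpd, which content_filter it applies. The script below is an added example, not code from the question or the answer; its sample input is a constructed fragment built from the entries in the question, with the `-o` continuation lines indented as master.cf requires and an assumed stock `smtp inet ... smtpd` entry for port 25 added so the contrast is visible.

```python
"""Which Postfix listeners route mail through the DKIM signing filter?

Added example (not from the original post): parse a master.cf fragment and
report, per inet service running smtpd, the content_filter it applies.  A
client that connects to a listener with no content_filter (the port 25
'smtp' entry here) bypasses dkimproxy entirely, which is the symptom in
the question.
"""

# Constructed sample input: the submission/dksign/10028 entries from the
# question, plus an assumed stock 'smtp' entry for port 25.  Continuation
# lines must start with whitespace, as master.cf requires.
SAMPLE_MASTER_CF = """\
# port 25: mail from other MTAs, no signing filter
smtp      inet  n       -       n       -       -       smtpd
# port 587: authenticated clients, routed through dkimproxy
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign    unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""


def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their
    entry; drop blank lines and comments, as Postfix does."""
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line with no entry: {raw!r}")
            current += " " + stripped
        else:
            if current is not None:
                yield current
            current = stripped
    if current is not None:
        yield current


def parse_master_cf(text):
    """Return a list of service dicts: name, type, command, '-o' overrides."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        name, stype, _priv, _unpriv, _chroot, _wakeup, _maxproc, command = fields[:8]
        options = {}
        args = fields[8:]
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                options[key] = value      # '' when written as '-o content_filter='
                i += 2
            else:
                i += 1                    # other command arguments (e.g. -v)
        services.append({"name": name, "type": stype, "command": command,
                         "options": options})
    return services


def listener_filters(services):
    """Map each inet listener running smtpd to its content_filter ('' = none)."""
    return {s["name"]: s["options"].get("content_filter", "")
            for s in services if s["type"] == "inet" and s["command"] == "smtpd"}


def listeners_through(services, filter_service):
    """Names of smtpd listeners whose content_filter hands mail to filter_service."""
    return [name for name, cf in listener_filters(services).items()
            if cf.split(":", 1)[0] == filter_service]


if __name__ == "__main__":
    svc = parse_master_cf(SAMPLE_MASTER_CF)
    for name, cf in listener_filters(svc).items():
        print(f"{name:18} content_filter={cf or '(none)'}")
    print("signed via dksign:", listeners_through(svc, "dksign"))
```

One caveat the parser cannot see: a global `content_filter` set in main.cf applies to every listener that does not override it in master.cf, so on a live box confirm both halves with `postconf -n content_filter` and `postconf -Mf smtp/inet submission/inet`. If the port 25 listener should also sign (for example for authenticated clients that insist on port 25), give it the same `-o content_filter=dksign:[127.0.0.1]:10027` override rather than the global setting, so that inbound mail from other MTAs is not signed with your key.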


