Discussion:
DKIM and Amavis
Peter Tselios
2012-03-06 06:44:04 UTC
Is it possible to handle DKIM via amavis?

If so, is it possible to sign only SASL authenticated outgoing messages? 
My setup is postfix + Amavis + opendkim.

B/R
Peter
Mark Martinec
2012-03-06 14:17:37 UTC
Post by Peter Tselios
Is it possible to handle DKIM via amavis?
Yes, since version 2.6.0, with some improvements in later versions.
Post by Peter Tselios
If so, is it possible to sign only SASL authenticated outgoing messages?
My setup is postfix + Amavis + opendkim.
Signing can be enabled/disabled by a policy bank, so the idea is to let
an MTA route messages which should be signed to a dedicated content
filtering port, where the policy bank can adjust the settings accordingly.

With version 2.7.0 the $enable_dkim_signing can be adjusted
by a policy bank:

- settings $enable_dkim_verification and $enable_dkim_signing are now
  dynamic, i.e. became members of policy banks, thus facilitating
  selectively enabling or disabling these features on a policy bank basis;


For example:

$enable_dkim_signing = 0;

$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  enable_dkim_signing => 1,
};


With earlier versions the same can be accomplished through
a @dkim_signature_options_bysender_maps setting, which was
always dynamic (i.e. configurable through policy banks).
Post by Peter Tselios
If so, is it possible to sign only SASL authenticated outgoing messages?
Btw, even without any special settings, amavisd generates DKIM signatures
only for non-spam messages with the $originating flag on, which (depending
on an MTA setup) only applies to authorized mail submission, either
through the client's IP address being in @mynetworks, or for authenticated
(e.g. SASL) roaming users.

Mark
Peter Tselios
2012-03-06 19:51:38 UTC
Mark, I am impressed...
Let me put it in a simpler context, in order to see if I understood that correctly.
1. It is possible
2. In order to do so, I need to copy/paste your example

And finally (I need your help here):
3. Configure Postfix to write the ORIGINATING header?
Mark Martinec
2012-03-07 15:03:56 UTC
Peter,
Post by Peter Tselios
Let me put it in a simpler context, in order to see
if I understood that correctly.
1. It is possible
2. In order to do so, I need to copy/paste your example
Yes, assuming you are using 2.7.0.

You also need to prepare DKIM keys, publish their public component,
and let amavisd know where to find a private key.

See
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

This is also documented in release notes, search for:
"QUICK START TO DKIM SIGNING" (and "QUICK START TO DKIM VERIFICATION")
in the 2.6.0 section.
Post by Peter Tselios
3. Configure Postfix to write the ORIGINATING header?
Actually: configure Postfix to use a content filter on port 10026
for authenticated mail, and on port 10024 otherwise
(or pick any two unused port numbers to your liking).

Something like the setup described here should do:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path

If for some reason you don't like a mail originating from mynetworks
to count as authenticated, just move the permit_mynetworks up to the
first position in the smtpd_sender_restrictions (referring to the
example in the amavisd-new-docs.html#dkim-postfix-dual-path section).


Btw, if using amavisd as a pre-queue content filter (smtpd_proxy_filter),
things can get more complicated, as it is prudent to DKIM-sign mail
late in the mail processing, after an MTA does its job on mail
sanitation (adding missing header fields like Date and Message-ID,
or QP-encoding nonencoded 8-bit mail parts), and canonicalizations
(like adjusting domains in a From header field). To accomplish
this, a pre-queue filter should only do its contents filtering
and DKIM signature validation, but no signing. A clean mail
which needs to be signed can at the end be fed to a dedicated
content filtering port where amavisd would only do its DKIM
signing, with all other contents checking disabled.

Mark
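A combined worked configuration for the dual-path setup described in this thread, added here as an illustration and not taken from the thread or from the amavisd documentation; the domain, selector, key path, port numbers and the master.cf lines quoted in the comments are assumptions.

```perl
# amavisd.conf fragment (Perl syntax). Assumed: domain example.com,
# selector "sel2012", key file path and the two port numbers.
#
# Postfix side (assumed, master.cf): the submission service carries
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#   -o content_filter=smtp-amavis:[127.0.0.1]:10026
# while main.cf keeps  content_filter = smtp-amavis:[127.0.0.1]:10024
# for everything else, so only SASL-authenticated submissions ever
# reach the ORIGINATING policy bank below.

$inet_socket_port = [10024, 10026];   # listen on both filtering ports

# Defaults, i.e. port 10024: inbound mail gets its DKIM signatures
# verified but is never signed.
$enable_dkim_verification = 1;
$enable_dkim_signing      = 0;

# Mail arriving on 10026 came through the submission service.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating         => 1,   # mail is ours; a precondition for signing
  enable_dkim_signing => 1,   # 2.7.0+: signing is a policy-bank member
  # amavisd still skips signing for mail it classifies as spam.
};

# Private signing key; the matching public key is published in DNS as
# sel2012._domainkey.example.com  TXT  "v=DKIM1; p=<public key>"
dkim_key('example.com', 'sel2012', '/var/db/dkim/example.com.sel2012.pem');

# Signature options per sender domain. On 2.6.x, where
# $enable_dkim_signing is not yet bank-dynamic, this map (which was
# always dynamic) is the place to restrict signing to the bank.
@dkim_signature_options_bysender_maps = ( {
  'example.com' => { d => 'example.com', a => 'rsa-sha256',
                     c => 'relaxed/simple', ttl => 21*24*3600 },
} );

1;  # amavisd.conf must return true
```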