
DKIM auth_only

Open Safari77 opened this issue 10 years ago • 3 comments

With "auth_only = yes", rmilter does not add dkim in these cases:

  1. user connects to postfix submission port and authenticates using certificate
  2. local user executes /usr/sbin/sendmail.postfix (e.g., using mutt)

For 1), can a feature in rmilter be implemented that checks {cert_subject}, since postfix does not write {auth_authen} into milter? I have allowed only postfix to access rmilter at 127.0.0.1:6666.

  1. ... this sucks, milter protocol sucks


Safari77 avatar Nov 08 '15 15:11 Safari77

Cert subject might be set up by a remote connection as well if it is trusted (e.g. by means of DANE or PKI). Hence, this value cannot be used. Moreover, the auth_ssf macro, which specifies some mystery 'encryption bits' in sendmail, is not present in Postfix. Therefore, I see no way to solve your problem without deep patching of the MTA. The only thing I do is to set up a special map of IP networks for which all mail should be signed regardless of authentication.

vstakhov avatar Nov 10 '15 15:11 vstakhov

I had the same problem – took me some time to figure out that I could try auth_only = no; Logging would be appreciated

basbebe avatar Dec 25 '15 11:12 basbebe

There is now an option called sign_networks, which is intended to contain IPs or networks for which rmilter should perform DKIM signing.

vstakhov avatar Jan 18 '16 13:01 vstakhov
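
An added example, not part of the thread and not rmilter's own code: a small Python model of the signing decision discussed above, showing why the two reported cases are skipped under auth_only = yes and what a sign_networks entry changes. The function name, the sample addresses, the assumption that auth_only = no signs regardless of authentication, and the assumption that locally submitted mail is presented to the milter as coming from 127.0.0.1 are all illustrative; domain and key selection are left out.

```python
import ipaddress

def should_sign(auth_only, macros, client_ip, sign_networks=()):
    """Model of the decision in this thread; returns (sign?, reason).

    macros: milter macros seen for the message (constructed sample data).
    {cert_subject} is deliberately ignored: as noted in the thread, it can
    also be set for a trusted remote connection, so it proves nothing about
    the sender being a local user.
    """
    ip = ipaddress.ip_address(client_ip)
    for net in sign_networks:
        # Anything inside a listed network is signed regardless of auth,
        # so entries should be as narrow as possible.
        if ip in ipaddress.ip_network(net, strict=False):
            return True, f"client {ip} is inside sign_networks entry {net}"
    if not auth_only:
        return True, "auth_only = no"
    if macros.get("{auth_authen}"):
        return True, "{auth_authen} macro present"
    return False, "auth_only = yes and no {auth_authen} macro"

# Constructed sample sessions matching the cases in the issue.
CASES = [
    ("SASL login on submission", {"{auth_authen}": "alice"}, "203.0.113.10"),
    ("client certificate on submission",
     {"{cert_subject}": "client.example"}, "203.0.113.11"),
    ("local sendmail (e.g. mutt)", {}, "127.0.0.1"),
]

def report(auth_only, sign_networks=()):
    """Evaluate every sample case and return (label, sign?, reason) rows."""
    rows = []
    for label, macros, ip in CASES:
        sign, reason = should_sign(auth_only, macros, ip, sign_networks)
        rows.append((label, sign, reason))
    return rows

if __name__ == "__main__":
    for nets in ((), ("127.0.0.0/8",)):
        print(f"auth_only = yes, sign_networks = {list(nets)}")
        for label, sign, reason in report(True, nets):
            print(f"  {label:34} sign={sign!s:5} ({reason})")
```

In this model a loopback entry covers the local sendmail case only; the certificate-authenticated client is still unsigned unless its own network is listed, which then applies to every sender in that network.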