wallace breaks dkim signature

Jan Kowalsky jankow at datenkollektiv.net
Tue Jun 5 11:44:21 CEST 2018


Hi Jupiter,

Thanks for your hint. In fact, this was the second consideration: to
change the order of content filters.

But in our specific setup this doesn't seem so easy - at least not for me.
But maybe you have an idea.

As far as I can see, the difference from your setup is that we use a milter
for spam detection _and_ for signing. Until now we used amavis (as a proxy
filter) and opendkim.

So the situation is that we have a prequeue content filter (rspamd) which
also signs outgoing mails - if they come from an internal domain.

For DKIM signing, rspamd can also be addressed as a content_filter.
So I tried the following.

On the normal smtpd everything goes first to the prequeue milter and
afterwards to wallace. Everything is fine.

For submission, my idea was to skip the prequeue content filter and go
directly to wallace:


submission          inet        n       -       n       -       -       smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    # overwrite the default milter - we can't do that on submission,
    # because we have to go to wallace first
    -o smtpd_milters=
    -o content_filter=smtp-wallace:[127.0.0.1]:10026


Similar to you, on reinjection from wallace to postfix I now use
rspamd as a content_filter for DKIM signing.


127.0.0.1:10027     inet        n       -       n       -       100     smtpd
    -o cleanup_service_name=cleanup_internal
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_milters=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    # hand the re-injected mail to rspamd for DKIM signing
    -o content_filter=smtp:[127.0.0.1]:2525

But now every mail incoming on smtpd goes to rspamd twice: once
as a milter (prequeue) and a second time after wallace.

I would need a way to send mails to a content filter only if, e.g.,
they come from internal domains - or not if they came from smtpd.

Is there any such possibility in postfix? I haven't found out yet whether
there is a configuration option in rspamd to avoid checking again and
only do DKIM signing.

Best regards
Jan


On 03.06.2018 at 09:49, Vuorikoski, Jupiter wrote:
> Hi.
> 
> You just need to make sure that signing happens _/LAST/_ in the milter chain 
> configured in master.cf, and if you want the header signing to not be broken, 
> cleanup any headers added _/after/_ signing (the fact that it arrives on the 
> 10029 smtp socket from amavis before submission to the final destination adds a 
> localhost received from header). Here's an example of my setup signing with 
> amavis built-in dkim capability. I have configured some magic for amavis to not 
> inject any headers itself in the signing listener so that they don't hit the 
> cleanup_internal header purge and thus break signing again. This way Wallace 
> does its thing way before the signing even happens so the body and headers are 
> intact from DKIM's point of view when transmitting the message (iirc my settings 
> are simple/simple and all of this works flawlessly).
> 
> # Filter email through Amavisd
> smtp-amavis         unix        -       -       n       -       3       smtp
>      -o smtp_data_done_timeout=1800
>      -o disable_dns_lookups=yes
>      -o smtp_send_xforward_command=yes
>      -o max_use=20
>      -o smtp_bind_address=127.0.0.1
> 
> # Listener to re-inject email from Amavisd into Postfix
> 127.0.0.1:10025     inet        n       -       n       -       100     smtpd
>      -o cleanup_service_name=cleanup_internal
>      -o content_filter=smtp-wallace:[127.0.0.1]:10026
>      -o local_recipient_maps=
>      -o relay_recipient_maps=
>      -o smtpd_restriction_classes=
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o mynetworks=127.0.0.0/8
>      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> 
> # Filter email through Wallace
> smtp-wallace        unix        -       -       n       -       3       smtp
>      -o smtp_data_done_timeout=1800
>      -o disable_dns_lookups=yes
>      -o smtp_send_xforward_command=yes
>      -o max_use=20
> 
> # Listener to re-inject email from Wallace into Postfix
> 127.0.0.1:10027     inet        n       -       n       -       100     smtpd
>      -o cleanup_service_name=cleanup_internal
>      -o content_filter=smtp-amavis-dkim:[127.0.0.1]:10028
>      -o local_recipient_maps=
>      -o relay_recipient_maps=
>      -o smtpd_restriction_classes=
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o mynetworks=127.0.0.0/8
>      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> 
> # Send mail second time to amavis for DKIM
> smtp-amavis-dkim         unix        -       -       n       -       3       smtp
>      -o smtp_data_done_timeout=1800
>      -o disable_dns_lookups=yes
>      -o smtp_send_xforward_command=yes
>      -o max_use=20
>      -o smtp_bind_address=127.0.0.1
> 
> # Listener to re-inject email from DKIM signing
> 127.0.0.1:10029     inet        n       -       n       -       100     smtpd
>      -o cleanup_service_name=cleanup_internal
>      -o content_filter=
>      -o local_recipient_maps=
>      -o relay_recipient_maps=
>      -o smtpd_restriction_classes=
>      -o smtpd_client_restrictions=
>      -o smtpd_helo_restrictions=
>      -o smtpd_sender_restrictions=
>      -o smtpd_recipient_restrictions=permit_mynetworks,reject
>      -o mynetworks=127.0.0.0/8
>      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> 

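The whole thread turns on one question: which changes a downstream hop (a re-injection listener, a cleanup header purge, a body-rewriting filter) can make to a message after it was DKIM-signed without invalidating the signature. The following checker is an added illustration and not code from this thread, from Kolab/Wallace, rspamd, amavis or Postfix. It recomputes the bh= body hash and the canonical form of the h= header fields (the two inputs RFC 6376 signs) and then applies the three kinds of change discussed above to a constructed sample message. The sample message, domain, selector and the b= placeholder are made up; no key, RSA verification or DNS lookup is involved, so it reports only whether the signed input survived, not whether a real signature verifies.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    if mode == "relaxed":  # collapse SP/TAB runs to one SP, drop trailing WSP per line
        body = CRLF.join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t")
                         for ln in body.split(CRLF))
    while body.endswith(CRLF):  # ignore all empty lines at the end of the body
        body = body[:-2]
    if body or mode == "simple":  # simple: an empty body hashes as a single CRLF
        body += CRLF
    return body

def body_hash(body: bytes, mode: str) -> str:
    """bh= value for a=rsa-sha256: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def canonicalize_header(name: bytes, value: bytes, mode: str) -> bytes:
    """Header canonicalization per RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed)."""
    if mode == "relaxed":  # lowercase name, unfold, collapse WSP, strip WSP at the colon
        value = re.sub(rb"[ \t]+", b" ", value.replace(CRLF, b"")).strip(b" \t")
        return name.lower() + b":" + value + CRLF
    return name + b":" + value + CRLF

def split_message(raw: bytes):
    """Return ([(name, raw value)], body); folded lines stay attached to their field."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + CRLF + line)
        else:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value))
    return headers, body

def parse_dkim_tags(value: bytes) -> dict:
    """tag=value list of a DKIM-Signature field; FWS may appear anywhere (RFC 6376 3.2)."""
    items = (i.partition(b"=") for i in re.sub(rb"\s+", b"", value).split(b";") if i)
    return {k.decode(): v.decode() for k, _, v in items}

def dkim_tags(headers) -> dict:
    # tags of the topmost DKIM-Signature field, or {} when the message has none
    return parse_dkim_tags(next((v for n, v in headers if n.lower() == b"dkim-signature"), b""))

def check_body_hash(raw: bytes) -> bool:
    """True when bh= still matches the body as received (nothing rewrote it after signing)."""
    headers, body = split_message(raw)
    tags = dkim_tags(headers)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return "bh" in tags and tags["bh"] == body_hash(body, body_mode)

def signed_header_digest(raw: bytes) -> str:
    """SHA-256 over the canonical h= fields, chosen bottom-up (RFC 6376 5.4.2): the header
    part of the b= input. A signed field that went missing contributes nothing, so purging
    it changes the digest (and so breaks b=); fields outside h= never matter."""
    headers, _ = split_message(raw)
    tags = dkim_tags(headers)
    mode = tags.get("c", "simple").partition("/")[0]
    used, h = set(), hashlib.sha256()
    for name in tags.get("h", "").lower().encode().split(b":"):
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                used.add(i)
                h.update(canonicalize_header(*headers[i], mode))
                break
    return h.hexdigest()

def build_sample_message() -> bytes:
    """Constructed sample: bh= is computed here, b= is a placeholder (no key, RSA or DNS),
    domain and selector are made up."""
    body = b"Hello,\r\n\r\nthe DKIM  body hash covers this text.\r\n\r\n\r\n"
    sig = (b" v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2018;\r\n"
           b"\th=from:to:subject:date; bh=" + body_hash(body, "relaxed").encode()
           + b";\r\n\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE")
    headers = [(b"DKIM-Signature", sig), (b"From", b" Jan <jan@example.org>"),
               (b"To", b" users@example.net"), (b"Subject", b" wallace breaks dkim signature"),
               (b"Date", b" Tue, 5 Jun 2018 11:44:21 +0200")]
    return b"".join(n + b":" + v + CRLF for n, v in headers) + CRLF + body

def add_received(raw: bytes) -> bytes:  # every re-injection hop prepends a trace field
    return b"Received: from localhost (localhost [127.0.0.1])\r\n\tby mx.example.org\r\n" + raw

def drop_header(raw: bytes, name: bytes) -> bytes:  # what a header purge does
    head, _, body = raw.partition(CRLF + CRLF)
    kept, skip = [], False
    for line in head.split(CRLF):
        if line[:1] not in (b" ", b"\t"):  # folded lines share their field's fate
            skip = line.split(b":", 1)[0].strip().lower() == name.lower()
        if not skip:
            kept.append(line)
    return CRLF.join(kept) + CRLF + CRLF + body

def append_footer(raw: bytes) -> bytes:  # what a body-rewriting filter does
    return raw + b"-- \r\nThis mail was scanned.\r\n"
```

Running `check_body_hash` and `signed_header_digest` on `build_sample_message()` before and after `add_received`, `drop_header(msg, b"Subject")` and `append_footer` shows the pattern both setups rely on: an extra Received: header changes neither value, because it is not named in h=; purging a field that is in h= changes the header digest, which is exactly the cleanup_internal header-purge failure Jupiter describes; and any body rewrite after signing changes bh=. That is why the signing hop has to be the last one that touches signed headers or the body, and why re-injection listeners after it may add trace headers but must not purge signed ones.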

More information about the users mailing list