my first approach with "opendkim" does not work as "opendkim" uses
milter and Ciphermail is a content filter. Milters are applied before
content filters and the S/MIME signature modifies the body of the mail
with the signature. This invalidates the DKIM signature. Took me a day
to figure this out as I was not aware of the described processing order.
Finally I found this out just by reading the (previously ignored)
headlines of Postfix After-Queue Content Filter and
www.postfix.org/MILTER_README.html
Adding the DKIM milter on the reinjection port(s) should work. After
handling the mail (i.e., encryption/decryption etc), the back-end sends
the mail back to postfix on a "reinjection port" (port 10026).
I haven't tested it but the following might work:
See the following line in master under the 127.0.0.1:10026 section:
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
You should change this line to something like:
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_milters=REPLACEWITHDKIMMILTER
This should enable the DKIM milter after the message has been
encrypted/decrypted/signed.
Again, I have not tested this but this should work (might need some minimal
changes though).
Then again, your suggestion of using dkimproxy is also a good alternative
until DKIM support has been added to CipherMail*.
Kind regards,
Martijn Brinkers
* "native" DKIM support is basically working but not enabled for all
SMTP outgoing mail. We will see whether we can make it possible to
enable this for all outgoing email.
On 03/27/2016 04:07 PM, Matthias Henze wrote:
See postfix_dkim_support [MHC SoftWare Wiki] (sorry, German) for
details.
cheers
Matthias
On 24.03.2016 at 20:35, Matthias Henze wrote:
Hi,
my mail server (Kerio) can apply DKIM signatures. Piping DKIM signed
mails through Ciphermail disrupts the validity of the DKIM signatures.
Postfix on the Ciphermail server has to apply the DKIM signature after
the mail was processed by Ciphermail. This could be achieved by following
these howtos:
How To Install and Configure DKIM with Postfix on Debian Wheezy | DigitalOcean
Record of the UNIX Wars: Email fun: 8BITMIME and DKIM body authentication failure
The second is required at my site because without it mails sent by
Thunderbird fail validation by remote servers. My master.cf now looks
like this:
smtp inet n - - - - smtpd
    -o message_size_limit=${djigzo_before_filter_message_size_limit}
    -o content_filter=smtp-downconvert:127.0.0.1:10026
pickup fifo n - - 60 1 pickup
...
...
...
# cleanup for reinject so we can set the hopcount_limit differently for the reinjection port
cleanup_reinject unix n - - - 0 cleanup
    -o hopcount_limit=100
smtp-downconvert unix - - - - 2 smtp
    -o smtp_discard_ehlo_keywords=8bitmime,silent-discard
127.0.0.1:10026 inet n - n - 10 smtpd
    -o content_filter=
...
...
...
Suggestion: Add a DKIM config option to Ciphermail
cheers
Matthias
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
Twitter: http://twitter.com/CipherMail
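
Added example (not part of the original thread, and not CipherMail or Postfix code): why the processing order discussed above matters. It recomputes the DKIM body hash (bh=) with RFC 6376 "relaxed" canonicalization for a constructed sample body, before and after the kinds of rewriting the thread mentions. The sample body, the boundary string and the helper names are assumptions made for illustration.

```python
import base64
import hashlib
import quopri
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs to one space, then drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer stores in bh= and a verifier recomputes (sha256)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def smime_wrap(body: bytes) -> bytes:
    """Constructed stand-in for a multipart/signed body; signature is a placeholder."""
    return (b"--sig-boundary\r\nContent-Type: text/plain\r\n\r\n" + body +
            b"\r\n--sig-boundary\r\n"
            b"Content-Type: application/pkcs7-signature\r\n\r\n"
            b"PLACEHOLDER\r\n--sig-boundary--\r\n")

# Constructed sample body, as a DKIM milter would see it before the content filter.
ORIGINAL = "Viele Gr\u00fc\u00dfe,\r\nAlice\r\n".encode("utf-8")

def report() -> dict:
    """Map each rewrite to True if a bh= computed over ORIGINAL still verifies."""
    signed_bh = body_hash(ORIGINAL)
    variants = {
        "unchanged": ORIGINAL,
        "trailing whitespace only": ORIGINAL.replace(b",\r\n", b", \t\r\n") + b"\r\n\r\n",
        "after S/MIME signing": smime_wrap(ORIGINAL),
        "after 8bit to quoted-printable": quopri.encodestring(ORIGINAL),
    }
    return {name: body_hash(b) == signed_bh for name, b in variants.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:32} bh {'matches' if ok else 'MISMATCH'}")
```

Relaxed canonicalization absorbs whitespace-only changes, but anything that wraps or re-encodes the body changes bh=, so the DKIM signature has to be applied after those steps.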