my first approach with "opendkim" does not work as "opendkim" uses
milter and Ciphermail is a content filter. Milters are applied before
content filters and the S/MIME signature modifies the body of the mail
with the signature. This invalidates the DKIM signature. Took me a day
to figure this out as I was not aware of the described processing order.
Finally I found this out just by reading the (previously ignored)
headlines of http://www.postfix.org/FILTER_README.html and
Adding the DKIM milter on the reinjection port(s) should work. After
handling the mail (i.e., encryption/decryption etc), the back-end sends
the mail back to postfix on a "reinjection port" (port 10026).
I haven't tested it but the following might work:
See the following line in master under the 127.0.0.1:10026 section:
You should change this line to something like:
This should enable the DKIM milter after the message has been
Again, I have not tested this but this should work (might some minimal
Then again, your suggestion of using dkimproxy is also a good alternative
until DKIM support has been added to CipherMail*.
* "native" DKIM support is basically working but not enabled for all
SMTP outgoing mail. We will see whether we can make it possible to
enable this for all outgoing email.
On 03/27/2016 04:07 PM, Matthias Henze wrote:
See https://wiki.mhcsoftware.de/postfix_dkim_support (sorry, German) for
On 24.03.2016 at 20:35, Matthias Henze wrote:
my mail server (Kerio) can apply DKIM signatures. Piping DKIM signed
mails through Ciphermail disrupts the validity of the DKIM signatures.
Postfix on the Ciphermail server has to apply the DKIM signature after
the mail was processed by Ciphermail. This could be achieved by following
The second is required at my site because without it mails sent by
Thunderbird fail validation by remote servers. My master.cf now looks
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
# cleanup for reinject so we can set the hopcount_limit differently for
# the reinjection port
cleanup_reinject unix n - - - 0 cleanup
smtp-downconvert unix - - - - 2 smtp
127.0.0.1:10026 inet n - n - 10 smtpd
Suggestion: Add a DKIM config option to Ciphermail
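Why the signing order discussed in this thread matters, as an added example that is not part of the original messages: it computes the DKIM body hash (the bh= tag, RFC 6376 relaxed canonicalization, SHA-256) when signing happens before a content filter and when it happens after it. The function names, the sample body and the `smime_wrap` stand-in for the S/MIME step are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: body as it arrives at Postfix, before any filtering.
ORIGINAL = b"Hello Bob,\r\n\r\nthe invoice is attached.\r\n"
# Constructed sample: same text with whitespace-only changes in transit.
REWRAPPED = b"Hello  Bob, \r\n\r\nthe invoice is attached.\r\n\r\n\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of WSP to one space, drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer places in bh= and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def smime_wrap(body: bytes) -> bytes:
    """Hypothetical stand-in for the content filter: wraps the body in a
    multipart/signed structure with a placeholder signature part."""
    return (b"--b1\r\nContent-Type: text/plain\r\n\r\n" + body +
            b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\n"
            b"PLACEHOLDER-SIGNATURE\r\n--b1--\r\n")


def bh_matches_on_delivery(sign_stage: str) -> bool:
    """'milter' signs before the content filter, 'reinject' signs after it."""
    if sign_stage == "milter":
        bh = body_hash(ORIGINAL)        # DKIM signs the unfiltered body
        delivered = smime_wrap(ORIGINAL)  # filter then rewrites the body
    else:
        delivered = smime_wrap(ORIGINAL)  # filter runs first
        bh = body_hash(delivered)         # DKIM signs what will be sent
    return bh == body_hash(delivered)


if __name__ == "__main__":
    print("whitespace-only change survives:",
          body_hash(ORIGINAL) == body_hash(REWRAPPED))
    for stage in ("milter", "reinject"):
        print(stage, "-> bh valid on delivery:", bh_matches_on_delivery(stage))
```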