Content filter after DKIM proxy


Content filter after DKIM proxy

Simon Brereton-2
Hi

I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.

If I want Amavis to scan and rate the mail after dkim proxy has signed it, is that as simple as adding the content filter to the incoming socket? Currently when dkim returns the mail it looks like this (in master.cf)..

### local TCP socket for relay with dkimproxy.out
127.0.0.1:10029 inet n - n - 10 smtpd
 -o content_filter=
 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_authorized_xforward_hosts=127.0.0.0/8

If I add smtp-amavis:[127.0.0.1]:10024 (as it is in my main.cf), will this pass it off to amavis to be scanned?

Is there a good reason to not do this?  Is there a better way to do this?

Thanks for any advice/pointers.

Simon



Re: Content filter after DKIM proxy

Simon Deziel
On 10/18/2011 01:12 PM, Simon Brereton wrote:
> Hi
>
> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.

I don't know if that would suit you but Amavis is capable of
performing the DKIM verification/signature steps as well.

Simon

Re: Content filter after DKIM proxy

Simon Brereton-2
On 18 October 2011 13:27, Simon Deziel <[hidden email]> wrote:
> On 10/18/2011 01:12 PM, Simon Brereton wrote:
>> Hi
>>
>> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.
>
> I don't know if that would suit you but Amavis is capable of
> performing the DKIM verification/signature steps as well.

Thanks.  Yup,  Amavis is checking DKIM signatures, but that's not what
I was getting at.  I want Amavis to scan and rate my users' out-going
mails as well as the incoming ones.  Prior to me implementing
dkimproxy, it was doing that.  I've added the amavis content filter to
the socket and so far it's doing what I want (i.e. rating out-going
mails) but it would be nice to have a sanity check as to whether
that's the right way to do it.

Simon

Re: Content filter after DKIM proxy

Noel Jones-2
In reply to this post by Simon Brereton-2
On 10/18/2011 12:12 PM, Simon Brereton wrote:

> Hi
>
> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.
>
> If I want Amavis to scan and rate the mail after dkim proxy has signed it, is that as simple as adding the content filter to the incoming socket? Currently when dkim returns the mail it looks like this (in master.cf)..
>
> ### local TCP socket for relay with dkimproxy.out
> 127.0.0.1:10029 inet n - n - 10 smtpd
>  -o content_filter=
>  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> If I add smtp-amavis:[127.0.0.1]:10024 (as it is in my main.cf), will this pass it off to amavis to be scanned?

that looks OK, but see below.


>
> Is there a good reason to not do this?  Is there a better way to do this?

Yes and yes.  Rather than using dkim-proxy, I strongly recommend
using the amavisd-new built-in DKIM signing and verifying.  If you
can't use that for some reason, the other excellent choice is the
OpenDKIM milter.  Using dkim-proxy is a distant third.

Reasons include simpler setup and reliability.



  -- Noel Jones

Re: Content filter after DKIM proxy

Simon Brereton-2
On 18 October 2011 13:52, Noel Jones <[hidden email]> wrote:

> On 10/18/2011 12:12 PM, Simon Brereton wrote:
>> Hi
>>
>> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.
>>
>> If I want Amavis to scan and rate the mail after dkim proxy has signed it, is that as simple as adding the content filter to the incoming socket? Currently when dkim returns the mail it looks like this (in master.cf)..
>>
>> ### local TCP socket for relay with dkimproxy.out
>> 127.0.0.1:10029 inet n - n - 10 smtpd
>>  -o content_filter=
>>  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>>  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>>  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>>
>> If I add smtp-amavis:[127.0.0.1]:10024 (as it is in my main.cf), will this pass it off to amavis to be scanned?
>
> that looks OK, but see below.
>
>
>>
>> Is there a good reason to not do this?  Is there a better way to do this?
>
> Yes and yes.  Rather than using dkim-proxy, I strongly recommend
> using the amavisd-new built-in DKIM signing and verifying.  If you
> can't use that for some reason, the other excellent choice is the
> OpenDKIM milter.  Using dkim-proxy is a distant third.
>
> Reasons include simpler setup and reliability.

Thanks Noel.  Clarity is not my strong point this week :(

I already use amavis to do the dkim checking on incoming mails.  I'm
using dkimproxy to sign outgoing mails (and I confess I only found out
about opendkim after I'd set it up, so I'm not keen to change it at
the moment - though of course, your vote carries significant weight).

What I was trying to do, and what you've confirmed works, and what
I've since tested is to get amavis to scan for spam/viruses on
outgoing mail.  Since I'm only using dkimproxy to sign outgoing mails
I can't have it sign them after they've been scanned by amavis
(although I admit this would make more sense), since I would have to
add the dkimproxy filter to the incoming amavis socket and then it
would try to sign mails it has no business signing.

Currently what I have - and I'm okay with it - is:

mail comes in on the submission port after auth and with enforced TLS.
 It is passed to dkimproxy to sign.  Dkimproxy passes it to amavis to
check for spam/viri and then passes it back to postfix who sends it
out.

(The fact that doing it this way means that amavis verifies the
signature dkim JUST added is not optimal but acceptable).  The main
thing is that all outgoing mail (not just the ones clients or sendmail
submit on port 25) have X-Scanned-by headers and a spam rating.  I'm
aware some hosts will strip those and replace them with their own, but
I'd prefer they leave my site with them, than with not.

Cheers

Simon
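
The chain described in this message (submission, dkimproxy, amavis, back to Postfix) can be checked mechanically. The following is an added example, not part of the original thread: it traces content_filter hops through a constructed master.cf and shows why the last return listener needs an empty content_filter= override. Ports 10027 and 10025, the dksign transport name and the FILTER_RETURNS map are assumptions; 10029, 10024 and the main.cf value come from the thread.

```python
import re

MAIN_CF_FILTER = "smtp-amavis:[127.0.0.1]:10024"   # main.cf value quoted in the thread

# Constructed master.cf. Ports 10027 and 10025 and the "dksign" transport
# name are assumptions; 10029 and 10024 come from the thread.
MASTER_CF = """\
submission inet n - n - - smtpd
 -o content_filter=dksign:[127.0.0.1]:10027
127.0.0.1:10029 inet n - n - 10 smtpd
 -o content_filter=smtp-amavis:[127.0.0.1]:10024
127.0.0.1:10025 inet n - n - - smtpd
 -o content_filter=
"""

# External filter listen port -> Postfix port it hands mail back to (assumed).
FILTER_RETURNS = {"10027": "10029", "10024": "10025"}

def parse_listeners(text):
    """Map each master.cf service name to its -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new service entry starts here
            current = line.split()[0]
            services[current] = {}
        if current is not None:              # entry line or its continuation
            for m in re.finditer(r"\s-o\s+(\w+)=(\S*)", line):
                services[current][m.group(1)] = m.group(2)
    return services

def trace(services, start, default_filter=MAIN_CF_FILTER):
    """Follow content_filter hops from `start`; return (path, verdict)."""
    path, name = [start], start
    while True:
        # A listener without its own override inherits the main.cf filter.
        target = services[name].get("content_filter", default_filter)
        if not target:
            return path, "delivered"
        path.append(target)
        back = FILTER_RETURNS.get(target.rsplit(":", 1)[-1])
        name = next((s for s in services if s.rsplit(":", 1)[-1] == back), None)
        if name is None:
            return path, "no reinjection listener"
        if name in path:
            return path + [name], "loop"
        path.append(name)

if __name__ == "__main__":
    print(trace(parse_listeners(MASTER_CF), "submission"))
    # Drop the empty override on the amavis return listener: mail loops.
    print(trace(parse_listeners(MASTER_CF.replace(" -o content_filter=\n", "")), "submission"))
```
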

Re: Content filter after DKIM proxy

Noel Jones-2
On 10/18/2011 1:20 PM, Simon Brereton wrote:

> I already use amavis to do the dkim checking on incoming mails.  I'm
> using dkimproxy to sign outgoing mails (and I confess I only found out
> about opendkim after I'd set it up, so I'm not keen to change it at
> the moment - though of course, your vote carries significant weight).

I think the hour or less it would take to get amavisd-new to sign
outgoing mail would be well spent.

I think the hour or less it would take to replace dkimproxy with
OpenDKIM would be well spent.


  -- Noel Jones

Re: Content filter after DKIM proxy

Simon Deziel
In reply to this post by Simon Brereton-2
On 10/18/2011 01:41 PM, Simon Brereton wrote:

> On 18 October 2011 13:27, Simon Deziel <[hidden email]> wrote:
>> On 10/18/2011 01:12 PM, Simon Brereton wrote:
>>> Hi
>>>
>>> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.
>>
>> I don't know if that would suit you but Amavis is capable of
>> performing the DKIM verification/signature steps as well.
>
> Thanks.  Yup,  Amavis is checking DKIM signatures, but that's not what
> I was getting at.  I want Amavis to scan and rate my users' out-going
> mails as well as the incoming ones.

Amavisd-new can do DKIM *signature* too, no need to add another content
filter for that.

Once properly configured Amavisd-new will perform DKIM verification for
incoming emails and will DKIM sign your outgoing emails. This goes
without saying that Amavisd-new will do the usual virus/spam scoring on
both ways.

> Prior to me implementing
> dkimproxy, it was doing that.  I've added the amavis content filter to
> the socket and so far it's doing what I want (i.e. rating out-going
> mails) but it would be nice to have a sanity check as to whether
> that's the right way to do it.

As outlined by Noel, the best setup is to have Amavisd-new doing all the
DKIM related checks and signatures.

Simon

Re: Content filter after DKIM proxy

Simon Brereton-2
On 18 October 2011 15:01, Simon Deziel <[hidden email]> wrote:

> On 10/18/2011 01:41 PM, Simon Brereton wrote:
>> On 18 October 2011 13:27, Simon Deziel <[hidden email]> wrote:
>>> On 10/18/2011 01:12 PM, Simon Brereton wrote:
>>>> Hi
>>>>
>>>> I expect that this is not recommended practice, but before I implemented DKIM signing, Amavis used to scan ALL mail - incoming and outgoing - and I was happy with that.
>>>
>>> I don't know if that would suit you but Amavis is capable of
>>> performing the DKIM verification/signature steps as well.
>>
>> Thanks.  Yup,  Amavis is checking DKIM signatures, but that's not what
>> I was getting at.  I want Amavis to scan and rate my users' out-going
>> mails as well as the incoming ones.
>
> Amavisd-new can do DKIM *signature* too, no need to add another content
> filter for that.
>
> Once properly configured Amavisd-new will perform DKIM verification for
> incoming emails and will DKIM sign your outgoing emails. This goes
> without saying that Amavisd-new will do the usual virus/spam scoring on
> both ways.
>
>> Prior to me implementing
>> dkimproxy, it was doing that.  I've added the amavis content filter to
>> the socket and so far it's doing what I want (i.e. rating out-going
>> mails) but it would be nice to have a sanity check as to whether
>> that's the right way to do it.
>
> As outlined by Noel, the best setup is to have Amavisd-new doing all the
> DKIM related checks and signatures.

Thanks both of you.  I had no idea.  I'll look into it - it would
certainly make admin easier.

Simon

Re: Content filter after DKIM proxy

Steve Jenkins-3
In reply to this post by Noel Jones-2
> I think the hour or less it would take to replace dkimproxy with
> OpenDKIM would be well spent.


A big +1 on this. I wrestled with DKIM-Proxy for a couple of afternoons before stumbling upon OpenDKIM. I had it up and running and playing nicely with Amavis-new in under an hour.

The following isn't one of my normal walkthrough HowTo blog posts, but it does contain some notes I wrote to myself about things to consider when deploying OpenDKIM with Amavis-new. I've also got additional stuff there detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of the Fedora / EPEL OpenDKIM package).

The OpenDKIM developer announced the newest beta yesterday, including "An experimental implementation of a DKIM-based reputation system is present, and support for it as a reputation client (in the filter) and as a server are present in the package."

The main reason I'm a fan of using OpenDKIM over Amavis-new's for signing is that OpenDKIM keeps pace more rapidly with changes to the DKIM standards, and is looking forward to reputation-based decision making based on DKIM signatures. Most Postfix admins could get OpenDKIM up and running on their lunch break, and still have time to eat. :)

SteveJ

Re: Content filter after DKIM proxy

Steve Jenkins-3
On Wed, Oct 19, 2011 at 12:03 PM, Steve Jenkins <[hidden email]> wrote:
> The following isn't one of my normal walkthrough HowTo blog posts, but it does contain some notes I wrote to myself about things to consider when deploying OpenDKIM with Amavis-new. I've also got additional stuff there detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of the Fedora / EPEL OpenDKIM package).

Drat - forgot the link. Sorry. :)


SteveJ 

Re: Content filter after DKIM proxy

Simon Brereton-2
On 19 October 2011 14:04, Steve Jenkins <[hidden email]> wrote:

> On Wed, Oct 19, 2011 at 12:03 PM, Steve Jenkins <[hidden email]>
> wrote:
>>>
>>> The following isn't one of my normal walkthrough HowTo blog posts, but it
>>> does contain some notes I wrote to myself about things to consider when
>>> deploying OpenDKIM with Amavis-new. I've also got additional stuff there
>>> detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of
>>> the Fedora / EPEL OpenDKIM package).
>
> Drat - forgot the link. Sorry. :)
> http://stevejenkins.com/blog/2011/02/tips-for-installing-amavis-new-clamav-and-spamassassin-using-postfix-on-fedora-12/
> SteveJ


Cheers

The biggest issue I had setting up dkimproxy wasn't dkimproxy - it was
getting bind9 to behave.

That said, I enjoyed your site.  Some useful stuff there.

Simon

Re: Content filter after DKIM proxy

Simon Brereton-2
In reply to this post by Noel Jones-2
On 18 October 2011 14:27, Noel Jones <[hidden email]> wrote:

> On 10/18/2011 1:20 PM, Simon Brereton wrote:
>
>> I already use amavis to do the dkim checking on incoming mails.  I'm
>> using dkimproxy to sign outgoing mails (and I confess I only found out
>> about opendkim after I'd set it up, so I'm not keen to change it at
>> the moment - though of course, your vote carries significant weight).
>
> I think the hour or less it would take to get amavisd-new to sign
> outgoing mail would be well spent.
>
> I think the hour or less it would take to replace dkimproxy with
> OpenDKIM would be well spent.

Awww..  But I just got it working!

Seriously, I will take a look at the amavis idea.  I had no idea
amavis could do that.  However, Steve made a good point - a standalone
package might update and keep pace with standards.  So I might
investigate opendkim when I get the chance (I have a bunch of things
to do with dovecot and procmail first.  And I'd like to implement
dnssec as well).

Thanks for all the advice and feedback Noel.

Simon

RE: Content filter after DKIM proxy

Murray S. Kucherawy-2
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Simon Brereton
> Sent: Wednesday, October 19, 2011 2:36 PM
> To: postfix users
> Subject: Re: Content filter after DKIM proxy
>
> And I'd like to implement
> dnssec as well).

OpenDKIM supports DNSSEC (via libunbound).  You're set!  :-)