DKIM on submission

DKIM on submission

Alice Wonder
Hello,

Currently I enable OpenDKIM via main.cf:

# OpenDKIM
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept

Since that server is both MX and Submission for the mailbox domain I am
tempted to instead define those parameters via

     -o key=value

in master.cf for the smtps / submission service.

Is that advisable or is it not a good idea?

I realize it would mean mail sent by the host itself via sendmail
command is not DKIM signed but I'm not really worried about that.

It appears that when e-mail is sent from a user to a mail list that is
set up in a way to break DKIM (as many are), the mail from the list to
the user that comes in via the MX on port 25 then gets signed again even
though it was technically sent by the list and not the user.

That itself probably isn't bad but I still don't like the idea of DKIM
signing happening on mail that comes in on port 25 even if the From:
header matches.
Re: DKIM on submission

Viktor Dukhovni
> On Nov 26, 2018, at 8:44 AM, Alice Wonder <[hidden email]> wrote:
>
> I realize it would mean mail sent by the host itself via sendmail command is not DKIM signed but I'm not really worried about that.
>
> It appears that when e-mail is sent from a user to a mail list that is set up in a way to break DKIM (as many are), the mail from the list to the user that comes in via the MX on port 25 then gets signed again even though it was technically sent by the list and not the user.
>
> That itself probably isn't bad but I still don't like the idea of DKIM signing happening on mail that comes in on port 25 even if the From: header matches.

With DKIM, you typically arrange to *verify* email that comes in on port 25,
and sign email that originates locally or comes in on 587.

On dedicated relays whose port 25 traffic is outbound, you'd also sign port
25 traffic.

The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the master.cf
submission service (commented out by default) is to inform the milter that
mail arriving on that port is outbound.

--
        Viktor.

Re: DKIM on submission

Alice Wonder
On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:

>> On Nov 26, 2018, at 8:44 AM, Alice Wonder <[hidden email]> wrote:
>>
>> I realize it would mean mail sent by the host itself via sendmail command is not DKIM signed but I'm not really worried about that.
>>
>> It appears that when e-mail is sent from a user to a mail list that is set up in a way to break DKIM (as many are), the mail from the list to the user that comes in via the MX on port 25 then gets signed again even though it was technically sent by the list and not the user.
>>
>> That itself probably isn't bad but I still don't like the idea of DKIM signing happening on mail that comes in on port 25 even if the From: header matches.
>
> With DKIM, you typically arrange to *verify* email that comes in on port 25,
> and sign email that originates locally or comes in on 587.
>
> On dedicated relays whose port 25 traffic is outbound, you'd also sign port
> 25 traffic.
>
> The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the master.cf
> submission service (commented out by default) is to inform the milter that
> mail arriving on that port is outbound.
>

Okay I see that and will uncomment. Thank you.

I'll have to look again at the OpenDKIM conf/documentation to see how to
make sure it only signs with that flag as it seems to be signing
anything where the From: matches the Domain = pattern regardless of
originating or incoming now.
Re: DKIM on submission

Scott Kitterman-4
On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote:

> On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:
> >> On Nov 26, 2018, at 8:44 AM, Alice Wonder <[hidden email]> wrote:
> >>
> >> I realize it would mean mail sent by the host itself via sendmail command
> >> is not DKIM signed but I'm not really worried about that.
> >>
> >> It appears that when e-mail is sent from a user to a mail list that is
> >> set up in a way to break DKIM (as many are), the mail from the list to
> >> the user that comes in via the MX on port 25 then gets signed again even
> >> though it was technically sent by the list and not the user.
> >>
> >> That itself probably isn't bad but I still don't like the idea of DKIM
> >> signing happening on mail that comes in on port 25 even if the From:
> >> header matches.>
> > With DKIM, you typically arrange to *verify* email that comes in on port
> > 25, and sign email that originates locally or comes in on 587.
> >
> > On dedicated relays whose port 25 traffic is outbound, you'd also sign
> > port
> > 25 traffic.
> >
> > The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the
> > master.cf submission service (commented out by default) is to inform the
> > milter that mail arriving on that port is outbound.
>
> Okay I see that and will uncomment. Thank you.
>
> I'll have to look again at the OpenDKIM conf/documentation to see how to
> make sure it only signs with that flag as it seems to be signing
> anything where the From: matches the Domain = pattern regardless of
> originating or incoming now.

See MacroList in opendkim.conf (5) [1].

Scott K

[1] http://www.opendkim.org/opendkim.conf.5.html
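The two answers above fit together as one configuration: Viktor's master.cf override marks the submission listeners as outbound, and Scott's MacroList directive makes OpenDKIM sign only mail that carries that mark. The fragment below is an added example, not configuration posted in this thread or shipped by the Postfix or OpenDKIM projects. The milter port 8891 matches Alice's main.cf; the domain example.com, the selector, the key path and the submission-service options other than milter_macro_daemon_name are assumptions, not something the thread specifies.

```conf
# ---- /etc/postfix/master.cf (added example; submission options assumed) ----
# Submission (587): authenticated MUAs. The daemon_name macro tells OpenDKIM
# that mail arriving on this listener is outbound, as Viktor describes.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# SMTPS (465, implicit TLS): same treatment as submission.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# The MX listener (port 25) gets no override, so daemon_name keeps Postfix's
# default ($myhostname) and never matches the MacroList entry below.
smtp      inet  n       -       n       -       -       smtpd

# ---- /etc/opendkim.conf (added example; domain, selector, key path assumed) ----
Socket      inet:8891@localhost    # matches smtpd_milters = inet:127.0.0.1:8891
Mode        sv                     # signing and verifying both enabled
Domain      example.com
Selector    mail2018
KeyFile     /etc/opendkim/keys/example.com/mail2018.private
# Treat a message as locally originated, and therefore sign it, only when
# Postfix passed daemon_name=ORIGINATING, i.e. on the 587/465 listeners.
MacroList   daemon_name=ORIGINATING
# Log the reason each time a message is not signed; handy while checking
# that port-25 mail is now verify-only.
LogWhy      yes
```

After `postfix reload`, `postconf -Mf submission/inet` prints the effective entry for the submission service, so you can confirm the override is in place; with LogWhy set, OpenDKIM then logs why it declined to sign each port-25 message. Two caveats: MacroList is a separate knob from InternalHosts, which is left at its default here, so if an InternalHosts entry covers the host delivering list mail, that list must be tightened as well; and mail injected with the local sendmail command passes through pickup and cleanup (non_smtpd_milters), never through the submission listener, so it does not get the ORIGINATING macro and stays unsigned, which is the trade-off Alice said she accepts.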
Re: DKIM on submission

Alice Wonder
On 11/26/2018 08:40 AM, Scott Kitterman wrote:

> On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote:
>> On 11/26/2018 07:46 AM, Viktor Dukhovni wrote:
>>>> On Nov 26, 2018, at 8:44 AM, Alice Wonder <[hidden email]> wrote:
>>>>
>>>> I realize it would mean mail sent by the host itself via sendmail command
>>>> is not DKIM signed but I'm not really worried about that.
>>>>
>>>> It appears that when e-mail is sent from a user to a mail list that is
>>>> set up in a way to break DKIM (as many are), the mail from the list to
>>>> the user that comes in via the MX on port 25 then gets signed again even
>>>> though it was technically sent by the list and not the user.
>>>>
>>>> That itself probably isn't bad but I still don't like the idea of DKIM
>>>> signing happening on mail that comes in on port 25 even if the From:
>>>> header matches.>
>>> With DKIM, you typically arrange to *verify* email that comes in on port
>>> 25, and sign email that originates locally or comes in on 587.
>>>
>>> On dedicated relays whose port 25 traffic is outbound, you'd also sign
>>> port
>>> 25 traffic.
>>>
>>> The purpose of the "-o milter_macro_daemon_name=ORIGINATING" in the
>>> master.cf submission service (commented out by default) is to inform the
>>> milter that mail arriving on that port is outbound.
>>
>> Okay I see that and will uncomment. Thank you.
>>
>> I'll have to look again at the OpenDKIM conf/documentation to see how to
>> make sure it only signs with that flag as it seems to be signing
>> anything where the From: matches the Domain = pattern regardless of
>> originating or incoming now.
>
> See MacroList in opendkim.conf (5) [1].
>
> Scott K
>
> [1] http://www.opendkim.org/opendkim.conf.5.html
>

Thank you! That clarifies it.