DKIM signature only for a certain login - sender domain combination

Hi,
Is there a possibility to provide outgoing mails with a DKIM signature only for a certain login - sender domain combination?
The background to this is: With the sender_maps it is possible to allow different senders for a login.
The mail may only be signed for those where the login and sender domain match.

Thanks,
André

On 19 Nov 2020, at 5:44, [hidden email] wrote:

> Hi, Is there a possibility to provide outgoing mails with a DKIM
> signature only for a certain login - sender domain combination? The
> background to this is: With the sender_maps it is possible to allow
> different senders for a login. The mail may only be signed for those
> where the login and sender domain match. Thanks, André

Because Postfix does not implement DKIM signing itself, the answer is
dependent on what software you use for DKIM signing. If your signing is
done in a milter, Postfix cannot select which mail is signed and which
is not. That must be done in the milter itself. For example, I work with
systems that use the MIMEDefang milter for signing (using the Perl
Mail::DKIM module) where the decision of whether and how to sign mail is
made based on the sender.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Am 19.11.2020 um 15:44 schrieb Bill Cole:
As a milter I use OpenDKIM. The user is not transferred to the milter
itself, so I have no way of deciding what should be signed there. Only
Postfix knows the user, so a decision would have to be made already
there what is passed on to the milter and what is not.

>>On 19 Nov 2020, at 5:44, [hidden email] wrote:
>>>Hi, Is there a possibility to provide outgoing mails with a DKIM
>>>signature only for a certain login - sender domain combination? The
>>>background to this is: With the sender_maps it is possible to allow
>>>different senders for a login. The mail may only be signed for those
>>>where the login and sender domain match. Thanks, André

>Am 19.11.2020 um 15:44 schrieb Bill Cole:
>>Because Postfix does not implement DKIM signing itself, the answer is
>>dependent on what software you use for DKIM signing. If your signing
>>is done in a milter, Postfix cannot select which mail is signed and
>>which is not. That must be done in the milter itself. For example, I
>>work with systems that use the MIMEDefang milter for signing (using
>>the Perl Mail::DKIM module) where the decision of whether and how to
>>sign mail is made based on the sender.

On 22.11.20 09:07, [hidden email] wrote:
>As a milter I use OpenDKIM. The user is not transferred to the milter
>itself, so I have no way of deciding what should be signed there. Only
>Postfix knows the user, so a decision would have to be made already
>there what is passed on to the milter and what is not.

domains are signed, not users.

If you want to verify user matches login, you can use
smtpd_sender_login_maps and reject*sender_login_mismatch directives.  That
way, users won't be allowed to send from addresses they don't have enabled.


you can make only some senders signed, by putting their addresses to access
map with a FILTER: destination:

http://www.postfix.org/access.5.html


However, since signing is based on From: address and directives above use
envelope address (mail from:), you should verify that they match before you
sign.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]