DKIM signing of bounce back messages

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

DKIM signing of bounce back messages

J Doe
Hello,

I have a question regarding DKIM signing on Postfix bounce back messages.

I was tuning my Dovecot installation around quotas.  I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota.  The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.

Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.  I changed my Postfix config to include:

    /etc/postfix/main.cf
        internal_mail_filter_classes = bounce
        non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Generating a new test message confirmed that bounce back messages are now DKIM signed . . . BUT I noticed this line in: man 5 postconf

    internal_mail_filter_classes
        NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages.

My question is - will enabling DKIM on bounce back messages cause me problems or is that warning more for content filters that attempt to mangle/modify the bounce back messages ?

Thanks,

- J

Reply | Threaded
Open this post in threaded view
|

Re: DKIM signing of bounce back messages

Wietse Venema
J Doe:

> Hello,
>
> I have a question regarding DKIM signing on Postfix bounce back messages.
>
> I was tuning my Dovecot installation around quotas.  I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota.  The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.
>
> Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.  I changed my Postfix config to include:
>
>     /etc/postfix/main.cf
>         internal_mail_filter_classes = bounce
>         non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

That's similar to what I have.

> Generating a new test message confirmed that bounce back messages are now DKIM signed . . . BUT I noticed this line in: man 5 postconf
>
>     internal_mail_filter_classes
>         NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages.

This depends on what the mail inspecting software does. If it creates
more email, then the worst-case result would be an email explosion.
Otherwise, the worst-case result would be an email loop.

        Wietse

> My question is - will enabling DKIM on bounce back messages cause me problems or is that warning more for content filters that attempt to mangle/modify the bounce back messages ?
>
> Thanks,
>
> - J
>
>