DKIM verification with virtual domains on the same machine


Solk Maaker
Hi

Problem description:
If a user sends mail out (to the Internet) from domain1 (virtual domain),
the mail is signed and on the receiver side the mail is verified - everything is OK.
If mail comes in (from the Internet) to domain1 (virtual domain) with a DKIM
signature, the signature is verified - everything is OK.
If a user sends mail from domain1 (virtual domain) to domain2 (virtual
domain) on the same machine, the mail is signed but the signature is not verified -
not OK.

As I understand it, opendkim cannot do both at the same time; mail is either
signed or verified, depending on the opendkim configuration.
(I might be wrong on this one.)

I can let opendkim do both (create 2 instances of opendkim with
different configs), or use dkimproxy to verify and opendkim to sign, but the
problem is that if I let the machine do both, outgoing mail gets out with an
Authentication-Results header and that is wrong, since verification is
supposed to be done only once, by the receiving machine.

Is it possible to do both, sign and verify the DKIM signature, on the same
machine while using virtual domains IF the mail receiver is a virtual user?
(Maybe add a verification filter somewhere so that it only affects
delivery of mail to a virtual user? I'm pretty much guessing here.)

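The Authentication-Results header Solk mentions above carries an authserv-id (RFC 8601), the name of the MTA that evaluated the DKIM or SPF result, and the field only means something to that MTA's own downstream. That is the reason the verifier belongs on the receiving side only: a field claiming our authserv-id that arrives from the Internet cannot be ours yet and must be dropped before our verifier runs, and a field in our name on mail leaving via submission is exactly the noise the post complains about. The following is an added example, not code from any poster in this thread; the authserv-id `mx.example.net`, the function names and both sample messages are constructed, and it uses only the Python standard library.

```python
"""Authentication-Results (A-R) hygiene at a mail boundary (added example)."""
import re
from email import message_from_string
from email.message import Message

LOCAL_AUTHSERV_ID = "mx.example.net"          # assumed authserv-id of our verifier
AR = "Authentication-Results"

_CFWS_COMMENT = re.compile(r"\([^()]*\)")     # RFC 5322 comments, one level deep


def authserv_id_of(value: str) -> str:
    """Extract the authserv-id from an A-R field value.

    RFC 8601 grammar: authserv-id [CFWS authres-version] ';' results.
    Comments are dropped and the id lower-cased (it is a domain name)."""
    head = _CFWS_COMMENT.sub(" ", value).split(";", 1)[0]
    tokens = head.split()
    return tokens[0].lower() if tokens else ""


def local_ar_fields(msg: Message, authserv_id: str = LOCAL_AUTHSERV_ID) -> list:
    """All A-R values in msg that claim to have been added by authserv_id."""
    return [v for v in msg.get_all(AR, []) if authserv_id_of(v) == authserv_id.lower()]


def strip_local_ar(msg: Message, authserv_id: str = LOCAL_AUTHSERV_ID) -> int:
    """Ingress step: remove A-R fields that claim our authserv-id before our
    own verifier adds a genuine one.  Fields from other authentication
    services and the header order are kept.  Returns the number removed."""
    wanted = authserv_id.lower()
    kept = [(k, v) for k, v in msg.items()
            if not (k.lower() == AR.lower() and authserv_id_of(v) == wanted)]
    removed = len(msg.items()) - len(kept)
    if removed:
        for name in set(msg.keys()):       # del removes every occurrence of a name
            del msg[name]
        for k, v in kept:                  # re-add in the original order
            msg[k] = v
    return removed


def ready_for_egress(msg: Message, authserv_id: str = LOCAL_AUTHSERV_ID) -> bool:
    """Egress check for the submission/signing path: mail we send out must
    carry no A-R field in our name."""
    return not local_ar_fields(msg, authserv_id)


# Constructed inbound message: the first A-R field claims our authserv-id
# although nothing on our side has evaluated it yet; the second is from
# another site and is left alone.
INBOUND = """\
Received: from relay.sender.example by mx.example.net with ESMTP; Tue, 4 Feb 2014 09:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=sender.example
Authentication-Results: (seen upstream) mx.other.example 1;
 spf=pass smtp.mailfrom=sender.example
From: notice@sender.example
To: user@domain1.example
Subject: test

hello
"""

# Constructed outbound message as it would look after a combined sign+verify
# milter touched it on the submission path (signature fields are placeholders).
OUTBOUND = """\
Authentication-Results: MX.example.net; dkim=pass header.d=domain1.example
DKIM-Signature: v=1; a=rsa-sha256; d=domain1.example; s=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: user@domain1.example
To: someone@remote.example
Subject: test

hello
"""


def demo():
    """Run both checks over the constructed samples."""
    inbound = message_from_string(INBOUND)
    removed = strip_local_ar(inbound)
    outbound = message_from_string(OUTBOUND)
    return removed, inbound.get_all(AR), ready_for_egress(outbound)


if __name__ == "__main__":
    print(demo())
```

The comparison is case-insensitive because the authserv-id is a domain name, and the comment-stripping handles the `(...)` CFWS the grammar allows before the id; a filter that matched on the raw prefix string would let `MX.example.net` or `(x) mx.example.net` through.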

Re: DKIM verification with virtual domains on the same machine

A. Schulze

Solk Maaker:

> If user sends mail from domain1 (virtual domain) to domain2 (virtual  
> domain) in same machine, mail is signed but signature is not  
> verified  - not OK.

From DKIM's perspective it really makes no sense to validate a
signature generated by yourself.
(How often do you check your own identity card to prove that you are you?)

But I assume your problem is consistent behaviour.
If that is the point you have to split mail flows:
  * separate system signing all submitted messages
  * separate system validating any inbound messages.

Andreas

Re: DKIM verification with virtual domains on the same machine

Solk Maaker
> From DKIM's perspective it really makes no sense to validate a
> signature generated by yourself.
> ( How often do you check your own identity card to prove that you are
> you? )

Yes, that is true, there is no point in verifying my own signature, but in
the case of virtual domains, if domain1 does not belong to the same user as
domain2, it would be nice if the domain1 signature could be verified.

> But I assume your problem is consistent behaviour.
> If that is the point you have to split mail flows:
>  * separate system signing all submitted messages
>  * separate system validating any inbound messages.

The current setup that I have has a separate signing machine (relay), so if
domain1 sends mail to domain2, the mail goes from machine1 to the relay (which
will sign the mail), and since the domain2 MX record points to machine1, the relay
sends it back and the mail gets verified.
I'm wondering, is it possible to do it on the same machine, so I can exclude
the relay machine whose only purpose is signing?

My goal would be: verification is done in the part of the mail flow that
handles delivery to virtual users, but not in the part that handles sending
mail out to the Internet.
Is it possible, or should I just forget about it and stay with a separate
machine for signing?


Re: DKIM verification with virtual domains on the same machine

Noel Jones-2
On 2/3/2014 5:31 AM, Solk Maaker wrote:

>> From DKIM's perspective it really makes no sense to validate a
>> signature generated by yourself.
>> ( How often do you check your own identity card to prove that you
>> are you? )
>
> Yes, that is true, there is no point in verifying my own signature, but
> in the case of virtual domains, if domain1 does not belong to the same user
> as domain2, it would be nice if the domain1 signature could be verified.
>
>> But I assume your problem is consistent behaviour.
>> If that is the point you have to split mail flows:
>>  * separate system signing all submitted messages
>>  * separate system validating any inbound messages.
>
> The current setup that I have has a separate signing machine (relay), so
> if domain1 sends mail to domain2, the mail goes from machine1 to the relay
> (which will sign the mail), and since the domain2 MX record points to
> machine1, the relay sends it back and the mail gets verified.
> I'm wondering, is it possible to do it on the same machine, so I can
> exclude the relay machine whose only purpose is signing?
>
> My goal would be: verification is done in the part of the mail flow that
> handles delivery to virtual users, but not in the part that handles
> sending mail out to the Internet.
> Is it possible, or should I just forget about it and stay with a
> separate machine for signing?

You can do both on one machine using multiple postfix instances, one
for incoming mail and another for outgoing mail, each running on its
own IP. But since you already have multiple postfix instances on two
machines it seems silly to complicate a working setup for little
gain, unless you're trying to get rid of the second machine.



  -- Noel Jones
Re: DKIM verification with virtual domains on the same machine

Solk Maaker
>
> You can do both on one machine using multiple postfix instances, one
> for incoming mail and another for outgoing mail, each running on its
> own IP. But since you already have multiple postfix instances on two
> machines it seems silly to complicate a working setup for little
> gain, unless you're trying to get rid of the second machine.
>

Thank you for your answer, that is exactly what I did, for now.
My goal was to get rid of the separate machine for signing, so I made a
second postfix instance that handles submission and signing, leaving the
first instance for incoming mail and verification. The only downside is that
this setup needs two IP addresses.
Re: DKIM verification with virtual domains on the same machine

Benny Pedersen-2
On 2014-02-04 07:53, Solk Maaker wrote:
> The only downside is that this setup needs two IP addresses.

Use the 127.0.0.0/8 range for the signers, and for the WAN only do verifying; this
only needs opendkim-verify.conf and opendkim-signer.conf, which are bound
in master.cf as services where they fit.
Re: DKIM verification with virtual domains on the same machine

Solk Maaker
> Use the 127.0.0.0/8 range for the signers, and for the WAN only do verifying;
> this only needs opendkim-verify.conf and opendkim-signer.conf, which are
> bound in master.cf as services where they fit.

For some reason the second postfix refused to route mail out to the WAN IP
(loops back to myself) when I bound it only to 127.0.0.1; besides, the
submission port must be on a public IP to enable users to send mail with
mail clients. After I changed the IP address the second postfix binds to
to the public IP, everything works as it is supposed to.
The current setup I have is: postfix1 (WAN IP1, port 25 for incoming mail),
postfix2 (127.0.0.1:765 for webmail, and WAN IP2 ports 465 and 587 for
mail clients).
Opendkim is also running with two instances, where the first (used by
postfix1) is configured to verify regardless of mail origin, and the second
is configured only to sign.

Do you have a working configuration that uses only one public IP?
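For the closing question, here is one configuration that does both on a single Postfix instance and a single public IP, as an added example rather than any poster's actual setup: two OpenDKIM instances in the split Benny describes (a signer in `Mode s`, a verifier in `Mode v`), each attached in master.cf to the smtpd service whose traffic it should handle, using Postfix's per-service `-o` overrides instead of a second instance or a second address. The domain names, selector, key paths, the authserv-id and the milter ports 8891/8892 are assumed values; the webmail service on 127.0.0.1:765 mirrors Solk's layout.

```conf
# --- /etc/opendkim/opendkim-signer.conf : signing only, used by the submission services
Mode                    s
Socket                  inet:8891@127.0.0.1
UserID                  opendkim
UMask                   007
PidFile                 /var/run/opendkim/signer.pid
Syslog                  yes
Canonicalization        relaxed/simple
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

# --- /etc/opendkim/KeyTable : one key per virtual domain (selector and key paths assumed)
mail._domainkey.domain1.example  domain1.example:mail:/etc/opendkim/keys/domain1.example/mail.private
mail._domainkey.domain2.example  domain2.example:mail:/etc/opendkim/keys/domain2.example/mail.private

# --- /etc/opendkim/SigningTable (refile) : which key signs which From: addresses
*@domain1.example   mail._domainkey.domain1.example
*@domain2.example   mail._domainkey.domain2.example

# --- /etc/opendkim/opendkim-verify.conf : verifying only, used by the port-25 smtpd
Mode                    v
Socket                  inet:8892@127.0.0.1
UserID                  opendkim
UMask                   007
PidFile                 /var/run/opendkim/verify.pid
Syslog                  yes
AuthservID              mx.example.net

# --- /etc/postfix/main.cf (fragment) : the verifier is the default milter;
#     mail picked up from the local sendmail(1) interface gets no milter at all
smtpd_milters           = inet:127.0.0.1:8892
non_smtpd_milters       =
milter_default_action   = accept
milter_protocol         = 6

# --- /etc/postfix/master.cf (fragment) : per-service overrides select the signer
# Inbound from the Internet on the one public IP: verify, never sign (inherits main.cf)
smtp        inet  n  -  n  -  -  smtpd
# Mail clients on 587 and 465, and webmail on the loopback port: sign, never verify
submission  inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=inet:127.0.0.1:8891
  -o milter_macro_daemon_name=ORIGINATING
smtps       inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=inet:127.0.0.1:8891
  -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:765 inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/webmail
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_milters=inet:127.0.0.1:8891
  -o milter_macro_daemon_name=ORIGINATING
```

Because the signer only ever sees authenticated submission and the verifier only ever sees port 25, no message can be both signed and verified on this host, so nothing leaves with an Authentication-Results field in `mx.example.net`'s name. The caveat is the case that started the thread: a message from domain1 to domain2 is signed on submission and then delivered straight to the virtual mailbox without ever passing port 25, so it is not verified (Andreas's point that there is nothing to check). Per-service `-o` overrides cannot change that, since routing is decided by the queue manager from main.cf, not by the receiving smtpd; if that internal hop must be verified as well, the submitted mail has to be handed back over SMTP to port 25, which is what Solk's second Postfix instance (and the earlier relay machine) provides.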