DKIM without a dedicated port/ip listener?
DKIM without a dedicated port/ip listener?

Paul Hutchings
I've picked through the dkimproxy guide at
http://dkimproxy.sourceforge.net/ and have got it working, but not in
the manner I'd have liked.

We have our box setup so that it only listens on port 25, and nothing is
accepted from an @ourdomain email address unless it's either from a host
in mynetworks or passes our spf policy i.e. a host on the internet can't
throw spoofed mail at us as someone@ourdomain.

I'd sooner not have to setup a dedicated IP or port for all our machines
to use solely so mail can be signed by dkimproxy.

Is there any way I can configure postfix to only pass mail with an
@ourdomain address to it?

I see if I simply add content_filter=dksign:[127.0.0.1]:10027 to main.cf
then all mail seems to get signed with our key despite having configured
it to sign for our domain in
/usr/local/dkimproxy/etc/dkimproxy_out.conf.

I've been testing and I can do it with a check_sender_access hash table
to call the filter, but of course this has to be before
permit_mynetworks.

Relevant (I think) bits of main.cf:

smtpd_recipient_restrictions =
 check_sender_access hash:/etc/postfix/dkim_test, <-- testing
 check_client_access hash:/etc/postfix/client_blacklist,
 check_sender_access hash:/etc/postfix/sender_blacklist,
 check_recipient_maps,
 permit_mynetworks,
 reject_unauth_destination,
 check_client_access hash:/etc/postfix/client_whitelist,
 check_sender_access hash:/etc/postfix/sender_whitelist,
 check_helo_access regexp:/etc/postfix/helo_checks.regexp,
 reject_invalid_helo_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client spamsources.fabel.dk,
 check_policy_service unix:private/spf,
 check_client_access regexp:/etc/postfix/greylist_dyn_fqdn.regexp,
 check_client_access regexp:/etc/postfix/greylist_hosts.regexp,
 permit

Thanks in advance for any pointers/tips.

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.


Re: DKIM without a dedicated port/ip listener?

Brian Evans - Postfix List
Paul Hutchings wrote:

> I've picked through the dkimproxy guide at
> http://dkimproxy.sourceforge.net/ and have got it working, but not in
> the manner I'd have liked.
>
> We have our box setup so that it only listens on port 25, and nothing is
> accepted from an @ourdomain email address unless it's either from a host
> in mynetworks or passes our spf policy i.e. a host on the internet can't
> throw spoofed mail at us as someone@ourdomain.
>
> I'd sooner not have to setup a dedicated IP or port for all our machines
> to use solely so mail can be signed by dkimproxy.
>
> Is there any way I can configure postfix to only pass mail with an
> @ourdomain address to it?
>
> I see if I simply add content_filter=dksign:[127.0.0.1]:10027 to main.cf
> then all mail seems to get signed with our key despite having configured
> it to sign for our domain in
> /usr/local/dkimproxy/etc/dkimproxy_out.conf.
>  
This is because you set it on all smtpd processes.
Content filters that you want to sign from your own domain/system should
be configured on the submission port only.
Mail clients will have to submit to port 587 in order for this to work
as well.

If there are ways of getting a restriction class or similar to work, I'm
sure someone on this list will comment on that.
Personally, I did not see any documentation to limit a content_filter
beyond master.cf.

Brian

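The submission-only variant Brian describes, written out as an added example (it is not from this thread and not the dkimproxy project's own file). The content_filter is attached to the port 587 service in master.cf, so the port 25 MX service never hands anything to dkimproxy. The dksign transport and the 127.0.0.1:10028 re-injection listener follow the layout of the dkimproxy guide; the SASL and TLS settings on submission and both port numbers are assumptions to be matched against your own setup.

```conf
# master.cf (added example). Only the submission service carries the
# content_filter, so mail arriving on port 25 is never handed to dkimproxy.
# SASL/TLS settings here are assumptions; keep whatever your clients use.
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_etrn_restrictions=reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o receive_override_options=no_address_mappings
    -o content_filter=dksign:[127.0.0.1]:10027

# Transport that delivers TO dkimproxy.out (port 10027 as in the guide).
# XFORWARD passes the original client details through the proxy; the
# discarded EHLO keywords keep the proxy hop plain 7-bit and unencrypted.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# Listener that accepts the signed message back FROM dkimproxy.out.
# content_filter is cleared and all restriction lists are emptied here,
# otherwise the re-injected copy would be filtered (and looped) again.
127.0.0.1:10028 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

The trade-off Brian mentions is visible here: nothing in this file signs mail that internal machines deliver to port 25, so every host that should produce signed mail has to submit on 587 (authenticated, or from mynetworks). After editing, `postfix reload` and check `postconf -M submission/inet` (Postfix 2.9 or later) or simply `postfix check` on older releases to make sure the service parses.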

Re: DKIM without a dedicated port/ip listener?

Noel Jones-2
In reply to this post by Paul Hutchings
Paul Hutchings wrote:

> I've picked through the dkimproxy guide at
> http://dkimproxy.sourceforge.net/ and have got it working, but not in
> the manner I'd have liked.
>
> We have our box setup so that it only listens on port 25, and nothing is
> accepted from an @ourdomain email address unless it's either from a host
> in mynetworks or passes our spf policy i.e. a host on the internet can't
> throw spoofed mail at us as someone@ourdomain.
>
> I'd sooner not have to setup a dedicated IP or port for all our machines
> to use solely so mail can be signed by dkimproxy.
>
> Is there any way I can configure postfix to only pass mail with an
> @ourdomain address to it?
>
> I see if I simply add content_filter=dksign:[127.0.0.1]:10027 to main.cf
> then all mail seems to get signed with our key despite having configured
> it to sign for our domain in
> /usr/local/dkimproxy/etc/dkimproxy_out.conf.
>
> I've been testing and I can do it with a check_sender_access hash table
> to call the filter, but of course this has to be before
> permit_mynetworks.

It's reasonable to use a check_sender_access table that
returns FILTER ...  for your domain.  To simplify the setup,
put this check (and only this check) under
smtpd_sender_restrictions.  Leave your
smtpd_recipient_restrictions as they are, and of course remove
the content_filter setting from main.cf.

Note that if you use dkim-milter with the postfix milter
interface, you don't need to jump through these hoops.  Mail
from {defined networks or authenticated users} that also match
the signing domain are signed.

--
Noel Jones

Re: DKIM without a dedicated port/ip listener?

mouss-2
In reply to this post by Paul Hutchings
Paul Hutchings wrote:

> I've picked through the dkimproxy guide at
> http://dkimproxy.sourceforge.net/ and have got it working, but not in
> the manner I'd have liked.
>
> We have our box setup so that it only listens on port 25, and nothing is
> accepted from an @ourdomain email address unless it's either from a host
> in mynetworks or passes our spf policy i.e. a host on the internet can't
> throw spoofed mail at us as someone@ourdomain.
>
> I'd sooner not have to setup a dedicated IP or port for all our machines
> to use solely so mail can be signed by dkimproxy.
>
> Is there any way I can configure postfix to only pass mail with an
> @ourdomain address to it?
>  
> I see if I simply add content_filter=dksign:[127.0.0.1]:10027 to main.cf
> then all mail seems to get signed with our key despite having configured
> it to sign for our domain in
> /usr/local/dkimproxy/etc/dkimproxy_out.conf.
>  

try passing --domain= as an argument.

> I've been testing and I can do it with a check_sender_access hash table
> to call the filter, but of course this has to be before
> permit_mynetworks.
>  

the filter has to be specified before any OK. note that FILTER does not
cause postfix to skip subsequent checks. It just sets the content filter
that will be used.

but as Noel said, consider doing the check in sender restrictions
instead. This way errors will not make you an open relay.

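Noel's sender-restriction approach together with mouss's caveat about relay control, as one added example (this is not Paul's final configuration and not from the dkimproxy guide). ourdomain.example, the map name /etc/postfix/dkim_sign and the bounces@ address are placeholders.

```conf
# main.cf (added example). No global content_filter; the FILTER action
# comes from the access map and is attached per message. Relay control
# (permit_mynetworks, reject_unauth_destination, ...) stays untouched in
# smtpd_recipient_restrictions, so a mistake in this map cannot open a relay.
content_filter =

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/dkim_sign

# /etc/postfix/dkim_sign (placeholder name; rebuild after edits with
#   postmap hash:/etc/postfix/dkim_sign
# and reload Postfix). Lookup key is the envelope sender (MAIL FROM):
# full address first, then the domain, then parent domains, so one domain
# entry also covers its sub-domains with the default
# parent_domain_matches_subdomains setting.
ourdomain.example           FILTER dksign:[127.0.0.1]:10027

# DUNNO stops the lookup before the domain entry is tried, for senders
# that must not be signed (placeholder address).
bounces@ourdomain.example   DUNNO
```

Why this is safer than the test entry at the top of smtpd_recipient_restrictions: an OK that slips into the map (a typo, a copy-paste from another access table) placed before reject_unauth_destination would let anyone who says MAIL FROM someone@ourdomain relay through the box; the same OK in smtpd_sender_restrictions only ends that one list and relay control is still enforced. FILTER itself only records which transport the message will take once it is accepted; it does not end restriction processing, so the sender still has to get past smtpd_recipient_restrictions (mynetworks or an SPF pass in Paul's setup), and a message rejected there is never signed. Check the map with `postmap -q ourdomain.example hash:/etc/postfix/dkim_sign` (prints the FILTER line) and `postmap -q bounces@ourdomain.example hash:/etc/postfix/dkim_sign` (prints DUNNO), and confirm `postconf content_filter` shows an empty value. The 127.0.0.1:10028 re-injection smtpd from the dkimproxy guide must override smtpd_sender_restrictions to an empty value (`-o smtpd_sender_restrictions=`), otherwise the signed copy matches the map again and loops back to the proxy. Finally, the map keys on the envelope sender while dkimproxy makes its own decision from the message (treat that as an assumption and check your dkimproxy_out.conf), so forwarded mail with an outside From: but a local envelope sender will reach the proxy but may come back unsigned.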

RE: DKIM without a dedicated port/ip listener?

Paul Hutchings
In reply to this post by Noel Jones-2
Thanks for that Noel, trying it now and it appears to work just fine.

I did try dkim-milter but haven't had much luck; not sure if it's my
relative lack of knowledge of Linux or because we're also using
MailScanner and maybe it doesn't play nice with milters, but using
sender restrictions seems to work and seems to give me a fairly granular
way of specifying what mail to pass to the filter.

Thanks,
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:[hidden email]


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Noel Jones
Sent: 23 May 2008 21:57
To: [hidden email]
Subject: Re: DKIM without a dedicated port/ip listener?

Re: DKIM without a dedicated port/ip listener?

Robert Schetterer
Paul Hutchings schrieb:

> Thanks for that Noel, trying it now and it appears to work just fine.
>
> I did try dkim-milter but havn't had much luck, not sure if it's my
> relative lack of knowledge of linux or because we're also using
> mailscanner and maybe it doesn't play nice with milters but using a
> sender restrictions seems to work and seems to give me a fairly granular
> way of specifying what mail to pass to the filter.
>
> Thanks,
> Paul

Hi Paul,
dkim-milter works like a charm here,
so it has to be a problem in your setup.
Try asking on the dkim-milter mailing list;
look e.g. here for more info:

http://www.elandsys.com/resources/sendmail/dkim.html

Best Regards


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria