Outbound DKIM signing milter options for Postfix?

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Outbound DKIM signing milter options for Postfix?

pg151
I'm setting up outbound DKIM signing for a Postfix instance.

I'd prefer something other that OpenDKIM or Amavisd.

Other than DIY, is there a solid/stable milter for outbound signing folks are successfully using with Postfix?

Appreciate any references!
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Scott Kitterman-4


On October 11, 2018 2:08:09 AM UTC, [hidden email] wrote:
>I'm setting up outbound DKIM signing for a Postfix instance.
>
>I'd prefer something other that OpenDKIM or Amavisd.
>
>Other than DIY, is there a solid/stable milter for outbound signing
>folks are successfully using with Postfix?
>
>Appreciate any references!

I gave up on OpenDKIM and wrote my own:

https://launchpad.net/dkimpy-milter

I need to update the readme.  The ed25119 signature version it supports is what ended up in RFC 8463.

Scott K
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

pg151


On Wed, Oct 10, 2018, at 7:16 PM, Scott Kitterman wrote:
> I gave up on OpenDKIM

Same here.  Too many crashes, and too little response.  Moved on.

>  and wrote my own:
> https://launchpad.net/dkimpy-milter

Gr8, thx. I've used a number of your products (thx agn!), but missed this completly!

> I need to update the readme.  The ed25119 signature version it supports
> is what ended up in RFC 8463.

Now to trundle off to see if your dkimpy supports/uses Signing/Key tables for multi-domain support ...
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

pg151
On Wed, Oct 10, 2018, at 7:23 PM, [hidden email] wrote:
> Now to trundle off to see if your dkimpy supports/uses Signing/Key
> tables for multi-domain support ...

appears that's a "no" for now ...

"...
              domains is implied by the lines in that file. [SigningTable NOT IMPLEMENTED]  <<<<<<

              This parameter is ignored if a KeyTable is defined. [KeyTable NOT IMPLEMENTED]  <<<<<<
..."
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

B. Reino
In reply to this post by pg151
On 2018-10-11 04:08, [hidden email] wrote:
> I'm setting up outbound DKIM signing for a Postfix instance.
>
> I'd prefer something other that OpenDKIM or Amavisd.
>
> Other than DIY, is there a solid/stable milter for outbound signing
> folks are successfully using with Postfix?
>
> Appreciate any references!

I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.

Cheers.
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Dominic Raferd
On Thu, 11 Oct 2018 at 08:49, B. Reino <[hidden email]> wrote:
On 2018-10-11 04:08, [hidden email] wrote:
> I'm setting up outbound DKIM signing for a Postfix instance.
>
> I'd prefer something other that OpenDKIM or Amavisd.
>
> Other than DIY, is there a solid/stable milter for outbound signing
> folks are successfully using with Postfix?
>
> Appreciate any references!

I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.

I have had no problems with opendkim and I like that it plays well with opendmarc. 'do one thing and do it well' + 'programs should work together'. YMMV.
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Илья Шипицин
In reply to this post by pg151
we use opendkim (somehow it does not crash for us, yes, I seen many unresolved issues).
however, I'd like to raise another question :)

opendkim is attached to postfix via milter. it is pain.
under high load (when lots of marketing letters are sent) we have to choose between

1) if milter is unaccessible, send without DKIM signature
2) if milter is unaccessible, reject

what I really like to have, is a way to execute dkim sign and wait for a child until it sign. no milter.
is it avalable ?

чт, 11 окт. 2018 г. в 7:11, <[hidden email]>:
I'm setting up outbound DKIM signing for a Postfix instance.

I'd prefer something other that OpenDKIM or Amavisd.

Other than DIY, is there a solid/stable milter for outbound signing folks are successfully using with Postfix?

Appreciate any references!
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Matus UHLAR - fantomas
On 11.10.18 13:35, Илья Шипицин wrote:

>we use opendkim (somehow it does not crash for us, yes, I seen many
>unresolved issues).
>however, I'd like to raise another question :)
>
>opendkim is attached to postfix via milter. it is pain.
>under high load (when lots of marketing letters are sent) we have to choose
>between
>
>1) if milter is unaccessible, send without DKIM signature
>2) if milter is unaccessible, reject
>
>what I really like to have, is a way to execute dkim sign and wait for a
>child until it sign. no milter.
>is it avalable ?

I believe this could be done by using post-queue content filter:
http://www.postfix.org/postconf.5.html#content_filter


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Robert Schetterer-2
Am 11.10.2018 um 10:51 schrieb Matus UHLAR - fantomas:

> On 11.10.18 13:35, Илья Шипицин wrote:
>> we use opendkim (somehow it does not crash for us, yes, I seen many
>> unresolved issues).
>> however, I'd like to raise another question :)
>>
>> opendkim is attached to postfix via milter. it is pain.
>> under high load (when lots of marketing letters are sent) we have to
>> choose
>> between
>>
>> 1) if milter is unaccessible, send without DKIM signature
>> 2) if milter is unaccessible, reject
>>
>> what I really like to have, is a way to execute dkim sign and wait for a
>> child until it sign. no milter.
>> is it avalable ?
>
> I believe this could be done by using post-queue content filter:
> http://www.postfix.org/postconf.5.html#content_filter
>
>

http://dkimproxy.sourceforge.net/ "may"
help for this case

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Benny Pedersen-2
In reply to this post by B. Reino
B. Reino skrev den 2018-10-11 09:48:

> I can recommend rspamd. The DKIM module is very flexible, supports
> multiple domains, etc.

rspamd is a bit of overkill for dkim signing

with well supported ucl its easy to configure it

xml was hard to manage
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

pg151
In reply to this post by B. Reino
On Thu, Oct 11, 2018, at 12:48 AM, B. Reino wrote:
> I can recommend rspamd. The DKIM module is very flexible, supports
> multiple domains, etc.

rspamd is in the same bucket as amavis from my perspective.

I prefer a single-function/focus tool rather than a 'swiss-army knife' approach
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

pg151
In reply to this post by Robert Schetterer-2
On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
> http://dkimproxy.sourceforge.net/ "may"
> help for this case

In principle.  Tho, not clear yet on whether I want/prefer a milter or proxy.  Leaning to milter ...

But last release in 2010-11-14 sounds 'pretty dead' to me!
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

pg151
In reply to this post by Dominic Raferd


On Thu, Oct 11, 2018, at 1:21 AM, Dominic Raferd wrote:
> I have had no problems with opendkim

I didn't either.  Do now.  Consistent crashing whether distro-installed or DIY-builds.

Crashes appear malloc related; reported to upstream.  Unfortunately, LOTS of bugs there with very little, if any, response from the dev(s?).

It's just my opinion, based on my experience, but, for me, the "TrustedDomainProject" ... isn't.  Which is why I'm in here asking/learning about alternatives.

>  and I like that it plays well with opendmarc. 'do one thing and do it well' + 'programs should work together'.

Agree with both *principles*.

Along those lines, for inbound verification, I'm watching/trying

  https://github.com/fastmail/authentication_milter

with some interest.  It's "one person" (afaict), but it's used by FastMail in production ... which in my book, is a big, testimonial thumbs-up.  Proof's in the pudding, of course.

> YMMV.

That it does, that it does ...
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

Robert Schetterer-2
In reply to this post by pg151
Am 11.10.2018 um 17:47 schrieb [hidden email]:
> On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
>> http://dkimproxy.sourceforge.net/ "may"
>> help for this case
>
> In principle.  Tho, not clear yet on whether I want/prefer a milter or proxy.  Leaning to milter ...
>
> But last release in 2010-11-14 sounds 'pretty dead' to me!
>

yeah, but the question was for a special case and not using a milter
just for signing only it should work


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: Outbound DKIM signing milter options for Postfix?

B. Reino
In reply to this post by Benny Pedersen-2
On Thu, 11 Oct 2018, Benny Pedersen wrote:

> B. Reino skrev den 2018-10-11 09:48:
>
>> I can recommend rspamd. The DKIM module is very flexible, supports
>> multiple domains, etc.
>
> rspamd is a bit of overkill for dkim signing

If you only want DKIM signing, then yes.

In my case, rspamd does DKIM signing, DKIM/SPF/DMARC checking (+ DMARC
Reporting), plus of course its core task of spam filtering.

One milter to rule them all, so to speak :)

Cheers.