Signing injected mail


Signing injected mail

Simon Brereton-2
Hi

Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
outgoing mail (sadly, before Amavis, so amavis verifies the signature
- but I'm okay with that for now) on the submission port.

Mail that is injected (i.e. from CRON, applications, etc.) still
passes through amavis (obviously) but doesn't get signed.  I would
like to sign those mails as well.

As I was writing this, it occurred to me that the way to do that is to
add the content filter in master.cf

   -o content_filter=dksign:[127.0.0.1]:10028

I think I need to add that to the pickup line - is that correct?  If
not, where do I add it so that mails that are injected are added?

Thanks.

Simon

Re: Signing injected mail

Simon Brereton-2
On 4 November 2011 15:49, Simon Brereton <[hidden email]> wrote:

> Hi
>
> Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
> outgoing mail (sadly, before Amavis, so amavis verifies the signature
> - but I'm okay with that for now) on the submission port.
>
> Mail that is injected (i.e. from CRON, applications, etc), still
> passes through amavis (obviously) but doesn't get signed.  I would
> like to sign those mails as well.
>
> As I was writing this, it occurred to me that the way to do that is to
> add the content filter in master.cf
>
>   -o content_filter=dksign:[127.0.0.1]:10028
>
> I think I need to add that to the pickup line - is that correct?  If
> not, where do I add it so that mails that are injected are added?

Well, in the absence of anyone telling me not to be stupid, I went
ahead and tried that.  It wasn't a miserable failure, but it didn't do
anything.

If anyone has any pointers on how to do this (or if you'd like to tell
me it's not possible and why) that would be great.

Thanks.

Simon

Re: Signing injected mail

Wietse Venema
Simon Brereton:

> On 4 November 2011 15:49, Simon Brereton <[hidden email]> wrote:
> > Hi
> >
> > Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
> > outgoing mail (sadly, before Amavis, so amavis verifies the signature
> > - but I'm okay with that for now) on the submission port.
> >
> > Mail that is injected (i.e. from CRON, applications, etc), still
> > passes through amavis (obviously) but doesn't get signed.  I would
> > like to sign those mails as well.
> >
> > As I was writing this, it occurred to me that the way to do that is to
> > add the content filter in master.cf
> >
> >   -o content_filter=dksign:[127.0.0.1]:10028
> >
> > I think I need to add that to the pickup line - is that correct?  If
> > not, where do I add it so that mails that are injected are added?
>
> Well, in the absence of anyone telling me not to be stupid, I went
> ahead and tried that.  It wasn't a miserable failure, but it didn't do
> anything.

First, you can add -o content_filter to the pickup daemon only if
your content filter is based on SMTP, otherwise you get an infinite
loop.

Second, you need to add the same -o content_filter information as
with the smtpd line.  There is nothing magical about filters, except
perhaps that DKIMPROXY expects to see message headers that the
pickup daemon cannot provide.

        Wietse

> If anyone has any pointers on how to do this (or if you'd like to tell
> me it's not possible and why) that would be great.
>
> Thanks.
>
> Simon
>
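As an added illustration of Wietse's two points (not code from the thread, from Postfix or from DKIMproxy), here is a small checker that parses a master.cf excerpt and flags a pickup service whose content_filter is missing, differs from the submission one, or points at a transport that is not smtp/lmtp; the service names, the signer address and the sample master.cf are constructed.

```python
import re
# Constructed master.cf excerpt (not the poster's real file): submission and
# pickup both hand mail to "dksign", an smtp-based transport relaying to a
# hypothetical signer on 127.0.0.1:10028; "dkpipe" only exists to show the loop.
SAMPLE_MASTER_CF = """\
submission inet  n       -       n       -       -       smtpd
  -o content_filter=dksign:[127.0.0.1]:10028
pickup     unix  n       -       n       60      1       pickup
  -o content_filter=dksign:[127.0.0.1]:10028
dksign     unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
dkpipe     unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}
"""

def parse_master_cf(text):
    """Map service name -> {"command": program, "options": {-o name: value}}."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # indented line continues the previous service
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and current:
                services[current]["options"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:  # name type private unpriv chroot wakeup maxproc command
            continue
        current = fields[0]
        services[current] = {"command": fields[7], "options": {}}
    return services

def content_filter_problems(services):
    """Return the misconfigurations the thread warns about, as strings."""
    problems = []
    sub = services.get("submission", {}).get("options", {}).get("content_filter")
    pick = services.get("pickup", {}).get("options", {}).get("content_filter")
    if sub and not pick:
        problems.append("pickup has no content_filter: locally injected mail is not filtered")
    elif sub and pick and sub != pick:
        problems.append("pickup content_filter differs from the submission one")
    if pick:
        transport = pick.split(":", 1)[0]
        cmd = services.get(transport, {}).get("command")
        if cmd not in ("smtp", "lmtp"):  # non-SMTP filters re-inject via pickup
            problems.append(f"pickup filter '{transport}' is not SMTP-based ({cmd}): re-injected mail would loop back through pickup")
    return problems
```

Run it against the real file with `parse_master_cf(open("/etc/postfix/master.cf").read())`; an empty list means both of Wietse's conditions hold for the pickup service.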

Re: Signing injected mail

Simon Brereton-2
On 8 November 2011 15:30, Wietse Venema <[hidden email]> wrote:

> Simon Brereton:
>> On 4 November 2011 15:49, Simon Brereton <[hidden email]> wrote:
>> > Hi
>> >
>> > Amavis checks both incoming and outgoing mail.  DKIMPROXY signs
>> > outgoing mail (sadly, before Amavis, so amavis verifies the signature
>> > - but I'm okay with that for now) on the submission port.
>> >
>> > Mail that is injected (i.e. from CRON, applications, etc), still
>> > passes through amavis (obviously) but doesn't get signed.  I would
>> > like to sign those mails as well.
>> >
>> > As I was writing this, it occurred to me that the way to do that is to
>> > add the content filter in master.cf
>> >
>> >   -o content_filter=dksign:[127.0.0.1]:10028
>> >
>> > I think I need to add that to the pickup line - is that correct?  If
>> > not, where do I add it so that mails that are injected are added?
>>
>> Well, in the absence of anyone telling me not to be stupid, I went
>> ahead and tried that.  It wasn't a miserable failure, but it didn't do
>> anything.
>
> First, you can add -o content_filter to the pickup daemon only if
> your content filter is based on SMTP otherwise you get an infinite
> loop.
>
> Second, you need to add the same -o content_filter information as
> with the smtpd line.  There is nothing magical about filters, except
> perhaps that DKIMPROXY expects to see message headers that the
> pickup daemon cannot provide.
>
>        Wietse
>
>> If anyone has any pointers on how to do this (or if you'd like to tell
>> me it's not possible and why) that would be great.


I don't think this is your fault - but that went completely over my
level of smtp understanding.

Putting the content filter in the pickup (exactly as it is in the
smtpd) doesn't appear to do anything.  But then I expect that's
related to your comment about the content-filter being based on smtp.
I don't get an infinite loop.  I don't get anything.

I think I'll have to wait until I start running separate
amavis/postfix processes to figure this out.

Simon

Re: Signing injected mail

Noel Jones-2
On 11/8/2011 10:35 PM, Simon Brereton wrote:

> On 8 November 2011 15:30, Wietse Venema <[hidden email]>
> wrote:
>> Simon Brereton:
>>> On 4 November 2011 15:49, Simon Brereton
>>> <[hidden email]> wrote:
>>>> Hi
>>>>
>>>> Amavis checks both incoming and outgoing mail.  DKIMPROXY
>>>> signs outgoing mail (sadly, before Amavis, so amavis
>>>> verifies the signature - but I'm okay with that for now)
>>>> on the submission port.
>>>>
>>>> Mail that is injected (i.e. from CRON, applications,
>>>> etc), still passes through amavis (obviously) but doesn't
>>>> get signed.  I would like to sign those mails as well.
>>>>
>>>> As I was writing this, it occurred to me that the way to
>>>> do that is to add the content filter in master.cf
>>>>
>>>>   -o content_filter=dksign:[127.0.0.1]:10028
>>>>
>>>> I think I need to add that to the pickup line - is that
>>>> correct?  If not, where do I add it so that mails that
>>>> are injected are added?
>>>
>>> Well, in the absence of anyone telling me not to be stupid,
>>> I went ahead and tried that.  It wasn't a miserable
>>> failure, but it didn't do anything.
>>
>> First, you can add -o content_filter to the pickup daemon
>> only if your content filter is based on SMTP otherwise you
>> get an infinite loop.
>>
>> Second, you need to add the same -o content_filter
>> information as with the smtpd line.  There is nothing magical
>> about filters, except perhaps that DKIMPROXY expects to see
>> message headers that the pickup daemon cannot provide.
>>
>> Wietse
>>
>>> If anyone has any pointers on how to do this (or if you'd
>>> like to tell me it's not possible and why) that would be
>>> great.
>
>
> I don't think this is your fault - but that went completely
> over my level of smtp understanding.
>
> Putting the content filter in the pickup (exactly as it is in
> the smtpd) doesn't appear to do anything.  But then I expect
> that's related to your comment about the content-filter being
> based on smtp.  I don't get an infinite loop.  I don't get
> anything.
>
> I think I'll have to wait until I start running separate
> amavis/postfix processes to figure this out.
>
> Simon


I think you should spend 15 minutes to get amavisd-new to do your
DKIM signing and drop dkimproxy.  Better performance, simpler
setup, one less critical component in the mail path.  See the
amavisd-new release notes and docs for further info.



  -- Noel Jones

Re: Signing injected mail

Simon Brereton-2
On 9 November 2011 00:48, Noel Jones <[hidden email]> wrote:

> On 11/8/2011 10:35 PM, Simon Brereton wrote:
>> On 8 November 2011 15:30, Wietse Venema <[hidden email]>
>> wrote:
>>> Simon Brereton:
>>>> On 4 November 2011 15:49, Simon Brereton
>>>> <[hidden email]> wrote:
>>>>> Hi
>>>>>
>>>>> Amavis checks both incoming and outgoing mail.  DKIMPROXY
>>>>> signs outgoing mail (sadly, before Amavis, so amavis
>>>>> verifies the signature - but I'm okay with that for now)
>>>>> on the submission port.
>>>>>
>>>>> Mail that is injected (i.e. from CRON, applications,
>>>>> etc), still passes through amavis (obviously) but doesn't
>>>>> get signed.  I would like to sign those mails as well.
>>>>>
>>>>> As I was writing this, it occurred to me that the way to
>>>>> do that is to add the content filter in master.cf
>>>>>
>>>>>   -o content_filter=dksign:[127.0.0.1]:10028
>>>>>
>>>>> I think I need to add that to the pickup line - is that
>>>>> correct?  If not, where do I add it so that mails that
>>>>> are injected are added?
>>>>
>>>> Well, in the absence of anyone telling me not to be stupid,
>>>> I went ahead and tried that.  It wasn't a miserable
>>>> failure, but it didn't do anything.
>>>
>>> First, you can add -o content_filter to the pickup daemon
>>> only if your content filter is based on SMTP otherwise you
>>> get an infinite loop.
>>>
>>> Second, you need to add the same -o content_filter
>>> information as with the smtpd line.  There is nothing magical
>>> about filters, except perhaps that DKIMPROXY expects to see
>>> message headers that the pickup daemon cannot provide.
>>>
>>> Wietse
>>>
>>>> If anyone has any pointers on how to do this (or if you'd
>>>> like to tell me it's not possible and why) that would be
>>>> great.
>>
>>
>> I don't think this is your fault - but that went completely
>> over my level of smtp understanding.
>>
>> Putting the content filter in the pickup (exactly as it is in
>> the smtpd) doesn't appear to do anything.  But then I expect
>> that's related to your comment about the content-filter being
>> based on smtp.  I don't get an infinite loop.  I don't get
>> anything.
>>
>> I think I'll have to wait until I start running separate
>> amavis/postfix processes to figure this out.
>>
>> Simon
>
>
> I think you should spend 15 minutes to get amavisd-new to do your
> DKIM signing and drop dkimproxy.  Better performance, simpler
> setup, one less critical component in the mail path.  See the
> amavisd-new release notes and docs for further info.
>


Noel, you're almost always right - but I'm so proud of my dkim setup :)

Probably this is in the documentation, but since amavis checks ALL
mail (incoming and outgoing) doesn't that mean it would try to sign
incoming mail?

Actually that can't be right.  Most people use amavis to check
outgoing mail only, so for it to do dkim signing it must be able to
tell what's going in and what's going out.

I'll RTFM.

Simon

Re: Signing injected mail

Noel Jones-2

On 11/9/2011 9:43 AM, Simon Brereton wrote:

> Probably this is in the documentation, but since amavis checks
> ALL mail (incoming and outgoing) doesn't that mean it would try
> to sign incoming mail?

I admit that I'm not particularly familiar with dkimproxy, but so
far I'm not impressed.

amavisd-new has reliable methods to determine which mail to sign
and which to verify, as does the other recommended signer/verifier
OpenDKIM. RTFineM for details.



  -- Noel Jones

Re: Signing injected mail

mouss-4
On 09/11/2011 16:43, Simon Brereton wrote:

> On 9 November 2011 00:48, Noel Jones <[hidden email]> wrote:
>> On 11/8/2011 10:35 PM, Simon Brereton wrote:
>>> On 8 November 2011 15:30, Wietse Venema <[hidden email]>
>>> wrote:
>>>> Simon Brereton:
>>>>> On 4 November 2011 15:49, Simon Brereton
>>>>> <[hidden email]> wrote:
>>>>>> Hi
>>>>>>
>>>>>> Amavis checks both incoming and outgoing mail.  DKIMPROXY
>>>>>> signs outgoing mail (sadly, before Amavis, so amavis
>>>>>> verifies the signature - but I'm okay with that for now)
>>>>>> on the submission port.
>>>>>>
>>>>>> Mail that is injected (i.e. from CRON, applications,
>>>>>> etc), still passes through amavis (obviously) but doesn't
>>>>>> get signed.  I would like to sign those mails as well.
>>>>>>
>>>>>> As I was writing this, it occurred to me that the way to
>>>>>> do that is to add the content filter in master.cf
>>>>>>
>>>>>>   -o content_filter=dksign:[127.0.0.1]:10028
>>>>>>
>>>>>> I think I need to add that to the pickup line - is that
>>>>>> correct?  If not, where do I add it so that mails that
>>>>>> are injected are added?
>>>>>
>>>>> Well, in the absence of anyone telling me not to be stupid,
>>>>> I went ahead and tried that.  It wasn't a miserable
>>>>> failure, but it didn't do anything.
>>>>
>>>> First, you can add -o content_filter to the pickup daemon
>>>> only if your content filter is based on SMTP otherwise you
>>>> get an infinite loop.
>>>>
>>>> Second, you need to add the same -o content_filter
>>>> information as with the smtpd line.  There is nothing magical
>>>> about filters, except perhaps that DKIMPROXY expects to see
>>>> message headers that the pickup daemon cannot provide.
>>>>
>>>> Wietse
>>>>
>>>>> If anyone has any pointers on how to do this (or if you'd
>>>>> like to tell me it's not possible and why) that would be
>>>>> great.
>>>
>>>
>>> I don't think this is your fault - but that went completely
>>> over my level of smtp understanding.
>>>
>>> Putting the content filter in the pickup (exactly as it is in
>>> the smtpd) doesn't appear to do anything.  But then I expect
>>> that's related to your comment about the content-filter being
>>> based on smtp.  I don't get an infinite loop.  I don't get
>>> anything.
>>>
>>> I think I'll have to wait until I start running separate
>>> amavis/postfix processes to figure this out.
>>>
>>> Simon
>>
>>
>> I think you should spend 15 minutes to get amavisd-new to do your
>> DKIM signing and drop dkimproxy.  Better performance, simpler
>> setup, one less critical component in the mail path.  See the
>> amavisd-new release notes and docs for further info.
>>
>
>
> Noel, you're almost always right - but I'm so proud of my dkim setup :)
>
> Probably this is in the documentation, but since amavis checks ALL
> mail (incoming and outgoing) doesn't that mean it would try to sign
> incoming mail?
>
> Actually that can't be right.  Most people use amavis to check
> outgoing mail only, so for it to do dkim signing it must be able to
> tell what's going in and what's going out.
>
> I'll RTFM.
>

I haven't tried dkim-proxy in a long, long time.

- as Noel says, amavisd-new can do all that. Yes, you can tell it to
sign what you want. It's easy to set up.



- as I prefer to separate functions, I use milter-dkim
KeyList /path/to/milter-dkim_keylist.conf

#cat /path/to/milter-dkim_keylist.conf
*:example.com:/path/to/privatekey
...