diff --git a/chatmaild/src/chatmaild/filtermail.py b/chatmaild/src/chatmaild/filtermail.py
index cd0a4e1d..43c51674 100644
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -307,12 +307,9 @@ class IncomingBeforeQueueHandler:
 return error
 log_info("re-injecting the mail that passed checks")
- # the smtp daemon on reinject_port_incoming gives it to dkim milter
- # which looks at source address to determine whether to verify or sign
 client = SMTPClient(
 "localhost",
 self.config.postfix_reinject_port_incoming,
- source_address=("127.0.0.2", 0),
 )
 client.sendmail(
 envelope.mail_from, envelope.rcpt_tos, envelope.original_content
diff --git a/cmdeploy/src/cmdeploy/opendkim/final.lua b/cmdeploy/src/cmdeploy/opendkim/final.lua
index ce909f01..2779e38d 100644
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -1,4 +1,5 @@
-if odkim.internal_ip(ctx) == 1 then
+mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
+if mtaname == "ORIGINATING" then
 -- Outgoing message will be signed,
 -- no need to look for signatures.
 return nil
diff --git a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
index 188d69da..cfa654b4 100644
--- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
@@ -65,3 +65,9 @@ PidFile /run/opendkim/opendkim.pid
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile /usr/share/dns/root.key
+
+# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
+MTA ORIGINATING
+
+# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
+InternalHosts -
diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
index 6dc03ed8..3f3a3a07 100644
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
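Review bot: In cmdeploy/src/cmdeploy/opendkim/final.lua the new `mtaname` is assigned without `local`, so it becomes a global in the Lua state instead of a variable of this script; `local mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")` keeps it scoped. The signature check is skipped only on an exact string match, and that deserves a one-line comment such as `-- any other value, or a missing macro, falls through to verification`. If the MTA does not pass `{daemon_name}`, the lookup presumably returns nil and the mail is verified rather than waved through, which is the safe direction. The rest of the script lies outside the hunk.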
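Review bot: In cmdeploy/src/cmdeploy/opendkim/opendkim.conf the `-` value on `InternalHosts` carries the whole sign-versus-verify separation, yet the comment does not say why it must stay. As far as I know, an unset InternalHosts defaults to 127.0.0.1, which would make loopback clients eligible for signing instead of verification. That would include filtermail's incoming re-injection, which this commit moves off the 127.0.0.2 source address. I would extend the comment to something like `# "-" is a placeholder entry that matches no host; keep it, the default (127.0.0.1) would sign loopback mail instead of verifying it.` A deployment test asserting that mail re-injected on the incoming port is verified and not signed would guard against a later regression.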
@@ -31,7 +31,6 @@ submission inet n - y - 5000 smtpd
 -o smtpd_sender_restrictions=$mua_sender_restrictions
 -o smtpd_recipient_restrictions=
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
- -o milter_macro_daemon_name=ORIGINATING
 -o smtpd_client_connection_count_limit=1000
 -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 smtps inet n - y - 5000 smtpd
@@ -49,7 +48,6 @@ smtps inet n - y - 5000 smtpd
 -o smtpd_recipient_restrictions=
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_client_connection_count_limit=1000
- -o milter_macro_daemon_name=ORIGINATING
 -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 #628 inet n - y - - qmqpd
 pickup unix n - y 60 1 pickup
@@ -81,6 +79,7 @@ filter unix - n n - - lmtp
 # Local SMTP server for reinjecting outgoing filtered mail.
 127.0.0.1:{{ config.postfix_reinject_port }} inet n - n - 100 smtpd
 -o syslog_name=postfix/reinject
+ -o milter_macro_daemon_name=ORIGINATING
 -o smtpd_milters=unix:opendkim/opendkim.sock
 -o cleanup_service_name=authclean
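Review bot: In the third hunk (the outgoing reinject listener), the added `-o milter_macro_daemon_name=ORIGINATING` is now the only thing that makes opendkim sign, and nothing next to it says so. I would add a second comment line under the existing one, for example `# ORIGINATING makes opendkim sign (see "MTA" in opendkim.conf); never set it on the incoming reinject listener.` A later copy of this option onto the incoming listener would silently turn verification into signing. The listener definition may continue past the visible end of the hunk, so whether client restrictions limit who can reach this port cannot be judged from here.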