From 0d890274fda0ada70e19740df192c2e38cac69d2 Mon Sep 17 00:00:00 2001 From: link2xt Date: Thu, 18 Dec 2025 00:12:25 +0000 Subject: [PATCH] feat: use daemon_name for OpenDKIM sign-verify decision instead of IP On FreeBSD 127.0.0.2 is not assigned to any interface by default, so 127.0.0.2 source address hack cannot be used to make OpenDKIM verify the signature instead of signing. This change sets InternalHosts to `-` so no IP addresses make OpenDKIM sign the message. Instead of IP address, OpenDKIM in the outgoing pipeline is explicitly told to sign messages by setting `{daemon_name}` macro to `ORIGINATING`. --- chatmaild/src/chatmaild/filtermail.py | 3 --- cmdeploy/src/cmdeploy/opendkim/final.lua | 3 ++- cmdeploy/src/cmdeploy/opendkim/opendkim.conf | 6 ++++++ cmdeploy/src/cmdeploy/postfix/master.cf.j2 | 3 +-- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/chatmaild/src/chatmaild/filtermail.py b/chatmaild/src/chatmaild/filtermail.py index cd0a4e1d..43c51674 100644 --- a/chatmaild/src/chatmaild/filtermail.py +++ b/chatmaild/src/chatmaild/filtermail.py @@ -307,12 +307,9 @@ class IncomingBeforeQueueHandler: return error log_info("re-injecting the mail that passed checks") - # the smtp daemon on reinject_port_incoming gives it to dkim milter - # which looks at source address to determine whether to verify or sign client = SMTPClient( "localhost", self.config.postfix_reinject_port_incoming, - source_address=("127.0.0.2", 0), ) client.sendmail( envelope.mail_from, envelope.rcpt_tos, envelope.original_content diff --git a/cmdeploy/src/cmdeploy/opendkim/final.lua b/cmdeploy/src/cmdeploy/opendkim/final.lua index ce909f01..2779e38d 100644 --- a/cmdeploy/src/cmdeploy/opendkim/final.lua +++ b/cmdeploy/src/cmdeploy/opendkim/final.lua @@ -1,4 +1,5 @@ -if odkim.internal_ip(ctx) == 1 then +mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}") +if mtaname == "ORIGINATING" then -- Outgoing message will be signed, -- no need to look for signatures. return nil diff --git a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf index 188d69da..cfa654b4 100644 --- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf +++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf @@ -65,3 +65,9 @@ PidFile /run/opendkim/opendkim.pid # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided # by the package dns-root-data. TrustAnchorFile /usr/share/dns/root.key + +# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set. +MTA ORIGINATING + +# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly. +InternalHosts - diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 index 6dc03ed8..3f3a3a07 100644 --- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 +++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 @@ -31,7 +31,6 @@ submission inet n - y - 5000 smtpd -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -o smtpd_client_connection_count_limit=1000 -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }} smtps inet n - y - 5000 smtpd @@ -49,7 +48,6 @@ smtps inet n - y - 5000 smtpd -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_client_connection_count_limit=1000 - -o milter_macro_daemon_name=ORIGINATING -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }} #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup @@ -81,6 +79,7 @@ filter unix - n n - - lmtp # Local SMTP server for reinjecting outgoing filtered mail. 127.0.0.1:{{ config.postfix_reinject_port }} inet n - n - 100 smtpd -o syslog_name=postfix/reinject + -o milter_macro_daemon_name=ORIGINATING -o smtpd_milters=unix:opendkim/opendkim.sock -o cleanup_service_name=authclean