feat: use daemon_name for OpenDKIM sign-verify decision instead of IP

On FreeBSD 127.0.0.2 is not assigned to any interface by default, so 127.0.0.2 source address hack cannot be used to make OpenDKIM verify the signature instead of signing. This change sets InternalHosts to `-` so no IP addresses make OpenDKIM sign the message. Instead of IP address, OpenDKIM in the outgoing pipeline is explicitly told to sign messages by setting `{daemon_name}` macro to `ORIGINATING`.
2026-05-15 02:14:36 +00:00 · 2025-12-18 00:12:25 +00:00
parent 7191329a9f
commit 0d890274fd
4 changed files with 9 additions and 6 deletions
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -307,12 +307,9 @@ class IncomingBeforeQueueHandler:
            return error
        log_info("re-injecting the mail that passed checks")

-        # the smtp daemon on reinject_port_incoming gives it to dkim milter
-        # which looks at source address to determine whether to verify or sign
        client = SMTPClient(
            "localhost",
            self.config.postfix_reinject_port_incoming,
-            source_address=("127.0.0.2", 0),
        )
        client.sendmail(
            envelope.mail_from, envelope.rcpt_tos, envelope.original_content