From 203a7da3f4f888c86fa9eb98e0cce1ac67e4a8d9 Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Tue, 13 Jan 2026 13:26:08 -0800
Subject: [PATCH] Strip DKIM-Signature header before LMTP

Currently we strip the DKIM-Signature header in the OpenDKIM final.lua script after validation of the signature. We sign all messages upon submission, but we do not verify messages which are from a local account and delivered to another local account. This corrects the problem and ensures that the plaintext headers of a local to local delivery are sanitized the same as a message received from another server. The functionality in final.lua to strip the DKIM-Signature header can now be retired.
---
 cmdeploy/src/cmdeploy/postfix/deployer.py | 9 +++++++++
 cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup | 1 +
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 1 +
 3 files changed, 11 insertions(+)
 create mode 100644 cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup

diff --git a/cmdeploy/src/cmdeploy/postfix/deployer.py b/cmdeploy/src/cmdeploy/postfix/deployer.py
index c9079c9c..035bfbb5 100644
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -52,6 +52,15 @@ class PostfixDeployer(Deployer):
         )
         need_restart |= header_cleanup.changed
 
+        lmtp_header_cleanup = files.put(
+            src=get_resource("postfix/lmtp_header_cleanup"),
+            dest="/etc/postfix/lmtp_header_cleanup",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= lmtp_header_cleanup.changed
+
         # Login map that 1:1 maps email address to login.
         login_map = files.put(
             src=get_resource("postfix/login_map"),
diff --git a/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup b/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
new file mode 100644
index 00000000..d7389122
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
@@ -0,0 +1 @@
+/^DKIM-Signature:/ IGNORE
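Review bot: The new `files.put` block carries no comment saying why a second header-checks table exists, while the neighbouring `# Login map that 1:1 maps email address to login.` block documents its purpose; I would add above it `# Header table applied by the Postfix LMTP client (lmtp_header_checks in main.cf): strips DKIM-Signature from local-to-local deliveries, which OpenDKIM never verifies.` The OR into `need_restart` mirrors the existing `header_cleanup` handling, so a changed table restarts Postfix; a reload would presumably be enough for a regexp: table, but staying consistent with the sibling block is reasonable. The enclosing method starts before this hunk and continues past it.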
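Review bot: The single rule has no comment explaining why DKIM-Signature is dropped at delivery time, and because IGNORE is silent nothing in the mail log will show that a header was removed; I would add a leading comment line `# Drop DKIM-Signature on every LMTP delivery (local-to-local included) so the stored copy never carries it; OpenDKIM final.lua only stripped it on verified inbound mail.` Once this is in place the stored message can no longer be re-verified against its signature by Dovecot or the user's client, which matches the commit's stated sanitisation goal but should be a deliberate choice. Postfix regexp: tables match case-insensitively unless a rule turns that off, so a `dkim-signature:` spelling is also caught, assuming the default flags are in effect.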
diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index 2a1867cf..8fee07f2 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -77,6 +77,7 @@ inet_protocols = all
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
+lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
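Review bot: The new `lmtp_header_checks` line has no comment tying it to the table it references or to the scope it has; I would add above it `# lmtp(8) only: strip DKIM-Signature on delivery to Dovecot; outbound mail sent via smtp(8) keeps its signature.` The setting is evaluated by the LMTP delivery agent, so it only affects what is handed to the `dovecot-lmtp` virtual_transport two lines above and not mail relayed onward, which is the right scope for removing a signature. A regexp: table is read when the delivery agent starts, so the restart the deployer already triggers when the file changes is sufficient.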