DKIM will not sign on port 25


#1

Hi,

Spent this afternoon implementing DKIM Proxy, all with complete success apart from signing DKIM on port 25 outbound. I have a couple of questions, if I may…

Firstly, my {relevant} postfix master.cf configuration.
pastebin.ca/604544

Port 587 and 465 happily accept and sign outgoing SMTP. However, I just cannot get port 25 to sign outbound mail. What am I doing wrong, please?

Secondly, I believe the instructions at
jason.long.name/dkimproxy/faq.html to be critically incorrect with regards to one entry:

Yes. In your master.cf, look at the example for using the submission port, and add those same parameters to the smtp service. E.g. you might have…

smtp inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

The smtpd_recipient_restrictions entry will actually reject all e-mail bar from IPs in my_networks or sasl_authenticated (ie, 99% of e-mailed will be perm failed!!). Can these instructions please be altered to stop anyone experiencing such an outage…

Any advice on my port 25 issue, appreciated.

Thanks,
Chris


#2

If your server is only used for sending outgoing mail, then this shouldn’t be a problem. The point is we don’t want to sign mail from untrusted sources, and that’s what could happen if you direct that mail through dkimproxy.out.


#3

A fair point regarding if the postfix server is purely SMTP outbound. However, there’s one problem with this, surely…

What if the user doesn’t relay through a port that ==25? Their mail would be rejected if my understanding is correct.

Either way, please can the faq be updated to ensure that people who implement both smtp out and inbound postfix daemons are not caught out by this.

Appreciate your reply,
Chris


#4

Sure. I thought it was already clear by stating it in the question, but I added a sentence to the answer which may help.