DKIM signing

Jason Ede J.Ede at birchenallhowden.co.uk
Mon Jun 22 21:13:52 IST 2009


From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: 22 June 2009 20:35
To: 'MailScanner discussion'
Subject: RE: DKIM signing

I am not sure how sendmail does things but I use two instances of exim as well,

    eximIN (check DKIM)----------------->INqueue--> MailScanner(Do MS Stuff)---->OUTQueue-----> EximOut(Sign DKIM and other out stuff)

The only difference between the exim instances is the config(s) they use. I have no recpt, data, ehlo acls in the outbound and I have no domainkey/DKIM signing in the inbound.

Rick

________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 2:58 PM
To: MailScanner discussion
Subject: Re: DKIM signing
The point I was trying to make is that MailScanner works like this (oversimplifying, I know, but bear with me):

1. First instance of sendmail grabs e-mail after milters and such, and deposits in an incoming queue
2. MailScanner grabs, scans, deals with messages in the queue and places them in the outgoing (final) queue
3. Second instance of sendmail grabs e-mail from outgoing (final) queue and delivers them to their final destination.

In order to DKIM-sign things it would have to be done using the second instance. Since MailScanner basically runs the same instance of sendmail using a command line parameter to distinguish the two, there would have to be a slight change to the way step 3 is done if you wanted to do it on one machine. Otherwise step 4 would be to have the outgoing MTA (separate machine) do the DKIM signing.

Please correct me if I'm looking at this the wrong way.
On Mon, Jun 22, 2009 at 1:42 PM, Rick Cooper <rcooper at dwford.com> wrote:
I don't use sendmail (exim no milters required) but I am sure there is a way to handle it easily in sendmail. Be advised however that when I first implemented domainkeys the test server at sendmail.net was the only domainkeys test server (of 4) to state that my keys were invalid. It does pass my DKIM keys but still doesn't pass the domainkeys.

Rick

________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 12:02 PM
To: MailScanner discussion
Subject: Re: DKIM signing
Any chance of someone thinking up a way to fire up a third instance of sendmail on one machine to do something like this?
On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper <rcooper at dwford.com> wrote:
You don't want to sign dkim or domainkeys until the last thing before the
message is "placed on the wire". Any modification made after the signing
will, of course, make the signature invalid. This means the outbound MTA has
to be the signing agent.

Rick

Does anyone have some information on how to do this with postfix? I've 1 instance of postfix running that uses Julian's hold queue method.

Jason
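
The point made in this thread, that any change to a message after signing invalidates the signature, shown as an added example (not code from any poster or from MailScanner): it computes the DKIM body hash (the bh= tag) under RFC 6376 "simple" and "relaxed" body canonicalization for a constructed message, before and after changes a content scanner or relay might make. The function names and sample text are assumptions; the header signature (b=) is not covered.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, finish with one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse WSP runs and strip WSP at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str) -> str:
    """Value a signer puts in bh= (rsa-sha256), and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()


def survives(signed: bytes, delivered: bytes, canon: str) -> bool:
    """True if the bh= computed at signing time still matches on delivery."""
    return body_hash(signed, canon) == body_hash(delivered, canon)


# Constructed sample: the body as it was when signed, then three things that
# can happen to it between signing and the wire.
SIGNED = b"Hello Bob,\r\n\r\nInvoice attached.\r\n"
CHANGES = {
    "extra blank lines at end": SIGNED + b"\r\n\r\n",
    "whitespace re-flowed": b"Hello  Bob, \r\n\r\nInvoice\tattached.\r\n",
    "scanner footer appended": SIGNED + b"-- \r\nThis message has been scanned.\r\n",
}

if __name__ == "__main__":
    for what, delivered in CHANGES.items():
        print(f"{what:26} simple={survives(SIGNED, delivered, 'simple')} "
              f"relaxed={survives(SIGNED, delivered, 'relaxed')}")
```

Relaxed canonicalization tolerates whitespace changes only; an appended footer breaks the hash under both modes, which is why signing has to happen in the outbound MTA after the scanner has finished.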
