OpenDKIM and Postfix configuration question

Postfix is configured on my server to use SASL authentication for messages submitted via port 587. OpenDKIM has been set up for both signing and verification. In /etc/opendkim.conf, InternalHosts refers to a file that lists various addresses, including the IPv6 range of my home network, as well as my domain name (".jasonjgw.net"). Consequently, messages submitted by hosts on my home network are signed by OpenDKIM. However, if, for example, I take a laptop to a different network and then attempt to send mail from it via port 587 on the server, it isn't signed, even though it has been authenticated with SASL in the Postfix session. Obviously, it doesn't match any of the addresses given in the InternalHosts file. Is there a way to configure OpenDKIM to sign messages from hosts that have SASL credentials, regardless of which network they're on?

Hi Jason,

On Thu, Dec 15, 2016 at 1:37 PM, Jason White via luv-main <luv-main@luv.asn.au> wrote:
> Is there a way to configure OpenDKIM to sign messages from hosts that have SASL credentials, regardless of which network they're on?

Did you find a solution?

B.1.3 Roaming Users

Roaming users often find themselves in circumstances where it is convenient or necessary to use an SMTP server other than their home server; examples are conferences and many hotels. In such circumstances, a signature that is added by the submission service will use an identity that is different from the user's home system.

Ideally, roaming users would connect back to their home server using either a VPN or a SUBMISSION server running with SMTP AUTHentication on port 587. If the signing can be performed on the roaming user's laptop, then they can sign before submission, although the risk of further modification is high. If neither of these are possible, these roaming users will not be able to send mail signed using their own domain key.

---

I thought of the same, signing on the laptop or using VPN (so you have a fixed address). Both of them may be considered if everything else fails.

However, I read the opendkim.conf manpage back and forth and cannot find a way of trusting SASL submissions.

However, there is dkimproxy (I have not used it yet, I have to say). It looks to me as if it could do the job for you, if you want to "mask" all mail authenticated by SASL.

Cheers
Peter

Peter Ross via luv-main <luv-main@luv.asn.au> wrote:
> I thought of the same, signing on the laptop or using VPN (so you have a fixed address). Both of them may be considered if everything else fails.

This is indeed an option. Mobile phones and tablets make this more complicated of course.

> However, I read the opendkim.conf manpage back and forth and cannot find a way of trusting SASL submissions.
> However, there is dkimproxy (I have not used it yet, I have to say). It looks to me as if it could do the job for you, if you want to "mask" all mail authenticated by SASL.

Thank you - I'll look at it when time permits. This may be a solution.

From a laptop, my current solution is to access the server via ssh, run Mutt (which is what I would be using anyway), and write the mail directly on the server - again, not good for mobile devices unless I find an accessible ssh client for them that works with my assistive technologies (another challenge).

Participants (2): Jason White, Peter Ross