DevHeads.net

Outbound DKIM signing milter options for Postfix?

I'm setting up outbound DKIM signing for a Postfix instance.

I'd prefer something other than OpenDKIM or Amavisd.

Other than DIY, is there a solid/stable milter for outbound signing folks are successfully using with Postfix?

Appreciate any references!

Comments

Re: Outbound DKIM signing milter options for Postfix?

By =?UTF-8?B?0JjQu... at 10/11/2018 - 03:35

we use opendkim (somehow it does not crash for us, yes, I have seen many
unresolved issues).
however, I'd like to raise another question :)

opendkim is attached to postfix via milter. it is pain.
under high load (when lots of marketing letters are sent) we have to choose
between

1) if milter is inaccessible, send without DKIM signature
2) if milter is inaccessible, reject

what I'd really like to have is a way to execute dkim sign and wait for a
child until it signs. no milter.
is it available?

Thu, 11 Oct 2018 at 7:11, <pg151@dev-mail.net>:

Re: Outbound DKIM signing milter options for Postfix?

By Matus UHLAR - f... at 10/11/2018 - 03:51

On 11.10.18 13:35, Илья Шипицин wrote:
I believe this could be done by using post-queue content filter:
http://www.postfix.org/postconf.5.html#content_filter

Re: Outbound DKIM signing milter options for Postfix?

By Robert Schetterer at 10/11/2018 - 04:37

On 11.10.2018 at 10:51, Matus UHLAR - fantomas wrote:
http://dkimproxy.sourceforge.net/ "may"
help for this case
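
An added configuration sketch, not from any poster in this thread, of the two hookups discussed above: the milter failure-mode setting behind the "send unsigned or reject" choice, and a post-queue content filter where mail waits in the queue while the signer is down. The milter socket, the ports (8891, 10027, 10028) and the `dksign` transport name are assumptions.

```cfg
# --- main.cf: milter hookup (the setup described in the first reply) ---
# Assumed signer socket; adjust to your milter's listener.
smtpd_milters         = inet:127.0.0.1:8891
non_smtpd_milters     = $smtpd_milters
# What Postfix does when the milter is unreachable or times out:
#   accept   -> mail goes out WITHOUT a DKIM signature
#   reject   -> the client gets a permanent 5xx
#   tempfail -> the client gets a 4xx and must retry (the Postfix default)
milter_default_action = tempfail

# --- master.cf: post-queue content filter instead of a milter ---
# Mail is accepted and queued first. If the signer on port 10027 is down,
# the message is deferred in the queue and retried later, so nothing
# leaves unsigned and nothing is rejected at SMTP time.
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027

# Transport that hands queued mail to the signing proxy.
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes

# Re-injection listener: the proxy returns signed mail here.
# content_filter is cleared so signed mail is not filtered a second time.
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

Use one hookup or the other for signing, not both; the re-injection listener should stay bound to loopback because it accepts mail without the usual checks.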

Re: Outbound DKIM signing milter options for Postfix?

By pg151 at 10/11/2018 - 10:47

On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
In principle. Tho, not clear yet on whether I want/prefer a milter or proxy. Leaning to milter ...

But last release in 2010-11-14 sounds 'pretty dead' to me!

Re: Outbound DKIM signing milter options for Postfix?

By Robert Schetterer at 10/11/2018 - 12:47

On 11.10.2018 at 17:47, pg151@dev-mail.net wrote:
yeah, but the question was for a special case and not using a milter
just for signing only it should work

Best Regards
MfG Robert Schetterer

Re: Outbound DKIM signing milter options for Postfix?

By B. Reino at 10/11/2018 - 02:48

On 2018-10-11 04:08, pg151@dev-mail.net wrote:
I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.

Cheers.

Re: Outbound DKIM signing milter options for Postfix?

By pg151 at 10/11/2018 - 10:44

On Thu, Oct 11, 2018, at 12:48 AM, B. Reino wrote:
rspamd is in the same bucket as amavis from my perspective.

I prefer a single-function/focus tool rather than a 'swiss-army knife' approach

Re: Outbound DKIM signing milter options for Postfix?

By Benny Pedersen at 10/11/2018 - 09:51

B. Reino wrote on 2018-10-11 09:48:

rspamd is a bit of overkill for dkim signing

with well supported ucl it's easy to configure it

xml was hard to manage

Re: Outbound DKIM signing milter options for Postfix?

By B. Reino at 10/11/2018 - 13:28

If you only want DKIM signing, then yes.

In my case, rspamd does DKIM signing, DKIM/SPF/DMARC checking (+ DMARC
Reporting), plus of course its core task of spam filtering.

One milter to rule them all, so to speak :)

Cheers.

Re: Outbound DKIM signing milter options for Postfix?

By Dominic Raferd at 10/11/2018 - 03:21

I have had no problems with opendkim and I like that it plays well with
opendmarc. 'do one thing and do it well' + 'programs should work together'.
YMMV.

Re: Outbound DKIM signing milter options for Postfix?

By pg151 at 10/11/2018 - 10:54

On Thu, Oct 11, 2018, at 1:21 AM, Dominic Raferd wrote:
I didn't either. Do now. Consistent crashing whether distro-installed or DIY-builds.

Crashes appear malloc related; reported to upstream. Unfortunately, LOTS of bugs there with very little, if any, response from the dev(s?).

It's just my opinion, based on my experience, but, for me, the "TrustedDomainProject" ... isn't. Which is why I'm in here asking/learning about alternatives.

Agree with both *principles*.

Along those lines, for inbound verification, I'm watching/trying

https://github.com/fastmail/authentication_milter

with some interest. It's "one person" (afaict), but it's used by FastMail in production ... which in my book, is a big, testimonial thumbs-up. Proof's in the pudding, of course.

That it does, that it does ...

Re: Outbound DKIM signing milter options for Postfix?

By Scott Kitterman at 10/10/2018 - 21:16

On October 11, 2018 2:08:09 AM UTC, pg151@dev-mail.net wrote:
I gave up on OpenDKIM and wrote my own:

https://launchpad.net/dkimpy-milter

I need to update the readme. The ed25519 signature version it supports is what ended up in RFC 8463.

Scott K

Re: Outbound DKIM signing milter options for Postfix?

By pg151 at 10/10/2018 - 21:23

On Wed, Oct 10, 2018, at 7:16 PM, Scott Kitterman wrote:
Same here. Too many crashes, and too little response. Moved on.

Gr8, thx. I've used a number of your products (thx agn!), but missed this completely!

Now to trundle off to see if your dkimpy supports/uses Signing/Key tables for multi-domain support ...

Re: Outbound DKIM signing milter options for Postfix?

By pg151 at 10/10/2018 - 22:52

On Wed, Oct 10, 2018, at 7:23 PM, pg151@dev-mail.net wrote:
appears that's a "no" for now ...

"...
domains is implied by the lines in that file. [SigningTable NOT IMPLEMENTED] <<<<<<

This parameter is ignored if a KeyTable is defined. [KeyTable NOT IMPLEMENTED] <<<<<<
..."