DKIM auth_only

[Safari77]

with "auth_only = yes", rmilter does not add dkim in these cases:

1. user connects to postfix submission port and authenticates using certificate
2. local user executes /usr/sbin/sendmail.postfix (e.g., using mutt)

For 1) , can a feature in rmilter be implemented that checks {cert_subject}, since postfix does not write
{auth_authen} into milter? I have allowed only postfix to access rmilter at 127.0.0.1:6666 .

2. ... this sucks, milter protocol sucks

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[vstakhov]

Cert subject might be setup by a remote connection as well if it is trusted (e.g. by means of DANE or PKI). Hence, this value cannot be used. Moreover, the auth_ssf macro that specifies some mystery 'encryption bits' by sendmail, is not presented in Postfix. Therefore, I see no ways how to solve your problem without deep patching of MTA. The only thing I do is to setup special map of ip networks for which all mail should be signed regardless authentication.

[basbebe]

I had the same problem – took me some time to figure out that I could try auth_only = no;
Logging would be appreciated

[vstakhov]

There is now option called sign_networks which is intended to contain IP or networks for which rmilter should perform DKIM signing.