Home / server / Questions / 1060672
Accepted
jcsanyi
Asked: 2021-04-17 20:29:30 +0800 CST

Postfix client cert info not being passed to opendkim milter

  • 772

I have a private postfix server that uses dovecot sasl to optionally authenticate submission clients, and I'm trying to set it up to also accept client certificates to allow it to act as a relay host for certain specific origin servers.

I've got it mostly working, but ran into a hiccup where the opendkim milter doesn't recognize the certificate-authenticated relay connections as internal or authenticated, so it does not add a DKIM signature.

in main.cf:

milter_default_action = accept
smtpd_milters = inet:opendkim:8891
non_smtpd_milters = inet:opendkim:8891

smtpd_tls_CAfile = /path/to/private-ca-cert.pem
tls_append_default_CA = no
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,permit_tls_all_clientcerts,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,permit_tls_all_clientcerts,reject_unauth_destination

and in master.cf under submission/inet:

-o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_all_clientcerts,reject
-o smtpd_tls_ask_ccert=yes

All of the above is working, and connections that present a valid cert signed by my private CA are allowed relay access.

However, these relayed emails are not signed by opendkim - instead, the opendkim milter logs this:

external host [host.that.connected.with.cert] attempted to send as [mydomain.com]

I know I could use the opendkim ExternalIgnoreList config, but since these hosts are on dynamic IPs, that's not an ideal solution, and I'm looking for a solution that accepts any host just like it accepts mail sent through a SASL-authenticated submission connection from any mail client.

I believe I've traced it to the {auth_authen} macro that the milter uses to determine whether the mail came from an authenticated connection... postfix is only setting that macro to the sasl username.

Is there any way I can expand the functionality of {auth_authen} or add a new macro (using opendkim's MacroList config) in order to indicate that a valid client certificate was used?

postfix client-certificate milter

1 Answers

  1. Best Answer

    Because you only accept authenticated mail anyway, you do not need to pass information about which method was used to opendkim - only the (boolean) distinction between ports that have mandatory authentication (sign) and ports that do not offer authentication (verify).

    You can set -o milter_macro_daemon_name=whatever in master.cf to let opendkim know which mail should be signed. That macro would otherwise default to $myhostname, but by using (arbitrary, opendkim does not care) different values for verifying-only and for mandatory-auth ports you can distinguish them.

    Docs recommend using ORIGINATING and VERIFYING to make it super obvious. MacroList in your opendkim.conf can then check whether daemon_name is equal to whatever you set.

    • 2