I'm signing email just fine, but I don't want to sign relayed email when the "From" address is one of the domains I'm signing.
What's the right way to configure Postfix/OpenDKIM to sign only from these sources?
- localhost
- traffic via the submission port (which only allows SASL-authenticated sources)
- backup MX servers (authenticated with relay_clientcert)
I can imagine a solution by installing two instances of OpenDKIM, one for a verifying pipeline and another for signing, but I'm hoping there's a simpler and more direct solution.
A strong caveat - I haven't done this, but it's what I'd try first.
You should probably start by making sure your sending MUAs don't use port 25, e.g. require that submissions be made on ports 465 or 587. You should configure things such that mail received on port 25 is never relayed outwards.
You can then configure the master.cf file such that 'submission' is handled differently than 'smtp'. Those entries can include many of the settings you'd otherwise put in the main.cf file, and I'm thinking you could set smtpd_milters and/or non_smtpd_milters in the master.cf file.
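The per-service approach described above, written out as an added example (not the asker's or answerer's configuration). It assumes OpenDKIM listens on `inet:localhost:8891`, that Postfix's default `smtpd_milters` in main.cf already points there for the verifying path, and that the backup MX addresses live in a hypothetical `/etc/opendkim/internal.hosts` file. Rather than dropping the milter on port 25 entirely (which would also stop OpenDKIM from verifying inbound mail), it keeps the milter on every service and uses the Postfix `milter_macro_daemon_name` override so OpenDKIM can tell the submission service apart from ordinary port-25 traffic and sign only the former; localhost and the backup MX relays, which still arrive on port 25, are matched by IP through `InternalHosts`.

```text
# --- /etc/postfix/master.cf (added example fragment) ---
# service    type  private unpriv chroot wakeup maxproc command + args
#
# Port 25: inbound MX and backup-MX traffic. The milter still runs so
# inbound mail is verified; OpenDKIM sees the default daemon name and
# does not sign unless the client IP is listed in InternalHosts.
smtp         inet  n       -       n       -       -       smtpd
  -o smtpd_milters=inet:localhost:8891

# Port 587: SASL-authenticated submission only. The ORIGINATING daemon
# name tells OpenDKIM this traffic is ours and should be signed.
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:localhost:8891

# --- /etc/opendkim.conf (added example fragment) ---
# Verify everything, sign only what InternalHosts or MTA selects.
Mode            sv
# Sign mail whose Postfix daemon name is ORIGINATING (the submission
# service above). Port-25 traffic never carries this name.
MTA             ORIGINATING
# Sign mail from these client IPs even on port 25: localhost and the
# backup MX hosts that authenticate with relay_clientcert.
InternalHosts   refile:/etc/opendkim/internal.hosts

# --- /etc/opendkim/internal.hosts (constructed sample) ---
127.0.0.1
::1
# hypothetical backup MX addresses; replace with the real ones
192.0.2.10
192.0.2.11
```

A relayed message with a signing-domain `From:` that arrives on port 25 from any other host is neither an internal host nor tagged ORIGINATING, so OpenDKIM verifies it and passes it through unsigned. To check the split, send one test message through port 587 with SASL and one through port 25 from an outside address, and compare the `DKIM-Signature:` header and the `opendkim` lines in the mail log for each.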