I'm kind of staring myself blind at how to get ActiveSync to work correctly with my mail server, so maybe somebody here has an idea?

The deal is that the mail server is hosting four domains and I want all sent mails to have a DKIM signature.

I have gotten it to work when sending via SMTP, but it fails signing when the client uses ActiveSync to send the email.

Anyway, here is a diagram of how it works for SMTP:

Flowchart for mail handling in Postfix together with Amavis

Most of the magic in how Postfix decides how to identify mail sent from an authenticated user, which belongs to one of my hosted domains, vs. a mail from somewhere on the Internet comes from this line in /etc/postfix/main.cf:

smtpd_sender_restrictions = 
    check_sender_access regexp:/etc/postfix/tag_as_originating.re, 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, 
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

content_filter = amavis:[127.0.0.1]:10024

The content of /etc/postfix/tag_as_foreign.re:

/^/ FILTER amavis:[127.0.0.1]:10024

Amavis sends the result back to Postfix using port 10025, which is handled by /etc/postfix/master.cf with this configuration:

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

The content of /etc/postfix/tag_as_originating.re:

/^/ FILTER amavis:[127.0.0.1]:10026

The result is sent back to Postfix using port 10027 and handled by this code in /etc/postfix/master.cf:

127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o milter_default_action=accept
    -o milter_macro_daemon_name=ORIGINATING
    -o disable_dns_lookups=yes

Finally, here are the relevant lines in master.cf on how mails get introduced to Postfix in the first place:

smtp      inet  n       -       y       -       -       smtpd

pickup    unix  n       -       y       60      1       pickup

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

I am using Z-push to handle connections via ActiveSync, but my issue is as follows:

I have noticed in the mail.log that even though it is stated in the Z-push config files that it should pass incoming mails to Postfix via SMTP, it still insists on putting incoming mails directly into the maildrop directory, which in turn is handled by the Postfix pickup daemon.

From there the mail is forwarded directly to the destination address without even being DKIM signed by Amavis.

The question is: How can I get Postfix to pass mails from the pickup daemon on to Amavis, so they can get a DKIM signature before being forwarded to the destination?

Is it as simple as just inserting a line underneath pickup in master.cf with the text:

-o content_filter=amavis:[127.0.0.1]:10026

... or does that conflict with the already existing setup? :-)

  • I'm not sure what you are hinting at? The page basically contains all options available for main.cf file, what I am getting is that the pickup daemon basically ignores the whole config file. – Lasse Michael Mølgaard Oct 07 '19 at 14:34
  • For a quick reference: http://www.postfix.org/OVERVIEW.html. This page shows how mail is introduced to Postfix. It can either receive it through SMTP or be fed from the pickup daemon. The next step is "cleanup", before the mail is sent to its final destination. I gather that I should not introduce the DKIM signature in the cleanup part of the process, since all mails go through this part no matter where the mail was produced to begin with. I'm only interested in signing emails if they were sent by my clients. – Lasse Michael Mølgaard Oct 07 '19 at 14:43

1 Answer

After a bit more tweaking I finally got it to work.

Here is an explanation of what is going on.

Z-push is written in PHP, and what I could find on the Internet was that PHP mail settings are controlled via php.ini.

In the php.ini file you will be told that the only option available when sending mail is through sendmail, and therefore all mails received from Z-push will always be sent to the maildrop folder, which the Postfix pickup daemon then handles.

SMTP settings only work if installed on a Windows host.

That is a bit stupid if you ask me, but anyway I need to take another route if I want to sign mails received via the ActiveSync protocol (aka from Z-push) with a DKIM signature.

I needed, as suspected, to add content_filter to the line following the pickup line in /etc/postfix/master.cf, but I also needed to tweak my Amavis config file a tiny bit.

The file /etc/postfix/master.cf is basically as before, except when you go to the pickup line it now states:

amavis unix - - y - 2 smtp 
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o smtp_bind_address=

pickup    unix  n       -       y       60      1       pickup
   -o content_filter=amavis:[127.0.0.1]:10026

I added the amavis section, since I discovered that if it is commented out then Amavis is never called. Just for completeness of everything. :-)

In /etc/amavis/conf.d/50-user the following config is how Amavis distinguishes between inbound mail from anywhere to my mail accounts vs. mail sent from one of my accounts to anywhere:

$inet_socket_port = [10024,10026];

$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = 'smtp:[127.0.0.1]:10027';

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    forward_method => 'smtp:[127.0.0.1]:10027',
};

# IP-Addresses for internal networks => load policy MYNETS
# - requires -o smtp_send_xforward_command=yes in postfix master.cf
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 
                 [::1] [FE80::]/10 [FEC0::]/10);

# Allow SMTP access from IPs in @inet_acl to amavisd SMTP Port
@inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );

# DKIM
$enable_dkim_verification = 1; 
$enable_dkim_signing = 1; # load DKIM signing code
$signed_header_fields{'received'} = 0;  # turn off signing of Received
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

The tweaking I mentioned was that before I had the following lines in /etc/amavis/conf.d/50-user:

$forward_method = 'smtp:[127.0.0.1]:*';
$notify_method = 'smtp:[127.0.0.1]:*';

$policy_bank{'ORIGINATING'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

The way the * works is that whatever Amavis receives on a port (e.g. '10025') will be replied back on a port one higher (e.g. '10026').

What I needed was to be a little more explicit, in order to avoid confusion.

I hope this helps if there is anybody else cursing at their screen trying to get DKIM to work with Postfix and Amavis. :-)
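
An added example (not part of the original answer, and not Postfix or Amavis code): a small audit that parses a master.cf excerpt, resolves the content_filter each service ends up with (its `-o` override, otherwise the main.cf value), and checks whether that is the amavisd port bound to ORIGINATING. The excerpts are constructed from the configuration shown above, and the function names are hypothetical.

```python
import re

# Constructed master.cf excerpts based on the post: pickup before and after the fix.
BEFORE = """\
pickup    unix  n       -       y       60      1       pickup
127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o milter_macro_daemon_name=ORIGINATING
"""
AFTER = BEFORE.replace(
    "pickup\n", "pickup\n   -o content_filter=amavis:[127.0.0.1]:10026\n", 1)

MAIN_CF_FILTER = "amavis:[127.0.0.1]:10024"   # content_filter value from main.cf in the post
ORIGINATING_PORT = 10026                      # $interface_policy{'10026'} = 'ORIGINATING'

def parse_master_cf(text):
    """Return {service name: (command, {-o overrides})}, joining continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:     # indented line continues the previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        args = fields[8:]                     # everything after the command name
        overrides = dict(v.split("=", 1) for f, v in zip(args, args[1:])
                         if f == "-o" and "=" in v)
        services[fields[0]] = (fields[7], overrides)
    return services

def filter_port(service, master_cf, main_cf_filter=MAIN_CF_FILTER):
    """Port of the content filter that mail entering via `service` is handed to, or None."""
    _, overrides = parse_master_cf(master_cf)[service]
    effective = overrides.get("content_filter", main_cf_filter)
    match = re.search(r":(\d+)$", effective)
    return int(match.group(1)) if match else None

def is_signed_path(service, master_cf):
    """True when the service's mail reaches the amavisd port bound to ORIGINATING."""
    return filter_port(service, master_cf) == ORIGINATING_PORT

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, filter_port("pickup", cfg), is_signed_path("pickup", cfg))
```

The pickup service never evaluates `smtpd_sender_restrictions`, so a `FILTER` action in those access tables cannot steer its mail; only `content_filter` applies there. The reinjection listener resolves to `None` because its `-o content_filter=` is empty, which is what keeps mail from looping back into Amavis.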