2nd September 2009, 07:42
atjensen11


I can assure you that I did not do any additional configuration of the SASL port...primarily because I have no idea how to do it now, let alone two years ago when the old production server was configured.

The only difference is that the old production server was an Ubuntu 7.04 machine upgraded to 7.10 and eventually to 8.04 LTS. The new production server is Debian Lenny.

As a side note, I would like to know how the bigger providers are handling DKIM and domainkeys signatures, if at all.

Here is the portion of my /etc/postfix/ file that deals with dkimproxy and the signing of outgoing emails:

### dkimproxy filter - see
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=
    -o smtpd_authorized_xforward_hosts=

As I understand the message flow, an outgoing email enters the Postfix server from an email client on the submission port. Then, the message is forwarded to the dkimproxy signing service on port 10028. Once signed, dkimproxy reinjects the message to Postfix on port 10029. From there, the message is sent out to the recipient.

If email clients are configured to use port 25 for SMTP, they bypass this whole logic since it relies on incoming messages on the submission port (587).

Currently, two of the three email clients I have configured to send SMTP mail on the submission port generate the error posted previously. Only Squirrelmail is signing email messages through dkimproxy on the submission port.
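
The message flow described in the post above (submission listener, signing filter, reinjection listener, and port 25 skipping the signer) can be checked against a master.cf mechanically. The following is an added example, not part of the original post or of dkimproxy: it parses master.cf entries and reports which smtpd listeners hand mail to the signing filter. The sample file is constructed; its 127.0.0.1 addresses, the plain `smtp` entry, and the premise that main.cf sets no global content_filter are assumptions.

```python
# Added example: report which Postfix smtpd listeners hand mail to the DKIM signing filter.
# SAMPLE_MASTER_CF is constructed; 127.0.0.1 and the "smtp" (port 25) entry are assumptions.
SAMPLE_MASTER_CF = """\
smtp        inet  n  -  n  -  -   smtpd
submission  inet  n  -  n  -  -   smtpd
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
dksign      unix  -  -  n  -  10  smtp
127.0.0.1:10029 inet  n  -  n  -  10  smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Join continuation lines and return each service with its -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = []
    for f in (line.split() for line in logical):
        if len(f) < 8:
            continue                              # not a complete service entry
        args = f[8:]
        opts = dict(b.split("=", 1) for a, b in zip(args, args[1:]) if a == "-o" and "=" in b)
        services.append({"name": f[0], "type": f[1], "command": f[7], "opts": opts})
    return services

def signing_audit(text, filter_name="dksign"):
    """Classify each inet smtpd listener as signed, reinjection or unsigned."""
    report = {}
    for s in parse_master_cf(text):
        if s["type"] != "inet" or s["command"] != "smtpd":
            continue
        cf = s["opts"].get("content_filter")
        if cf == "":
            report[s["name"]] = "reinjection"     # filter cleared: mail is already signed
        elif cf and cf.split(":")[0] == filter_name:
            report[s["name"]] = "signed"
        else:
            report[s["name"]] = "unsigned"        # no override: never reaches the signer
    return report

if __name__ == "__main__":
    print(signing_audit(SAMPLE_MASTER_CF))
```

Any listener reported as `unsigned` accepts mail that leaves without a DKIM signature, which is the port 25 case the post describes.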