On Thu, 1 May 2008, Erik Lotspeich wrote:
> Thanks for your quick response -- and the patch. The patch works great.
> I recognized the mistake as the
> copy-and-paste-forget-to-change-something variety that I've made in my
> own code at times.
>> You could accomplish (2) by running one instance that signs and one that
> I thought of this as a possible solution as well, though I'm not sure
> how to implement it in Sendmail. Clearly, setting up two dkim-filter
> processes on different ports with two different configuration files is

Essentially you would have two INPUT_MAIL_FILTER lines that define the two
filters (on different ports, of course), and then start those filters with
different options as needed.
In your double-signer example, one of them might show 127.0.0.1 as a
"peer" so that SMTP connections from those sources are ignored entirely.

> Although I'm learning sendmail, I'm by no means an expert. It seems like
> I'll need a custom set of mail rules to handle the various cases and to
> invoke one dkim-milter or the other, right? I can see the following
> 1. Verify: Incoming mail from non-lotspeich.org addresses.

You get that for free. :-)

> 2. Verify: Incoming mail from lotspeich.org addresses: Since the running
> sendmail is the MTA & MDA on my server, it seems like we have to splice
> into the mail handling in Sendmail. The MTA will sign the mail and the
> MDA should verify, it seems. I'm really not clear on how this would work
> or how to configure it.

The MDA you're using is not necessarily DKIM-aware, although free ones
that are can be found (e.g. I think procmail has DKIM plugins).
I think waiting for that feature request to be resolved might be the
simpler solution, though it won't be available for a while.
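
The two-filter arrangement described in the reply above, written out as an added example; it is not part of the original message and not taken from the dkim-milter distribution. Assumptions: the filter names, ports 8891/8892, the file paths, the selector name, the placeholder domain example.org, and the choice of the verifying instance as the one that treats 127.0.0.1 as a peer.

```m4
dnl sendmail.mc fragment (added example, not from the original thread).
dnl Two milter definitions on different ports; sendmail consults them
dnl in the order listed. Names and port numbers are assumptions.
dnl No F= flag is set, so if a filter's socket is unreachable sendmail
dnl carries on as if that filter were absent; F=T would tempfail instead.
INPUT_MAIL_FILTER(`dkim-sign', `S=inet:8891@localhost')dnl
INPUT_MAIL_FILTER(`dkim-verify', `S=inet:8892@localhost')dnl
dnl
dnl Each socket is served by its own dkim-filter process, started with
dnl different options (shown as comments; they are not m4 input):
dnl
dnl   Signing instance: -b s restricts it to signing.
dnl   Domain, selector and key path are placeholders.
dnl     dkim-filter -b s -p inet:8891@localhost \
dnl         -d example.org -s selector1 \
dnl         -k /etc/mail/dkim/selector1.private
dnl
dnl   Verifying instance: -b v restricts it to verifying.
dnl   -a names a peer list file; connections from the clients listed
dnl   in it are accepted without processing by this instance.
dnl     dkim-filter -b v -p inet:8892@localhost \
dnl         -a /etc/mail/dkim/peers
dnl
dnl   /etc/mail/dkim/peers (assumed path) would contain the single line:
dnl     127.0.0.1
```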