I have a setup where outbound mail from an internal mail server (let's call it System A) is relayed to a smart host (we will call this System B) which then sends it out to the Internet and eventually the receiving end's MTA (System C). I have full control of both System A and System B, but they need to be kept as separate systems due to some architectural requirements.

On System A, I am using OpenDKIM for my DKIM solution and Postfix as the MTA solution. OpenDKIM is set up as a milter listening on port 8891 and Mode is set to s. System B is also using Postfix and OpenDKIM.

I am unsure how to set up OpenDKIM on System B so that System C does not complain that the DKIM signature is broken. Do I set its Mode only to v? Or must it be sv?

What if there is a content filter being used on System B that is modifying headers or the message body? Would I need to also incorporate OpenARC into the mix (for ARC signatures)?

I've seen some people run two instances of OpenDKIM on a single system. One for verification and the other for signing after the content filter re-injects the message back to Postfix. This to me seems incorrect? Especially since the official OpenDKIM package does not include out of the box functionality to run multiple instances.

Tuaris

0 Answers
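The question's concern about a content filter on System B modifying the message body, shown as an added example that is not part of the original post. It covers only the DKIM body hash (`bh=`), not the header signature, and assumes System A signs with relaxed body canonicalization and SHA-256; the sample bodies and function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """Value of the bh= tag for a relaxed-body, SHA-256 signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_still_valid(signed_bh: str, received_body: bytes) -> bool:
    """The body check System C performs against the bh= value System A signed."""
    return body_hash(received_body) == signed_bh

# Constructed sample message body as it leaves System A.
BODY_AT_A = b"Hello,\r\n\r\nInvoice attached.\r\n"
BH_FROM_A = body_hash(BODY_AT_A)

# Three hypothetical things System B might do before relaying to System C.
RELAYED_UNCHANGED = BODY_AT_A
RELAYED_REWRAPPED = b"Hello,  \r\n\r\nInvoice   attached.\r\n\r\n\r\n"  # whitespace only
RELAYED_WITH_FOOTER = BODY_AT_A + b"-- \r\nScanned by content filter\r\n"

if __name__ == "__main__":
    for name, body in [("unchanged", RELAYED_UNCHANGED),
                       ("whitespace only", RELAYED_REWRAPPED),
                       ("footer appended", RELAYED_WITH_FOOTER)]:
        print(f"{name:16} bh valid at System C: {bh_still_valid(BH_FROM_A, body)}")
```

Only the appended footer invalidates the body hash; whitespace-only changes survive relaxed canonicalization.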