What is the correct way to sign mail on a relay MTA

I have a setup where outbound mail from an internal mail server (let's call it System A) is relayed to a smart host (we will call this System B) which then sends it out to the Internet and eventually the receiving end's MTA (System C). I have full control of both System A and System B, but they need to be kept as separate systems due to some architectural requirements.

On System A, I am using OpenDKIM for my DKIM solution and Postfix as the MTA solution. OpenDKIM is set up as a milter listening on port 8891 and Mode is set to s. System B is also using Postfix and OpenDKIM.

I am unsure how to set up OpenDKIM on System B so that System C does not complain that the DKIM signature is broken. Do I set its Mode only to v? Or must it be sv?

What if there is a content filter being used on System B that is modifying headers or the message body? Would I need to also incorporate OpenARC into the mix (for ARC signatures)?

I've seen some people run two instances of OpenDKIM on a single system. One for verification and the other for signing after the content filter re-injects the message back to Postfix. This to me seems incorrect? Especially since the official OpenDKIM package does not include out of the box functionality to run multiple instances.
