[Rspamd-Users] First Time: DKIM Signing Only

[Allen, Norton T.]

On 1/25/2024 11:07 PM, Gerald Galster wrote:
>>> ... is there some way I can pass in an argument via sendmail that I
>>> can use to identify outbound mailing list messages? If so, I could
>>> use that to enable DKIM signing and ideally DMARC munging as well.
>> Presumably your mailing list software adds headers to mail it sends
>> out.  Could they not identify your "outbound mailing list messages"?
>>
>> If I understand what you want, then if I were doing this I'd just look
>> for the list header with a milter and sign it if the header is there.
> Depending on your setup that could be a simple solution but you should
> make sure that mails with non-mailinglist origin do not contain that
> header. Otherwise this could lead to rspamd signing unwanted mails.
>
> As not all headers are considered for dkim-signing it might be
> possible to remove that line with (milter_)header_checks and the
> IGNORE action.
>
> https://www.postfix.org/postconf.5.html#header_checks
> https://www.postfix.org/postconf.5.html#milter_header_checks
> https://www.postfix.org/header_checks.5.html

Yes, that sounds like an excellent plan for identifying the mailing list 
mail. I have already made customizations to the mailing list software, 
so I could probably add my own custom header that would not be likely to 
occur in inbound mail, but the header_checks safeguard would certainly 
make sense.

I think the only real sticking point I am having trouble with now is how 
to identify the mail that doesn't match either of these conditions: not 
authenticated and doesn't include the mailing list header. In the "User 
settings" documentation, there is reference to an 'inverse' syntax: "- 
inverse match (e.g. it will NOT match when all elements are matched and 
vice-versa)". This sounds like exactly what I am looking for. 
Unfortunately, there are no examples, and I haven't been able to get it 
to work in trivial tests. Any ideas on that?