Postfix+DKIM email signatures in amavisd-new
DKIM is a system to verify the sender and integrity of emails.
A DKIM standard (RFC 4871) states the following, which applies to its predecessor DomainKeys (historical: RFC 4870) as well:
DomainKeys Identified Mail (DKIM) defines a mechanism by which email messages can be cryptographically signed, permitting a signing domain to claim responsibility for the introduction of a message into the mail stream. Message recipients can verify the signature by querying the signer’s domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.
The DomainKeys specification was a primary source from which the DomainKeys Identified Mail [DKIM] specification has been derived. The purpose in submitting the RFC 4870 document is as an historical reference for deployed implementations written prior to the DKIM specification.
Implementation and mail flow
             +------+
             |verify|          (verify)
             +--+---+              |  (by amavisd and/or SA)
               ^^^ milter          |
incoming:      |||             +---v-------+
  MX ----> 25 smtpd ---> 10024 >           >---> 10025 smtpd -->
                ||             |           |
  SASL --> 25 smtpd \          |  amavisd  |  (notifications)
submission       |   +->       |           >--->_
  mynets-> 25 smtpd ---> 10026 >ORIGINATING>---> 10027 smtpd -->
submission           +->       +-------^---+             |
      --> 587 smtpd /      :           |                 v milter
                       (convert        |              +------+
                        to 7-bit)   (sign)            | sign |
                                                      +------+
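
The diagram places "(convert to 7-bit)" ahead of "(sign)" on the originating path. The sketch below is an added example, not code from amavisd-new or Postfix, and shows why that order matters: the DKIM body hash (the bh= tag) covers the encoded body, so a later 8-bit to quoted-printable re-encoding invalidates a signature made over 8-bit text. It assumes relaxed body canonicalization with SHA-256; the function names, the simplified relay model and the sample body are constructed for illustration.

```python
import base64
import hashlib
import quopri
import re


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization as described in RFC 4871 section 3.4.4."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, then drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode("ascii")


def to_7bit(body: bytes) -> bytes:
    """Re-encode a CRLF-terminated body as quoted-printable."""
    encoded = quopri.encodestring(body.replace(b"\r\n", b"\n"))
    return encoded.replace(b"\n", b"\r\n")


def relay_without_8bitmime(body: bytes) -> bytes:
    """Simplified model of a later hop: 8-bit bodies are re-encoded, 7-bit pass as-is."""
    return body if all(b < 0x80 for b in body) else to_7bit(body)


def bh_survives_relay(signed_body: bytes) -> bool:
    """True if the bh= computed at signing time still matches after the relay hop."""
    return body_hash(signed_body) == body_hash(relay_without_8bitmime(signed_body))


# Constructed sample: an 8-bit UTF-8 body as a submission client might send it.
SAMPLE_8BIT = "Gr\u00fc\u00dfe aus Z\u00fcrich\r\nSigned at submission.\r\n".encode("utf-8")

if __name__ == "__main__":
    print("sign, then convert :", bh_survives_relay(SAMPLE_8BIT))
    print("convert, then sign :", bh_survives_relay(to_7bit(SAMPLE_8BIT)))
```
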