
I have a private postfix server that uses dovecot sasl to optionally authenticate submission clients, and I'm trying to set it up to also accept client certificates to allow it to act as a relay host for certain specific origin servers.

I've got it mostly working, but ran into a hiccup where the opendkim milter doesn't recognize the certificate-authenticated relay connections as internal or authenticated, so it does not add a DKIM signature.

In main.cf:

milter_default_action = accept
smtpd_milters = inet:opendkim:8891
non_smtpd_milters = inet:opendkim:8891

smtpd_tls_CAfile = /path/to/private-ca-cert.pem
tls_append_default_CA = no
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,permit_tls_all_clientcerts,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,permit_tls_all_clientcerts,reject_unauth_destination

and in master.cf under submission/inet:

-o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_all_clientcerts,reject
-o smtpd_tls_ask_ccert=yes

All of the above is working, and connections that present a valid cert signed by my private CA are allowed relay access.

However, these relayed emails are not signed by opendkim - instead, the opendkim milter logs this:

external host [host.that.connected.with.cert] attempted to send as [mydomain.com]

I know I could use the opendkim ExternalIgnoreList config, but since these hosts are on dynamic IPs, that's not an ideal solution, and I'm looking for a solution that accepts any host just like it accepts mail sent through a SASL-authenticated submission connection from any mail client.

I believe I've traced it to the {auth_authen} macro that the milter uses to determine whether the mail came from an authenticated connection... postfix is only setting that macro to the sasl username.

Is there any way I can expand the functionality of {auth_authen} or add a new macro (using opendkim's MacroList config) in order to indicate that a valid client certificate was used?

jcsanyi
  • 123

1 Answer


Because you only accept authenticated mail anyway, you do not need to pass information about which method was used to opendkim - only the (boolean) distinction between ports that have mandatory authentication (sign) and ports that do not offer authentication (verify).

You can set -o milter_macro_daemon_name=whatever in master.cf to let opendkim know which mail should be signed. That macro would otherwise default to $myhostname, but by using (arbitrary, opendkim does not care) different values for verifying-only and for mandatory-auth ports you can distinguish them.

Docs recommend using ORIGINATING and VERIFYING to make it super obvious. MacroList in your opendkim.conf can then check whether daemon_name is equal to whatever you set.

anx
  • 10,888
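As an added example (not part of the question or the answer above), a small Python check for the setup the answer describes: it parses a master.cf and an opendkim.conf and reports any Postfix service whose milter_macro_daemon_name value appears in MacroList (so OpenDKIM would sign its mail) but whose smtpd_client_restrictions admit anything other than SASL or client-certificate authentication. It assumes the MacroList entry form `daemon_name|ORIGINATING` from opendkim.conf(5); the two config fragments embedded in it are constructed samples, not the asker's files.

```python
# Added check (not part of the question or answer): a Postfix service whose
# milter_macro_daemon_name value is listed in OpenDKIM's MacroList gets signed,
# so it must only admit authenticated clients. Config fragments are constructed.
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_all_clientcerts,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
OPENDKIM_CONF = """\
Mode       sv
MacroList  daemon_name|ORIGINATING
"""
AUTH_ONLY = {"permit_sasl_authenticated", "permit_tls_all_clientcerts", "reject"}

def parse_master_cf(text):
    """Map each master.cf service name to its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                    # service definition line
            current = line.split()[0]
            services[current] = {}
        elif current and line.strip().startswith("-o"):
            key, _, value = line.strip()[2:].partition("=")
            services[current][key.strip()] = value.strip()
    return services

def parse_macrolist(text):
    """Map MacroList macro names to accepted values (empty set = any value)."""
    macros = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "MacroList":
            for entry in parts[1].split(","):
                name, *values = entry.strip().split("|")
                macros[name] = set(values)
    return macros

def signing_services_without_auth(master_cf, opendkim_conf):
    """Services OpenDKIM would sign for that do not require SASL/cert auth."""
    wanted = parse_macrolist(opendkim_conf).get("daemon_name")
    if wanted is None:                          # MacroList not keyed on daemon_name
        return []
    bad = []
    for name, opts in parse_master_cf(master_cf).items():
        if wanted and opts.get("milter_macro_daemon_name") not in wanted:
            continue                            # default $myhostname: verify only
        restr = opts.get("smtpd_client_restrictions", "").split(",")
        if restr[-1] != "reject" or not set(restr) <= AUTH_ONLY:
            bad.append(name)
    return bad
```

Port 25 keeps the default daemon_name (the server's $myhostname), so OpenDKIM only verifies there; a MacroList entry without a value would match every service and is flagged accordingly.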