Rick rather correctly pointed out:
shell pipelines in /etc/aliases are so notoriously a security hazard
that modern MTAs of my experience disable parsing them by default, and you re-enable that parsing at your peril.
I completely agree with that! I'd imagined, perhaps erroneously, that this query was about a local system over which posters have ~exclusive control and thus some confidence of security, rather than work or some multi-user system.
You can probably configure a milter to strip pre-existing DKIM on outbound. I haven't tried. Maybe the milter stretches that way, maybe you need to hack it. opendkim seems to have a config switch, RemoveOldSignatures.
But as I mentioned, you may have to go a little further than just the proper DKIM headers, e.g. non-standard DKIM and other provenance headers. Google seems to be trying too hard to catch removal of DKIM ... there are more than a couple of X-G* and other headers in there that will give away that they've seen the message before. I don't immediately see a way to remove those trivially in opendkim milter.
Unforeseen consequences notwithstanding, I haven't had a complaint from my recipients for a while, neither for something going missing, nor for the flag of shame on my list messages, so I guess it is working. Part of it might just be that I have a somewhat working DKIM, DMARC, SPF, etc alphabet soup. :)
HTH
glen
On 8/12/2017 5:28 PM, Rick Moen wrote:
Quoting Glen Martin (glen@glen-martin.com):
MLMs can achieve this, imperfectly, and are overkill. But they're not magic, they just screw with the headers so downstream can't detect the envelope or body changes.
What you call screwing with the headers is, in my experience, the only way that retransmitted mail is going to arrive at its end-destination not seeming like an attempt to forge the upstream sender's domain.
Have you tried to use the pipe syntax of aliases, e.g.
    don@linuxmafia.org: | /usr/sbin/DKIMstripper-sendmail.sh donmarti@whereever.com
// I just made this up, don't shoot me
Alas, shell pipelines in /etc/aliases are so notoriously a security hazard that modern MTAs of my experience disable parsing them by default, and you re-enable that parsing at your peril.
Of course, there are other ways of stripping DKIM headers, and that's tempting. I can imagine any number of reasons why this action might end up having adverse consequences, though.
BALUG-Talk mailing list BALUG-Talk@temp.balug.org https://temp.balug.org/cgi-bin/mailman/listinfo/balug-talk
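
An added example, not part of the original thread or of any MTA's own tooling: a small Python audit that lists the alias entries which deliver to a command, a file or an :include: list, which are the entries the warning about shell pipelines in /etc/aliases concerns. The sample alias file is constructed, and the parsing assumes the common sendmail/Postfix aliases(5) layout (comments with #, continuation lines starting with whitespace, comma-separated targets, optional double quotes).

```python
import re

# Constructed sample for illustration; not taken from the thread's systems.
SAMPLE_ALIASES = '''\
# constructed sample aliases file
postmaster: root
don: "|/usr/sbin/DKIMstripper-sendmail.sh donmarti@example.com"
archive: /var/mail/archive, root
staff: alice,
    bob, |/usr/local/bin/notify
biglist: :include:/etc/mail/biglist.txt
'''

def logical_lines(text):
    """Drop blanks and comments; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def split_targets(rhs):
    """Split the right-hand side on commas that are outside double quotes."""
    parts = re.findall(r'(?:"[^"]*"|[^,])+', rhs)
    return [p.strip().strip('"') for p in parts if p.strip()]

def classify(target):
    if target.startswith("|"):
        return "pipe"      # a command is run for every delivered message
    if target.startswith(":include:"):
        return "include"   # targets come from another file, which needs its own audit
    if target.startswith("/"):
        return "file"      # mail is appended to a file
    return "address"

def audit(text):
    """Return (alias, kind, target) for every non-address delivery target."""
    findings = []
    for line in logical_lines(text):
        name, sep, rhs = line.partition(":")
        if sep:
            findings += [(name.strip(), classify(t), t)
                         for t in split_targets(rhs) if classify(t) != "address"]
    return findings

if __name__ == "__main__":
    for alias, kind, target in audit(SAMPLE_ALIASES):
        print(f"{alias}: {kind} -> {target}")
```

To audit a real system, pass the contents of the alias file the MTA is actually configured to read, and review each included file the same way.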