If you have set up your Postfix server to sign outgoing messages with DKIM, you may have noticed that non-delivery notifications (NDNs), also known as bounce messages, are not being signed. This can cause problems when forwarding these messages to other recipients, as they may reject them due to missing or invalid DKIM signatures.
In this article, I will explain what NDNs are, why they are not signed by default, and how you can configure Postfix and OpenDKIM to sign them properly. I will also provide some frequently asked questions and answers related to this topic.
Table of Contents
- What are Non-Delivery Notifications?
- Why are NDNs not Signed by Default?
- How to Configure Postfix and OpenDKIM to Sign NDNs
- Step 1: Change the Ownership and Permissions of the OpenDKIM Socket
- Step 2: Add the non_smtpd_milters Parameter to Postfix
- Frequently Asked Questions
- Question: How can I test if my NDNs are signed correctly?
- Question: What are the benefits of signing NDNs with DKIM?
- Question: Are there any drawbacks of signing NDNs with DKIM?
- Conclusion
What are Non-Delivery Notifications?
Non-delivery notifications are messages that are sent automatically by a mail server when it cannot deliver a message to its intended recipient. They usually contain information about the reason for the failure, such as an invalid address, a full mailbox, or a network error. They also include the original message or a part of it as an attachment.
NDNs are useful for informing the sender of a message that it was not delivered and why. However, they can also be abused by spammers and phishers who use them to verify the existence of valid email addresses or to trick recipients into opening malicious attachments or links.
Why are NDNs not Signed by Default?
NDNs are not signed by default because they are not generated by the same process that handles normal outgoing messages. Instead, they are generated by a separate process called the bounce daemon, which runs as a different user and does not have access to the OpenDKIM socket.
The OpenDKIM socket is a file that allows Postfix and OpenDKIM to communicate with each other. Postfix sends outgoing messages to OpenDKIM through the socket, and OpenDKIM signs them and sends them back to Postfix. The socket is usually located in /var/spool/postfix/opendkim/opendkim.sock and is owned by the opendkim user.
The bounce daemon, on the other hand, runs as the postfix user and does not have permission to access the OpenDKIM socket. Therefore, it cannot send NDNs to OpenDKIM for signing. This results in NDNs being sent without DKIM signatures.
How to Configure Postfix and OpenDKIM to Sign NDNs
To make Postfix and OpenDKIM sign NDNs, you need to do two things:
- Change the ownership and permissions of the OpenDKIM socket so that both the opendkim and postfix users can access it.
- Add the non_smtpd_milters parameter to the Postfix configuration file so that Postfix applies milters (mail filters) to NDNs as well as normal messages.
Here are the steps to do this:
Step 1: Change the Ownership and Permissions of the OpenDKIM Socket
To change the ownership and permissions of the OpenDKIM socket, you need to edit the /etc/opendkim.conf file and add the following lines:
UMask 002
Socket local:/var/spool/postfix/opendkim/opendkim.sock
UserID opendkim:postfix
The UMask 002 line sets the umask (the mask that determines the default permissions of files OpenDKIM creates, including the socket) to 002, which removes write permission for others: new files are readable and writable by their owner and group, and others cannot write to them.
The Socket local:/var/spool/postfix/opendkim/opendkim.sock line specifies the location of the OpenDKIM socket.
The UserID opendkim:postfix line sets the user and group that the OpenDKIM process runs as, so the socket it creates is owned by the opendkim user and the postfix group.
After editing the file, save it and restart OpenDKIM with this command:
sudo service opendkim restart
You can verify that the ownership and permissions of the OpenDKIM socket have changed with this command:
ls -l /var/spool/postfix/opendkim/opendkim.sock
You should see something like this:
srw-rw---- 1 opendkim postfix 0 Oct 12 07:30 /var/spool/postfix/opendkim/opendkim.sock
This means that the socket is owned by opendkim and belongs to the postfix group, and that both users can read and write to it.
Step 2: Add the non_smtpd_milters Parameter to Postfix
To add the non_smtpd_milters parameter to Postfix, you need to edit the /etc/postfix/main.cf file and add this line:
non_smtpd_milters = $smtpd_milters
This line tells Postfix to apply the same milters to non-SMTP messages (such as NDNs and locally submitted mail) as to messages received via SMTP. $smtpd_milters expands to the value of the smtpd_milters parameter, that is, the milters you have already configured for SMTP mail, such as OpenDKIM.
After editing the file, save it and reload Postfix with this command:
sudo service postfix reload
You can verify that Postfix now applies the same milters to NDNs as to normal messages with this command (the -x option makes postconf expand $smtpd_milters to its actual value; without it the output only repeats the reference):
postconf -x non_smtpd_milters
You should see something like this:
non_smtpd_milters = local:opendkim/opendkim.sock
This means that Postfix is using the OpenDKIM socket as a milter for NDNs.
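The following script is an added example (not from the article, and not part of Postfix or OpenDKIM): a dry-run check of both steps that parses copies of opendkim.conf and main.cf before you restart anything, plus a check of the ls -l listing you expect for the socket. The function names (opendkim_value, postfix_value, check_opendkim_conf, check_main_cf, check_socket_listing, write_samples) and the sample configuration files it writes to a temporary directory are constructed for the demonstration; it does not resolve Postfix multi-line continuation values.

```shell
#!/bin/sh
# Added example, not part of the article: pre-restart sanity check for the two
# configuration changes. It only parses the files it is given, so it can be run
# against copies before touching /etc/opendkim.conf and /etc/postfix/main.cf.
# Limitation: Postfix multi-line (indented continuation) values are not handled.

# Print the value of a "Key value" line in opendkim.conf (first match wins).
opendkim_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the value of "name = value" in main.cf; the last assignment wins,
# which matches how Postfix itself treats a parameter that is set twice.
postfix_value() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != name) next
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# Step 1: UMask 002, socket under the Postfix queue directory, UserID opendkim:postfix.
check_opendkim_conf() {
    conf=$1; ok=0
    umask_v=$(opendkim_value "$conf" UMask)
    sock=$(opendkim_value "$conf" Socket)
    uid=$(opendkim_value "$conf" UserID)
    case "$umask_v" in 002|0002) ;; *) echo "UMask is '$umask_v', expected 002"; ok=1 ;; esac
    case "$sock" in local:/var/spool/postfix/*) ;; *) echo "Socket '$sock' is not under /var/spool/postfix"; ok=1 ;; esac
    [ "$uid" = "opendkim:postfix" ] || { echo "UserID is '$uid', expected opendkim:postfix"; ok=1; }
    return $ok
}

# Step 2: non_smtpd_milters must reference (or repeat) a non-empty smtpd_milters.
check_main_cf() {
    cf=$1; ok=0
    smtpd=$(postfix_value "$cf" smtpd_milters)
    nonsmtpd=$(postfix_value "$cf" non_smtpd_milters)
    [ -n "$smtpd" ] || { echo "smtpd_milters is empty: OpenDKIM is not wired in at all"; ok=1; }
    case "$nonsmtpd" in
        '') echo "non_smtpd_milters is unset: NDNs will leave unsigned"; ok=1 ;;
        '$smtpd_milters'|"$smtpd") ;;
        *) echo "non_smtpd_milters ('$nonsmtpd') differs from smtpd_milters ('$smtpd')"; ok=1 ;;
    esac
    return $ok
}

# Check one line of `ls -l` output for the socket: socket type, owner and group
# read/write, owner opendkim, group postfix (the listing expected after Step 1).
check_socket_listing() {
    set -- $1
    mode=$1; owner=$3; group=$4
    case "$mode" in srw?rw*) ;; *) echo "mode '$mode': not a socket writable by owner and group"; return 1 ;; esac
    [ "$owner" = opendkim ] && [ "$group" = postfix ] || { echo "owner $owner:$group, expected opendkim:postfix"; return 1; }
}

# Constructed sample files (not copied from a real system) for a dry run.
write_samples() {
    dir=$1
    cat > "$dir/opendkim.conf" <<'EOF'
# constructed, trimmed OpenDKIM configuration
Syslog yes
UMask 002
Socket local:/var/spool/postfix/opendkim/opendkim.sock
UserID opendkim:postfix
EOF
    cat > "$dir/main.cf" <<'EOF'
# constructed main.cf fragment after Step 2
milter_default_action = accept
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
EOF
    cat > "$dir/main-before.cf" <<'EOF'
# constructed main.cf fragment before Step 2
smtpd_milters = local:opendkim/opendkim.sock
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_opendkim_conf "$tmp/opendkim.conf" && echo "opendkim.conf: ok"
check_main_cf "$tmp/main.cf" && echo "main.cf: ok"
check_main_cf "$tmp/main-before.cf" || echo "main-before.cf: NDNs would not be signed"
check_socket_listing "srw-rw---- 1 opendkim postfix 0 Oct 12 07:30 /var/spool/postfix/opendkim/opendkim.sock" && echo "socket listing: ok"
rm -rf "$tmp"
```

To use it on a real host, call check_opendkim_conf and check_main_cf with the paths of the edited files and pipe the output of ls -l on the socket into check_socket_listing; a non-zero exit status with a message tells you which of the two steps is still incomplete.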
Frequently Asked Questions
Here are some common questions and answers related to signing NDNs with DKIM:
Question: How can I test if my NDNs are signed correctly?
Answer: One way to test if your NDNs are signed correctly is to send a message to a non-existent address on your own domain and check the headers of the NDN that you receive. You should see a DKIM-Signature header that indicates that the message was signed by OpenDKIM. You can also use online tools such as Mail Tester or DKIM Validator to check the DKIM status of your NDNs.
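As an added example (not part of the article, and not one of the tools it names), here is a small shell script for the header check described in the answer: it unfolds the headers of a saved NDN, looks for a DKIM-Signature field, pulls out its d= tag and reports whether that domain aligns with the From: domain, which is what a DMARC evaluation of the bounce will compare. The function names (header_value, dkim_tag, addr_domain, ndn_dkim_report, strip_signature, write_sample_ndn) and the sample bounce message it writes are constructed; the b= signature value in the sample is a placeholder, so the script checks presence and alignment, not cryptographic validity.

```shell
#!/bin/sh
# Added example, not from the article: inspect a saved NDN (.eml) for a
# DKIM-Signature header and report whether its d= domain aligns with the From:
# domain. Headers are unfolded first so a signature wrapped over several lines
# is still parsed. This checks presence and alignment only, not the signature.

# Print the unfolded value of the first header named $2 in file $1.
header_value() {
    awk -v want="$2" '
        /^$/ { exit }                                    # blank line ends the headers
        /^[ \t]/ { if (found) val = val " " $0; next }   # folded continuation line
        {
            if (found) exit                              # next header: stop collecting
            n = index($0, ":")
            if (n && tolower(substr($0, 1, n - 1)) == tolower(want)) {
                found = 1; val = substr($0, n + 1)
            }
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }' "$1"
}

# Print tag $1 (e.g. d, s, h) of a DKIM-Signature value read from stdin.
dkim_tag() {
    tr -d ' \t' | tr ';' '\n' | awk -v t="$1" '
        { n = index($0, "="); if (n && substr($0, 1, n - 1) == t) { print substr($0, n + 1); exit } }'
}

# Print the lower-cased domain of an address header value read from stdin,
# e.g. "Mail Delivery System <MAILER-DAEMON@example.com>" -> example.com
addr_domain() {
    sed -n 's/.*@\([A-Za-z0-9.-]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Print "unsigned from=<domain>" (exit 1) or
# "signed d=<domain> from=<domain> aligned=<yes|no>" (exit 0 only when aligned).
ndn_dkim_report() {
    sig=$(header_value "$1" DKIM-Signature)
    from=$(header_value "$1" From | addr_domain)
    if [ -z "$sig" ]; then echo "unsigned from=$from"; return 1; fi
    d=$(printf '%s\n' "$sig" | dkim_tag d | tr 'A-Z' 'a-z')
    # Relaxed DMARC alignment: From: domain equal to d= or a subdomain of it.
    case "$from" in "$d"|*".$d") aligned=yes ;; *) aligned=no ;; esac
    echo "signed d=$d from=$from aligned=$aligned"
    [ "$aligned" = yes ]
}

# Remove the DKIM-Signature header (and its folded lines) to simulate an
# unsigned bounce for comparison.
strip_signature() {
    awk '/^DKIM-Signature:/ { skip = 1; next } skip && /^[ \t]/ { next } { skip = 0; print }' "$1"
}

# Constructed sample NDN (not a real bounce); the b= value is a placeholder.
write_sample_ndn() {
    cat > "$1" <<'EOF'
Return-Path: <>
Received: from localhost (constructed sample, not a real trace)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
    s=mail; t=1697095800; bh=CONSTRUCTED_BODY_HASH=;
    h=From:To:Subject:Date:Message-ID; b=CONSTRUCTED_SIGNATURE_VALUE==
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: sender@example.com
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="constructed-boundary"

--constructed-boundary
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail.example.com.

<nobody@example.com>: unknown user
--constructed-boundary--
EOF
}

tmp=$(mktemp)
write_sample_ndn "$tmp"
ndn_dkim_report "$tmp"
strip_signature "$tmp" > "$tmp.unsigned"
ndn_dkim_report "$tmp.unsigned" || echo "(this NDN would fail a DKIM/DMARC check)"
rm -f "$tmp" "$tmp.unsigned"
```

Save the NDN you receive from the test described above as a file and run ndn_dkim_report on it; "unsigned" means the milter was not applied to the bounce, and "aligned=no" means it was signed with a domain that DMARC will not accept for the bounce's From: address.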
Question: What are the benefits of signing NDNs with DKIM?
Answer: Signing NDNs with DKIM can help you avoid some potential problems, such as:
- Your NDNs being rejected or marked as spam by some recipients who require valid DKIM signatures for incoming messages.
- Your domain being spoofed by spammers or phishers who send fake NDNs to trick recipients into opening malicious attachments or links.
- Your domain reputation being damaged by NDNs that are not aligned with your SPF and DMARC policies.
Question: Are there any drawbacks of signing NDNs with DKIM?
Answer: Signing NDNs with DKIM can also introduce some challenges, such as:
- Your NDNs being modified or broken by intermediate servers that alter the message headers or body, which can invalidate the DKIM signature and cause delivery failures or spam filtering.
- Your OpenDKIM socket being exposed to more traffic and load, which can affect its performance and reliability.
- Your OpenDKIM configuration being more complex and prone to errors, which can affect your normal outgoing messages as well.
Therefore, you should carefully weigh the pros and cons of signing NDNs with DKIM and monitor your mail server logs and reports regularly to ensure that everything is working as expected.
Conclusion
In this article, I have explained how to make Postfix sign non-delivery notifications with DKIM using OpenDKIM. I hope you have found it useful and informative. If you have any questions or feedback, please feel free to leave a comment below.
Disclaimer: This article is based on my personal experience and research. It is not intended to be a definitive guide or a substitute for official documentation. You should always consult the official documentation and test your configuration before applying it to your production environment. I am not responsible for any damage or loss caused by following this article.