From dcd971d079339f10b8e72b24372b47cd38a48bbc Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 21 Mar 2015 16:14:01 +0000
Subject: [PATCH] the opendmarc miter should run on incoming mail only

I added OpenDMARC's milter in fba4d4702e233fa66591ca37e6fe71225c661846. But this started setting Authentication-Results headers on outbound mail with failures. Not sure why it fails at that point, but it shouldn't be set at all. The failure might cause recipients to junk the mail. See #358. This commit removes the milter from the SMTP submission (port 587) listener.
---
 setup/dkim.sh | 4 ++++
 setup/mail-postfix.sh | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/setup/dkim.sh b/setup/dkim.sh
index 4ef82419..56d5c3fc 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -60,6 +60,10 @@ tools/editconf.py /etc/opendmarc.conf -s \
 #
 # Be careful. If we add other milters later, this needs to be concatenated
 # on the smtpd_milters line.
+#
+# The OpenDMARC milter is skipped in the SMTP submission listener by
+# configuring smtpd_milters there to only list the OpenDKIM milter
+# (see mail-postfix.sh).
 tools/editconf.py /etc/postfix/main.cf \
 "smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
 non_smtpd_milters=\$smtpd_milters \
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index f467f2fd..f3cfc065 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
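Review bot: In the setup/dkim.sh hunk, the context line `non_smtpd_milters=\$smtpd_milters` still expands to both milters, so mail injected without SMTP (for example through sendmail(1)) would presumably still pass through OpenDMARC on 8893 after this change. The new comment documents only the port 587 override. If outbound Authentication-Results headers are the concern, consider `non_smtpd_milters=inet:127.0.0.1:8891` as well, or extend the comment to say that locally injected mail is intentionally left on both milters. The editconf.py call continues past the end of the hunk, so any later settings are not visible here.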
@@ -62,6 +62,9 @@ tools/editconf.py /etc/postfix/main.cf \

 # Enable the 'submission' port 587 smtpd server and tweak its settings.
 #
+# * Do not add the OpenDMAC Authentication-Results header. That should only be added
+# on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
+# OpenDKIM milter only. See dkim.sh.
 # * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 # By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
@@ -71,6 +74,7 @@ tools/editconf.py /etc/postfix/main.cf \
 tools/editconf.py /etc/postfix/master.cf -s -w \
 "submission=inet n - - - - smtpd
 -o syslog_name=postfix/submission
+ -o smtpd_milters=inet:127.0.0.1:8891
 -o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
 -o cleanup_service_name=authclean" \
 "authclean=unix n - - - 0 cleanup
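Review bot: The first added comment line in the `@@ -62,6 +62,9 @@` hunk spells the service `OpenDMAC`; it should read `OpenDMARC` so that a search for the milter name finds this override. The comment could also say why OpenDKIM stays listed, for example `#   OpenDKIM must remain listed so that submitted mail is still passed to the signing milter.`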
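Review bot: The added `-o smtpd_milters=inet:127.0.0.1:8891` in the `@@ -71,6 +74,7 @@` hunk repeats the OpenDKIM address that setup/dkim.sh writes into main.cf, so the two copies can drift apart with no error. If the port changes there, the submission listener would keep pointing at the old address, and submitted mail could go out unsigned or be deferred, depending on `milter_default_action`. A sync marker next to the override would make the coupling explicit, e.g. `# Keep 8891 in sync with smtpd_milters in dkim.sh.`; defining the address once is better if both scripts share an environment, which is not visible here. The quoted master.cf entries continue past the end of the hunk.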