On Tuesday 06 January 2009 23:06, Martin Spinassi <martins.listz@xxxxxxxxx> wrote:
> We're trying to add domain keys to a postfix server, but it can't open
> ports used by dkim to sign the mail. Here is some output of audit.log:

What do you mean? How are you using DKIM signatures?

I am using DKIM on my Postfix server, for the Debian SE Linux policy I have a domain dkim_t used for the dkim-filter program (the Milter that is used for signing and checking signatures - known outside Debian as dkim-milter).

Ancient versions of Postfix used to require a configuration where the mail was forwarded to a different port where a daemon then forwarded it back - it was really ugly in every possible way and didn't scale. Among other things it caused a proliferation of Received lines which sometimes triggered mail loop detection and exposed details of the configuration to the world when sending mail.

http://www.postfix.org/MILTER_README.html

Using a Milter is the best way to do it on a recent version of Postfix. It requires Postfix version 2.3 or newer (which means the vast majority of Postfix servers are new enough).

> I've already added the port to the postfix_master_t domain with:
> # semanage port -a -t postfix_master_t -p tcp 10026

Generally the best thing to do in such situations is to examine the context used for a similar port, the command "semanage port -l|grep 25" shows that smtp_port_t is used. While I don't recommend doing what you are doing, using the type smtp_port_t is probably going to give a better result than any other pre-existing type.

> It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.

I have some CentOS 5.2 servers running Postfix with a milter for DKIM (as part of the work required to provide the real service). The milter in question is a proprietary system to prevent Phishing email (you can contact me off-list if you want to participate in the beta program). But I'm sure that dkim-milter would also work well on CentOS 5.2 and RHEL 5.2 with Postfix.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
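
The reply above suggests finding the type of a similar port with "semanage port -l|grep 25"; a plain grep for 25 also matches ports such as 1025 or 2525 and ignores ranges. The following is an added example, not part of the original message: a small shell helper that reads a listing in the `semanage port -l` layout and prints only the types that really cover a given port. The sample listing and the `example_*` type names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `semanage port -l`
# (type, protocol, comma-separated ports or ranges). Not real system output;
# the example_* types are hypothetical.
SAMPLE='SELinux Port Type              Proto    Port Number

smtp_port_t                    tcp      25, 465, 587
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
example_range_port_t           tcp      1025-1030, 2525
example_udp_port_t             udp      25'

# port_types PROTO PORT
# Reads a `semanage port -l` style listing on stdin and prints every type
# whose port list contains PORT, either exactly or inside a lo-hi range.
# Prints nothing when no type in the listing covers the port.
port_types() {
    awk -v proto="$1" -v port="$2" '
        # Skip the header, blank lines, and lines for the other protocol.
        NR == 1 || NF < 3 || $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)          # drop the list separator
                n = split(item, r, "-")      # "1025-1030" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# On a real host: semanage port -l | port_types tcp 25
# Here the constructed sample is used so the script runs anywhere.
printf 'tcp 25    -> %s\n' "$(printf '%s\n' "$SAMPLE" | port_types tcp 25)"
printf 'tcp 10026 -> %s\n' "$(printf '%s\n' "$SAMPLE" | port_types tcp 10026)"
```

An empty result for the port you plan to use means no type in the listing covers it, which is the case where a label such as smtp_port_t would be added with `semanage port -a`.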