From cd011e23393b7edf0c7f61ebee1dcfad15e29ffb Mon Sep 17 00:00:00 2001 From: Stoiko Ivanov Date: Tue, 25 Feb 2025 16:02:02 +0100 Subject: [PATCH] reinject_local_mail: sign mails with DKIM based on header as most mails PMG generates locally has an empty envelope-sender, signing only makes sense when the from-header domain is used as signing domain. This fixes #3423, and partially addresses #2971 and #4658 (bounces generated by postfix directly are not passed through our stack, and should not be processed in general - see https://www.postfix.org/postconf.5.html#internal_mail_filter_classes). Signed-off-by: Stoiko Ivanov --- src/PMG/Utils.pm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm index b225a9e..6723b0d 100644 --- a/src/PMG/Utils.pm +++ b/src/PMG/Utils.pm @@ -247,6 +247,21 @@ sub reinject_local_mail { $params->{mail}->{smtputf8} = $needs_smtputf8; } + my $dkim_sign = $cfg->get('admin', 'dkim_sign'); + if ($dkim_sign) { + my $dkim = {}; + $dkim->{sign} = $dkim_sign; + $dkim->{use_domain} = $cfg->get('admin', 'dkim-use-domain'); + $dkim->{sign_all} = $cfg->get('admin', 'dkim_sign_all_mail'); + $dkim->{selector} = $cfg->get('admin', 'dkim_selector'); + eval { + $entity = PMG::DKIMSign::sign_entity($entity, $dkim, $sender); + }; + if ($@) { + syslog('warning', "Could not DKIM-Sign local mail: $@"); + } + } + return reinject_mail($entity, $sender, $targets, $xforward, $me, $params); }
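Review bot: `$dkim->{use_domain}` is still read from the `dkim-use-domain` setting, so this block in `reinject_local_mail` follows the admin's choice even though the commit message says signing local mail only makes sense with the From-header domain. If that option selects the envelope sender and `$sender` is empty, as the description says is usual for locally generated mail, `sign_entity` presumably fails or finds no signing domain, and the mail is reinjected unsigned with only a warning. Consider pinning the value for this path, `$dkim->{use_domain} = 'header';` (assuming that is the value `sign_entity` expects), with a comment such as `# local mail usually has an empty envelope sender, so always sign for the From-header domain`. Separately, pass the error as an argument, `syslog('warning', "Could not DKIM-Sign local mail: %s", $@);`, so a `%` in the error text is not treated as a format directive. The function body starts above the hunk, so how `$sender` and `$entity` are built is not visible here.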