How to tell sendmail to do masquerading before DKIM?


Problem: Using

:
:
dnl # opendkim
include(`/etc/mail/m4/opendkim.m4')dnl

dnl # ClamAV milter
include(`/etc/mail/m4/clamav-milter.m4')dnl

dnl # Masquerading options
MASQUERADE_AS(`example.com')dnl
MASQUERADE_DOMAIN(`example.com')dnl
MASQUERADE_DOMAIN(`example.de')dnl

FEATURE(`always_add_domain')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
:
:

in sendmail.mc, opendkim adds a signature to the header, and next sendmail changes the header for masquerading, making the DKIM signature invalid. Not reasonable.

How can I tell sendmail to apply all the "masquerade" options and features before adding a signature via opendkim?

There are 1 best solutions below

I'm working through that same problem. I don't have a working config yet, but it looks like the ReplaceRules setting in opendkim.conf is the thing to use.

From the man page:

ReplaceRules (string) Specifies a file containing a list of text replacement rules that are applied to the message header fields to replace certain content expected to be changed as the message passes through local MTAs. This can be used to accommodate expected changes such as are made to From: fields by MTA "masquerade" features.

Edit: Version 2.11.0-0.1 in the EPEL repo has the ReplaceRules feature marked experimental, not compiled into the distribution bundle, so not easily available. I abandoned the idea of compiling my own copy. Much easier (at least in my case) to have Sendmail rewrite headers during intake - in "submit.mc" - before OpenDKIM ever sees them.

i.e., the sendmail.mc and submit.mc config files both include stuff like this:

MASQUERADE_AS(`mydomain.com')
FEATURE(`masquerade_envelope')
MASQUERADE_DOMAIN(`notherhost.mydomain.com')
MASQUERADE_DOMAIN_FILE(`/my/awesome/hostlist')
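
A check for the fix described in the answer, as an added example that is not part of the original post: it compares the masquerade lines of the two .mc files and lists those that submit.mc lacks. The function names and the sample file contents are constructed for illustration, and it assumes one directive per line, as in the question.

```python
import re

# Matches an m4 macro call at the start of a line with a `quoted' first
# argument. Lines commented out with a leading "dnl" do not match.
_DIRECTIVE = re.compile(
    r"^\s*(MASQUERADE_AS|MASQUERADE_DOMAIN_FILE|MASQUERADE_DOMAIN|FEATURE)"
    r"\(\s*`([^']*)'"
)
# Address-rewriting FEATUREs listed in the question.
_REWRITE_FEATURES = {"always_add_domain", "allmasquerade",
                     "masquerade_envelope", "masquerade_entire_domain"}

def masquerade_directives(mc_text):
    """Return the set of (macro, argument) rewrite directives in an .mc file."""
    found = set()
    for line in mc_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and (m.group(1) != "FEATURE" or m.group(2) in _REWRITE_FEATURES):
            found.add(m.groups())
    return found

def missing_from_submit(sendmail_mc, submit_mc):
    """Directives in sendmail.mc that submit.mc lacks, i.e. rewrites that
    would still be applied after the milter has signed the message."""
    return sorted(masquerade_directives(sendmail_mc)
                  - masquerade_directives(submit_mc))

# Constructed sample inputs: the question's sendmail.mc lines and a
# partial submit.mc that carries only some of them.
SAMPLE_SENDMAIL_MC = """\
include(`/etc/mail/m4/opendkim.m4')dnl
MASQUERADE_AS(`example.com')dnl
MASQUERADE_DOMAIN(`example.com')dnl
MASQUERADE_DOMAIN(`example.de')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
"""
SAMPLE_SUBMIT_MC = """\
FEATURE(`msp', `[127.0.0.1]')dnl
MASQUERADE_AS(`example.com')dnl
dnl MASQUERADE_DOMAIN(`example.de')dnl
FEATURE(`masquerade_envelope')dnl
"""

if __name__ == "__main__":
    for macro, arg in missing_from_submit(SAMPLE_SENDMAIL_MC, SAMPLE_SUBMIT_MC):
        print(f"submit.mc is missing {macro}(`{arg}')")
```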