The documentation here suggests there are three ways an email is eligible for signing.
An email must either be:
A) received from an authenticated user,
B) a reserved (local) IP address, or
C) an address in the sign_networks map (if defined).
I have mailcow configured for the domain example.com. It is an internal DNS server, so the mx record correctly points to the SMTP server the email gets routed to when it arrives from an external source. Let’s call it internal_mail.example.com.
internal_mail.example.com is also used to send email. It connects to the mailcow server as unauthenticated and hands the email over to mailcow to send.
Mailcow does not have a user list, so it doesn’t know that the user is authenticated. User mailboxes are contained in the internal email server.
This appears to dismiss option A above.
So I tried option C. My dkim_signing.conf has a bunch of defaults set. One of those is
sign_networks = "/etc/rspamd/custom/dovecot_trusted.map";
I tried updating dovecot_trusted.map with the valid internal networks that would be connecting to mailcow to send email. However, I noticed that dovecot_trusted.map removes my manual additions and reverts to a couple of addresses it puts there automatically.
So that appears to no longer be an option.
How do I use option B?
When mailcow is being used purely as an MTA relay with a spam filter, how does one get it to sign email that it relays for our internal mail server?
Thanks
Kevin