I recently noticed that locally generated mail (php mail, sendmail, cron, shell users, etc.) is being DKIM-signed the same way as authenticated SMTP submission. Because of that, any user on the server can send as another address and it will pass DKIM/DMARC since the server signs it (even if they don't have shell access, they can use php mail).
My initial idea was to stop signing locally injected mail by removing non_smtpd_milters altogether, so only authenticated submission gets DKIM, but as Adam pointed out, this would also affect outbound spam filtering, forwarders and other internal flows, so doing it globally isn’t good.
Would it be possible to add the ability to exclude only locally generated email from DKIM signing, while keeping signing for the other things that need to have it?
The goal is simply to avoid DKIM signing for messages coming from sendmail/php mail, so they don’t pass DMARC when a user spoofs other addresses.
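As an added illustration (not from the original post or the thread), one way to get exactly this split on a stock Postfix + OpenDKIM setup: keep the spam/content milter in both milter lists, but list the DKIM milter only in smtpd_milters, so mail injected through pickup(8) (the sendmail binary, PHP mail(), cron) is never handed to the signer while SMTP sessions still are. The socket addresses are assumed placeholders; substitute your own milter endpoints.

```conf
# main.cf (assumed socket addresses: 8891 = DKIM milter, 11332 = spam milter)

# Before: both lists hand every message to the DKIM milter, so locally
# injected mail (pickup(8): sendmail, PHP mail(), cron) is signed too.
#smtpd_milters     = inet:127.0.0.1:8891, inet:127.0.0.1:11332
#non_smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:11332

# After: SMTP sessions (port 25 and submission) still reach the DKIM milter;
# OpenDKIM decides sign-vs-verify there by its own InternalHosts/auth rules.
smtpd_milters     = inet:127.0.0.1:8891, inet:127.0.0.1:11332

# Locally injected mail only passes through the spam/content milter, so it
# is still filtered but leaves the server without a DKIM signature and
# therefore fails DMARC alignment for any spoofed From: domain.
non_smtpd_milters = inet:127.0.0.1:11332
```

After `postfix reload`, inject a message with `sendmail -t` and confirm the outbound copy carries no DKIM-Signature header, then send one through authenticated submission and confirm it does. Any local process that legitimately needs a signature (list software, autoresponders) then has to submit via authenticated SMTP instead of the sendmail binary.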