Signing all outgoing mails on MTA, not on MUA

Steve Revilak steve at srevilak.net
Sat Mar 28 16:51:34 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

grover> We'd like to be able to sign all our outgoing mails.

grover> But not on each client system, which would mean everyone has
grover> to install some plugin or gpg-aware mail client, but on the
grover> mailserver itself.

grover> This way nobody has to think about it and signing works
grover> transparently for everyone. We would have one key for all,
grover> like a corporate key.

cbabcock> The corporate value of public key cryptography is much more
cbabcock> readily attained using DKIM. Milter setup and key management
cbabcock> for signing DKIM mail is pretty straightforward. You place
cbabcock> your key in Text records in DNS. That establishes a
cbabcock> meaningful connection between the identity of the sender (or
cbabcock> at least ownership of the mail server) and the owner of the
cbabcock> domain. Setting up DKIM with Postfix was at least as easy as
cbabcock> setting up GPG with Claws and it makes an identity assertion
cbabcock> that is appropriate for a server environment.

I agree with Chris -- this seems like a good application for DKIM.

In addition to non-repudiation, some email service providers will be
much less likely to categorize DKIM-signed messages as spam (if that
kind of thing matters to you.)

One DKIM implementation I've used is
<http://sourceforge.net/projects/dkim-milter/>.  dkim-milter is very
straightforward to set up with sendmail, and I know of people who've
used it with postfix (configured as a mail filter.)

Steve
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)

iEYEARECAAYFAknOR4kACgkQX7YJI4BuyDSrnQCfQ3HjyT2VSwqaw6Hx0QrPyrUu
6Z0AoKi2PIMJG1h/kpyKPeP9lJ9y3gM/
=9O3c
-----END PGP SIGNATURE-----
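
The key lookup described in the quoted text, seen from the receiving side, as an added example that is not part of the original message and not dkim-milter's own code: it parses a DKIM-Signature header, derives the DNS name of the TXT record holding the public key, and reads that record. The domain, selector, key bytes and function names are constructed placeholders.

```python
import base64
import re

# Constructed sample data (not from the original message): the value of a
# DKIM-Signature header as a signing milter would add it, and the TXT record
# the domain owner would publish. Domain, selector and key are placeholders.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=mail2009;\r\n"
    "\th=from:to:subject:date; bh=Zm9vYmFy;\r\n"
    "\tb=c2lnbmF0dXJl"
)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder-key").decode()


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        name = name.strip()
        # A tag without '=' or a repeated tag name invalidates the whole list.
        if not sep or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % item)
        # Header folding whitespace is dropped; safe for the tags used here.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(sig_tags):
    """DNS name of the TXT record: <selector>._domainkey.<signing domain>."""
    return "%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"])


def load_public_key(txt_record):
    """Return the raw key bytes from a key record, or None if revoked."""
    tags = parse_tag_list(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    if tags["p"] == "":
        return None  # an empty p= means the domain owner revoked this key
    return base64.b64decode(tags["p"], validate=True)
```

Because the selector is part of the DNS name, a domain can publish a new key under a new selector and empty the old record's `p=` to rotate the single server-side key without touching any client.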


