Just wanted to follow up on this thread to document the resolution to
this thread. (Thanks, Jeremy, for helping me with this off-list.)
As Jeremy explained to me:
> If the "dkim_domain" option is set in any way,
> including with an expansion that would (later) evaluate to empty,
> we can't do cutthrough (because A we can't evaluate an expansion yet
> and B signing adds headers but needs the entire body - and the essence
> of cutthrough is that we transmit the body onwards as we are receiving
> it from the originator).
So, even though the domain I was relaying for was not one for which I am
DKIM signing messages, the presence of DKIM in the transport was turning
off cutthrough. My solution so far is to use two different transports:
one for relay domains with no DKIM at all in the transport and the other
for other non-local domains with the usual DKIM stuff. Like this:
lookuprelay:
driver = dnslookup
domains = +mx_domains
ignore_target_hosts = 127.0.0.0/8
condition = "${perl{check_limits}}"
transport = remote_relay
no_more
lookuphost:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
condition = "${perl{check_limits}}"
transport = remote_smtp
no_more
Now that I have things set up this way, I am getting cutthrough when
relaying and rejections by the destination host are resulting in 5xx
rejections instead of a bounce message. Hallelujah! :)
If I am correct, I still have this case to deal with: a message
submitted locally or from an authenticated sender in a domain I should
DKIM sign for, but destined for a domain for which the server is a
relay. In this case, I don't need to use cutthrough, since the sender
should not a be spammer and the message is unlikely to fail and generate
a bounce. So I think I need an additional condition in the first router
so this case will fall through to the second router?
--
Rob Szarka
http://szarka.org/