After a fairly long and frustrating day, I finally have DKIM working with Postfix on Etch. I was assuming it would be fairly straighforward, but was treated to such lovely errors as these in my mail.log:

smtpd: warning: milter [...] can't read SMFIC_OPTNEG reply packet header: Connection timed out
smtpd: warning: milter [...] read error in initial handshake
cleanup: warning: milter [...] can't read SMFIC_EOH reply packet header: Success
smtpd: warning: milter [...] can't read SMFIC_MAIL reply packet header: Success
smtpd: warning: milter [...] can't read SMFIC_OPTNEG reply packet header: Connection timed out
smtpd: warning: milter [...] read error in initial handshake

To make a long story short, dkim-filter defaults to doing DNS lookups via TCP. It never even bothers trying UDP. I suppose that makes a certain amount of sense, seeing as it expects a relatively large response (the public key). However, my anti-spam domU didn't have a firewall rule permitting 53/tcp out, so dkim-filter kept timing out after initial startup and then died.

After making sure the firewall was letting lookups via tcp through, dkim on cafuego.net works dandy :-)