For quite some time, I have used OpenDKIM and lately dkimpy-milter to
sign messages entering Postfix via port 587:

  # /etc/postfix/master.cf
  submission  inet  n  -  n  -  -  smtpd
   -o smtpd_milters=unix:/run/dkimpy-milter/socket
   -o content_filter=amavis:localhost:10124
   [...]
  amavis  unix  -  -  n  -  2  smtp
   -o smtp_send_xforward_command=yes

It turns out that messages containing German umlauts (or other symbols
causing Thunderbird to use "Content-Type: text/plain; charset=utf-8")
result in Google MXs reporting the following:

  ARC-Authentication-Results: i=1; mx.google.com;
    dkim=neutral (body hash did not verify) [...]

If I change the above to

  submission  inet  n  -  n  -  -  smtpd
   -o smtpd_milters=inet:localhost:10124,unix:/run/dkimpy-milter/socket

Google validates the DKIM signatures as OK. In the latter case, Amavis
is called as a milter instead of as a content filter. The signatures are
even correct if they pass through dkimpy-milter before Amavis.

I am pretty certain that this means Amavis, when invoked as a content
filter, messes with the message bodies. Where there were 8bit symbols, I
find quoted-printable.

Before filing a bug report for Amavis, I just want to make sure I did
not miss some peculiarity of after-queue content filters?

-Ralph
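
Added example, not part of the original message: a DKIM signature commits to a hash of the canonicalized body bytes (the bh= tag, RFC 6376), so any hop that re-encodes an 8bit body as quoted-printable after signing produces "body hash did not verify", while a pure-ASCII body passes unchanged. The sample bodies and function names are constructed for illustration, and the per-line encoder assumes short lines (no soft line breaks).

```python
import base64
import hashlib
import quopri
import re

def canon_body(body: bytes, relaxed: bool = True) -> bytes:
    """Body canonicalization per RFC 6376, 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse whitespace runs to one space, drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = True) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.sha256(canon_body(body, relaxed)).digest()
    return base64.b64encode(digest).decode("ascii")

def to_quoted_printable(body: bytes) -> bytes:
    """Re-encode line by line so CRLF stays intact (assumes short lines)."""
    return b"\r\n".join(quopri.encodestring(ln) for ln in body.split(b"\r\n"))

def compare(body_8bit: bytes) -> dict:
    """Hash computed by the signer vs. hash of the bytes the receiver gets."""
    received = to_quoted_printable(body_8bit)
    return {
        "received": received,
        "signed_bh": body_hash(body_8bit),
        "received_bh": body_hash(received),
    }

# Constructed sample bodies (CRLF line endings, as on the wire).
UMLAUT_BODY = "Viele Grüße aus Köln\r\n".encode("utf-8")
ASCII_BODY = b"Greetings from Cologne\r\n"

if __name__ == "__main__":
    for name, body in (("8bit", UMLAUT_BODY), ("ascii", ASCII_BODY)):
        r = compare(body)
        ok = r["signed_bh"] == r["received_bh"]
        print(name, r["received"], "pass" if ok else "body hash did not verify")
```

Comparing the bh= value in the DKIM-Signature header of the delivered message with a hash recomputed over the delivered body shows whether the body changed after signing.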

