On 17/08/2022 12:21, Matus UHLAR - fantomas wrote:
On 17.08.22 11:38, Andy Beverley wrote:
Is there any way that I can capture the exact content of an email as it is delivered by Postfix to an external host? I am looking for something different to always_bcc or similar, in that I want to capture the exact email content rather than deliver a copy of it elsewhere.

The reason is that a recipient host is claiming that DKIM signatures are broken from my server, despite them being correct for all other recipients. I would like to take an exact copy of the email as it is delivered, and run it through an independent DKIM checker (opendkim is used as a milter to sign the emails).

Perhaps you could put the remote IP into debug_peer_list and increase debug_peer_level.

Thanks for the reply. I received a separate off-list reply which pointed out that *_bcc functions still capture the email as it would have been, with DKIM signatures etc (I assumed it would take a different route and be formatted differently if delivering a copy locally).

I've done some testing as such, and the captured email does seem to be signed correctly.

I guess that the remote host doesn't support 8BITMIME and your server signs 8-bit e-mail, which can lead to invalid DKIM signatures.

This is a weakness of the current DKIM standard, which doesn't handle this situation and instead proposes converting to 7-bit prior to signing.

Try connecting to the remote host to see if EHLO results in an 8BITMIME line in the response.

This is an interesting point that I hadn't thought of. I have smtputf8_enable set to yes, but I have just checked the remote server and it only shows:

250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP

So are you suggesting that what might be happening is that the email is being DKIM-signed as an 8-bit message (with the opendkim milter), and then after the signature has been added that the content is then altered in order to be delivered as a 7-bit message?

The sending server in question delivers many thousands of emails a day and I'm not *aware* of any other problems, but I don't know how widely deployed 8BITMIME is?

FWIW, the remote email system is Mimecast - I'd be interested to know if anyone else is having trouble delivering emails to them with valid DKIM signatures.

Thanks,

Andy
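
A sketch of the check discussed in this thread, added as an example and not part of the original messages: given a server's EHLO reply and a message, it reports which MIME parts are declared 8bit when the server does not advertise 8BITMIME, the case in which content may be re-encoded after signing. The sample message, addresses and function names are constructed for illustration.

```python
import email
from email import policy

# EHLO reply lines as reported in the thread (only the lines quoted there).
EHLO_REPLY = "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n"

# Constructed sample message: UTF-8 body declared with 8bit transfer encoding.
SAMPLE_MSG = (
    "From: sender@example.com\r\n"
    "To: rcpt@example.net\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "Caf\u00e9 receipt attached.\r\n"
).encode("utf-8")


def ehlo_extensions(reply: str) -> set:
    """Return the first keyword of each 250 line in an EHLO reply.

    In a full reply the first line is the server greeting, so its first
    word (the host name) also ends up in the set; that is harmless here.
    """
    exts = set()
    for line in reply.splitlines():
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words:
                exts.add(words[0].upper())
    return exts


def eight_bit_parts(raw: bytes) -> list:
    """List content types of leaf MIME parts declared as 8bit or binary."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte in ("8bit", "binary"):
            found.append(part.get_content_type())
    return found


def downgrade_risk(ehlo_reply: str, raw: bytes) -> list:
    """Parts that may be re-encoded after signing; empty list means none."""
    if "8BITMIME" in ehlo_extensions(ehlo_reply):
        return []
    return eight_bit_parts(raw)
```

The check is header-based only: it trusts the declared Content-Transfer-Encoding and does not scan bodies for undeclared 8-bit bytes.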
