On 17/08/2022 12:21, Matus UHLAR - fantomas wrote:
I guess that the remote host doesn't support 8BITMIME and your server signs 8-bit e-mail, which can lead to invalid DKIM signatures.

This is a weakness of the current DKIM standard, which doesn't handle this situation and instead proposes converting to 7-bit prior to signing.

Try connecting to the remote host to see if EHLO results in an 8BITMIME line in the response.

On 17.08.22 13:45, Andy Beverley wrote:
This is an interesting point that I hadn't thought of. I have smtputf8_enable set to yes, but I have just checked the remote server and it only shows:

250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP

So are you suggesting that what might be happening is that the email is being DKIM-signed as an 8-bit message (with the opendkim milter), and then after the signature has been added that the content is then altered in order to be delivered as a 7-bit message?

As that server doesn't announce 8-bit support, the message is most probably recoded to 7-bit, which breaks DKIM.

The sending server in question delivers many thousands of emails a day and I'm not *aware* of any other problems, but I don't know how widely deployed 8BITMIME is?

FWIW, the remote email system is Mimecast - I'd be interested to know if anyone else is having trouble delivering emails to them with valid DKIM signatures.

Some sources explicitly recommend recoding to 7-bit because of this:

https://blog.jeanbruenn.info/2021/08/07/amavisd-new-and-dkim/

I was thinking about recoding and signing - I use a multi-instance setup to implement SRS and signing in another instance, so it should be easy to disable 8bit in the input to that instance.

However, doing that would break existing DKIM signatures for forwarded e-mail so I avoid that for now.

Perhaps routing e-mail for domains known not to support 8bit through a different instance (can be the same one that signs mail, just a different port where 8bit is disabled) should do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
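
The failure discussed in this thread, as an added example that is not part of the original messages: it checks an EHLO reply for 8BITMIME and shows that re-encoding a signed 8-bit body to 7-bit changes the DKIM body hash (`bh=`). The greeting line, the host name `mx.example.test`, the sample body, the use of quoted-printable as the 7-bit recoding and "simple" body canonicalization are assumptions made for the illustration.

```python
import base64
import hashlib
import quopri

# Constructed EHLO reply; the last three lines are the ones quoted in the thread,
# the greeting line and host name are made up.
EHLO_REPLY = ("250-mx.example.test Hello\r\n"
              "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")

# Constructed 8-bit (UTF-8) message body as it would be seen by the signer.
BODY_8BIT = "Grüße aus Košice\r\nplain second line\r\n".encode("utf-8")

def ehlo_extensions(reply):
    """Return the ESMTP keywords announced in a multi-line 250 reply."""
    exts = set()
    for line in reply.splitlines()[1:]:          # skip the greeting line
        if line.startswith("250") and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts

def body_hash(body):
    """DKIM bh= value: 'simple' body canonicalization (RFC 6376), SHA-256."""
    while body.endswith(b"\r\n\r\n"):            # drop empty trailing lines
        body = body[:-2]
    if not body.endswith(b"\r\n"):               # body always ends in one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def recode_7bit(body):
    """Re-encode each line as quoted-printable, as a 7-bit downgrade would."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(quopri.encodestring(l) for l in lines)

def downgrade_breaks_signature(reply, body):
    """True if the peer lacks 8BITMIME and the body has bytes above 0x7F."""
    return "8BITMIME" not in ehlo_extensions(reply) and not body.isascii()

if __name__ == "__main__":
    print("announced:", sorted(ehlo_extensions(EHLO_REPLY)))
    print("bh when signed   :", body_hash(BODY_8BIT))
    print("bh when delivered:", body_hash(recode_7bit(BODY_8BIT)))
    print("at risk:", downgrade_breaks_signature(EHLO_REPLY, BODY_8BIT))
```

The two `bh` values differ, so a verifier on the receiving side computes a hash that no longer matches the one in the DKIM-Signature header.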
