Viktor Dukhovni via Postfix-users:
> On Mon, Sep 04, 2023 at 12:18:38PM -0400, Viktor Dukhovni via Postfix-users
> wrote:
>
> > It is best to enable this for outbound mail only, i.e. messages that
> > arrive on the submission ports or through local submission via
> > sendmail(1)->postdrop(1)->pickup(8). That way, inbound 8bit mail will
> > not fail DKIM signature checks.
> >
> > One way to do that is to tweak the master.cf file to match the below:
> >
> > $ postconf -P '*/inet/enforce_mime_input_conversion'
> > smtps/inet/enforce_mime_input_conversion = yes
> > submission/inet/enforce_mime_input_conversion = yes
> >
> > $ postconf -Mf pickup/unix cleanups/unix
> > pickup unix n - n 60 1 pickup
> > -o cleanup_service_name=cleanups
> > cleanups unix n - n - 0 cleanup
> > -o enforce_mime_input_conversion=yes
> >
> > [ Your service name for wrapper-mode SMTP on port 465 may be
> > "submissions" or just "465", ... The "cleanups" service entry
> > is a clone of the "cleanup" entry with a tweak. ]
>
> Note, this was with the 3.9-20230901 snapshot, the "en" in "enforce_..."
> was dropped in 3.9-20230903.
I agree that the manpage text is not yet complete, and that this
feature needs a good example.
In the case of a a single-purpose MTA that sends messages only, I
would argue to have "force_mime_input_conversion = yes" in main.cf.
It gets more complicated with a mixed-purpose MTA that also receives
messages from remote domains. That MTA should sign locally-generated
delivery status notification messages because they may need to be
delivered to remote senders; these messages are generated by the
bounce, trace, etc., services.
If I am not mistaken, the example n the quoted text above would end
up havibg a half-dozen "-o cleanup_service" overrides in master.cf
for the pickup, submissions, and submissions services, and for the
services that generate delivery status notifications.
Instead of a half-dozen "-o cleanup_service" overrides, it may be
simpler to have "force_mime_input_conversion = yes" in main.cf and
to configure only the port 25 service for remote clients to use a
cleanup service with "-o { force_mime_input_conversion = no }".
Thus:
/etc/postfix/main.cf:
force_mime_input_conversion = yes
/etc/postfix/master.cf:
submission inet n - n - - smtpd
...the usual smtpd_xxx = mua_xxx overrides...
submissions inet n - n - - smtpd
...the usual smtpd_xxx = mua_xxx overrides...
smtp inet n - n - - smtpd
-o { cleanup_service_name = cleanup-remote
cleanup-remote unix n - n - 0 cleanup
-o { enforce_mime_input_conversion = yes }
It gets messier when that MTA also provides "forwarding" service
for internal MTAs. In that case one might have to use a smtpd service
instance on a dedocated interface address for those internal MTAs.
10.0.0.2:smtp inet n - n - - smtpd
I hope we can clean this up further and improve the documentation.
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
