Mauricio Tavares:
> Stupid question: are you using 8bitmime? If so, I had an issue
> (http://unixwars.blogspot.com/2015/01/8bitmime-and-dkim-body-authentication.html)
> with receiving 8bitmime that was not being flagged as so, which would
> cause postfix to assume it was 7bit ASCII email and then DKIM would
> fail. Not saying it is your problem, but that is something to think
> about.
Now, as you found MailScanner as the reason for the post-signing modification,
I would still like to focus the list on 8BITMIME.
Problem:
https://tools.ietf.org/html/rfc4871#section-5.3
For two weeks or so I have consistently disabled the 8BITMIME extension on
any SMTP server I use for submission. Postfix - the MTA I usually run - has
the ability to disable SMTP extensions very granularly.
postfix/master.cf

    # public MX, 8BITMIME still announced
    25 inet n - - - - smtpd
        -o smtpd_milters=$opendkim_verifier
    # private submission, 7bit only
    587 inet n - - - - smtpd
        -o smtpd_discard_ehlo_keywords=8BITMIME,ETRN,silent-discard
        -o smtpd_milters=$opendkim_signer
        -o $sasl_foo
        -o $tls_foo

I deployed this concept on every submission server I operate. Together with
new DKIM keys (only 2048 bit, no more 4k), my rate of messages passing
DMARC increased dramatically.
There are many large ISPs - also in Germany - not announcing 8BITMIME.
So my outbound MTA had to re-code the just-signed message and destroy
the signature on the first hop. Not announcing 8BITMIME forces the
submitting MUA to re-code the content before the MSA applies a DKIM
signature.
This is not perfect and I am aware of one disadvantage for today:
It's no longer possible to simply bounce a message with 8bit encoded
message content.
Andreas
Received on Tue Jul 28 2015 - 06:11:07 PST
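
Added example, not part of the original post or of Postfix/OpenDKIM: a Python model of the effect described above, comparing the DKIM body hash (bh=) before and after a hop that must re-code 8-bit content. It covers only the body hash with relaxed canonicalization; the function names and the sample body are constructed for illustration.

```python
import base64
import hashlib
import quopri
import re

CRLF = b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 4871, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(CRLF)]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(l + CRLF for l in lines)

def body_hash(body: bytes) -> str:
    """Value a signer stores in bh= and a verifier recomputes (sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def is_8bit(body: bytes) -> bool:
    return any(b > 0x7F for b in body)

def to_quoted_printable(body: bytes) -> bytes:
    """Line-by-line QP encoding; sample lines are short, so no soft breaks."""
    return CRLF.join(quopri.encodestring(l) for l in body.split(CRLF))

def relay(body: bytes, next_hop_8bitmime: bool) -> bytes:
    """Model of an outbound hop: 8-bit content is re-coded for a peer that
    does not announce 8BITMIME; 7-bit content passes through unchanged."""
    if is_8bit(body) and not next_hop_8bitmime:
        return to_quoted_printable(body)
    return body

def signature_survives(signed_body: bytes, next_hop_8bitmime: bool) -> bool:
    return body_hash(signed_body) == body_hash(relay(signed_body, next_hop_8bitmime))

# Constructed sample body (UTF-8, contains bytes above 0x7F).
BODY_8BIT = "Gr\u00fc\u00dfe aus M\u00fcnchen".encode("utf-8") + CRLF
# What an MUA has to submit when the MSA does not announce 8BITMIME.
BODY_MUA_ENCODED = to_quoted_printable(BODY_8BIT)

if __name__ == "__main__":
    print("signed 8bit, 8BITMIME peer :", signature_survives(BODY_8BIT, True))
    print("signed 8bit, 7bit-only peer:", signature_survives(BODY_8BIT, False))
    print("signed QP,   7bit-only peer:", signature_survives(BODY_MUA_ENCODED, False))
```

A real re-coding hop also rewrites the Content-Transfer-Encoding header, which is commonly among the signed header fields, so the header hash would fail as well.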