Re: Help Request: wrong body hash / 8BITMIME

From: A. Schulze <sca_at_andreasschulze.de>
Date: Tue, 28 Jul 2015 08:10:53 +0200

Mauricio Tavares:

> Stupid question: are you using 8bitmime? If so, I had an issue
> (http://unixwars.blogspot.com/2015/01/8bitmime-and-dkim-body-authentication.html)
> with receiving 8bitmime that was not being flagged as so, which would
> cause postfix to assume it was 7bit ASCII email and then DKIM would
> fail. Not saying it is your problem, but that is something to think
> about.

Now, as you found mailscanner to be the reason for the post-signing modification,
I'd still like to focus the list on 8BITMIME.
Problem: https://tools.ietf.org/html/rfc4871#section-5.3

Since about two weeks ago I have consistently disabled the 8BITMIME extension on
any SMTP server I use for submission. Postfix - the MTA I usually run - has the
ability to disable SMTP extensions in a very granular way.

postfix/master.cf
   # public MX, 8BITMIME still announced
   25 inet n - - - - smtpd
    -o smtpd_milters=$opendkim_verifier

   # private submission, 7bit only
   587 inet n - - - - smtpd
    -o smtpd_discard_ehlo_keywords=8BITMIME,ETRN,silent-discard
    -o smtpd_milters=$opendkim_signer
    -o $sasl_foo
    -o $tls_foo

I deployed this concept on every submission server I operate. Together with
new DKIM keys (only 2048 bit, no more 4k), my rate of messages passing
DMARC increased dramatically.

There are many large ISPs - also in Germany - not announcing 8BITMIME.
So my outbound MTA had to re-code the just-signed message and destroy
the signature on the first hop. Not announcing 8BITMIME forces the
submitting MUA to re-code the content before the MSA applies a DKIM signature.

This is not perfect, and I am aware of one disadvantage for today:
it's no longer possible to simply bounce a message with 8bit-encoded
message content.

Andreas
Received on Tue Jul 28 2015 - 06:11:07 PST
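The following is an added illustration of the body-hash problem Andreas points at (RFC 4871 section 5.3); it is not code from the original post or from Postfix. It models the MUA -> MSA -> first-hop relay path with a constructed 8-bit body: DKIM "simple" body canonicalization with SHA-256 is implemented as in the RFC, while the MUA, MSA and relay behaviour is a deliberately simplified assumption (a relay re-codes an 8bit body to quoted-printable only when the next hop does not announce 8BITMIME; an MUA that is denied 8BITMIME encodes before submission).

```python
import base64
import hashlib
import quopri


def simple_body_canon(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization: normalize line endings to CRLF,
    drop all trailing empty lines, end the body with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def recode_to_7bit(body: bytes) -> bytes:
    """Rewrite an 8-bit body as quoted-printable (what a downgrade does)."""
    return quopri.encodestring(body)


# Constructed sample: a raw UTF-8 body as an MUA would send it over 8BITMIME.
RAW_8BIT_BODY = "Grüße aus Berlin,\n\nAndreas\n".encode("utf-8")


def mua_submit(body: bytes, msa_announces_8bitmime: bool):
    """Assumed MUA behaviour: send raw 8bit if the MSA allows it, otherwise
    encode to 7-bit-safe quoted-printable before submission."""
    if msa_announces_8bitmime:
        return "8bit", body
    return "quoted-printable", recode_to_7bit(body)


def relay(cte: str, body: bytes, next_hop_announces_8bitmime: bool):
    """Assumed relay behaviour: an 8bit message bound for a 7-bit-only next
    hop is re-coded; anything already 7-bit passes through untouched."""
    if cte == "8bit" and not next_hop_announces_8bitmime:
        return "quoted-printable", recode_to_7bit(body)
    return cte, body


def signature_survives(msa_announces_8bitmime: bool,
                       next_hop_announces_8bitmime: bool) -> bool:
    """Does the bh= computed by the signing MSA still match the body that
    leaves the first hop?"""
    cte, submitted = mua_submit(RAW_8BIT_BODY, msa_announces_8bitmime)
    bh_at_signing = body_hash(submitted)          # MSA signs here
    _, delivered = relay(cte, submitted, next_hop_announces_8bitmime)
    return body_hash(delivered) == bh_at_signing  # verifier recomputes


if __name__ == "__main__":
    for msa, hop in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"MSA 8BITMIME={msa!s:5} next hop 8BITMIME={hop!s:5} "
              f"-> signature intact: {signature_survives(msa, hop)}")
```

The only failing combination is the one described in the post: the MSA accepts and signs a raw 8bit body, and the first hop has to downgrade it for a neighbour that does not announce 8BITMIME. Dropping 8BITMIME on the submission port moves the encoding step in front of the signature, so the body the verifier hashes is the body that was signed.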

This archive was generated by hypermail 2.3.0 : Tue Jul 28 2015 - 06:18:01 PST