Postfix, Amavis and DKIM body hashes

Postfix, Amavis and DKIM body hashes

Ralph Seichter-2
For quite some time, I have used OpenDKIM and lately dkimpy-milter to
sign messages entering Postfix via port 587:

  # /etc/postfix/master.cf
  submission  inet  n  -  n  -  -  smtpd
   -o smtpd_milters=unix:/run/dkimpy-milter/socket
   -o content_filter=amavis:localhost:10124
   [...]
  amavis  unix  -  -  n  -  2  smtp
   -o smtp_send_xforward_command=yes

It turns out that messages containing German umlauts (or other symbols
causing Thunderbird to use "Content-Type: text/plain; charset=utf-8")
result in Google MXs reporting the following:

  ARC-Authentication-Results: i=1; mx.google.com;
    dkim=neutral (body hash did not verify) [...]

If I change the above to

  submission  inet  n  -  n  -  -  smtpd
   -o smtpd_milters=inet:localhost:10124,unix:/run/dkimpy-milter/socket

Google validates the DKIM signatures as OK. In the latter case, Amavis
is called as a milter instead of as a content filter. The signatures are
even correct if they pass through dkimpy-milter before Amavis.

I am pretty certain that this means Amavis, when invoked as a content
filter, messes with the message bodies. Where there were 8bit symbols, I
find quoted-printable.

Before filing a bug report for Amavis, I just want to make sure I did
not miss some peculiarity of after-queue content filters?

-Ralph



Re: Postfix, Amavis and DKIM body hashes

Bastian Blank-3
On Wed, Sep 11, 2019 at 09:24:39PM +0200, Ralph Seichter wrote:
> Before filing a bug report for Amavis, I just want to make sure I did
> not miss some peculiarity of after-queue content filters?

Any reason you don't use Amavis for DKIM signing?

Bastian

--
Bones: "The man's DEAD, Jim!"

Re: Postfix, Amavis and DKIM body hashes

Wietse Venema
In reply to this post by Ralph Seichter-2
Ralph Seichter:
>   # /etc/postfix/master.cf
>   submission  inet  n  -  n  -  -  smtpd
>    -o smtpd_milters=unix:/run/dkimpy-milter/socket
>    -o content_filter=amavis:localhost:10124
>    [...]
>   amavis  unix  -  -  n  -  2  smtp
>    -o smtp_send_xforward_command=yes

You may want to add

     -o disable_mime_output_conversion=yes

to avoid conversions from 8BITMIME to quoted-printable.

Postfix by default converts when it does not see 8BITMIME
support announced in the SMTP "server" EHLO response.

        Wietse
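
Added example, not part of any post in this thread: a Python sketch of why the 8BITMIME to quoted-printable conversion invalidates the DKIM `bh=` value for messages with umlauts while ASCII-only messages still verify. The sample bodies and the helper names (`canon_body`, `body_hash`, `to_quoted_printable`, `survives_conversion`) are constructed for illustration; the encoder is a minimal stand-in for the MTA's conversion and assumes lines short enough to need no soft line breaks.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization, RFC 6376 sections 3.4.3 and 3.4.4."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of WSP to one SP and drop WSP at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer or verifier computes for the bh= tag (SHA-256)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def to_quoted_printable(body: bytes) -> bytes:
    """Minimal RFC 2045 quoted-printable encoder; assumes short lines (no soft breaks)."""
    out = []
    for ln in body.split(b"\r\n"):
        enc = "".join(
            chr(b) if (33 <= b <= 126 and b != 0x3D) or b in (9, 32) else "=%02X" % b
            for b in ln
        )
        if enc[-1:] in (" ", "\t"):  # whitespace at end of line must be encoded
            enc = enc[:-1] + "=%02X" % ord(enc[-1])
        out.append(enc.encode("ascii"))
    return b"\r\n".join(out)

def survives_conversion(body: bytes, mode: str = "relaxed") -> bool:
    """True if bh= computed before the hop still matches after 8bit -> QP."""
    return body_hash(body, mode) == body_hash(to_quoted_printable(body), mode)

# Constructed sample bodies (UTF-8, CRLF line endings), not taken from the thread.
UMLAUT_BODY = "Gr\u00fc\u00dfe aus M\u00fcnchen\r\nsecond line\r\n".encode("utf-8")
ASCII_BODY = b"Greetings from Munich\r\nsecond line\r\n"

if __name__ == "__main__":
    for name, body in (("ascii", ASCII_BODY), ("umlaut", UMLAUT_BODY)):
        print(name, "signed   bh=" + body_hash(body))
        print(name, "received bh=" + body_hash(to_quoted_printable(body)))
        print(name, "verifies:", survives_conversion(body))
```

Neither canonicalization mode undoes a transfer-encoding change, so the signature only survives if every hop after the signer leaves the encoding alone.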

Re: Postfix, Amavis and DKIM body hashes

Benny Pedersen-2
In reply to this post by Ralph Seichter-2
Ralph Seichter wrote on 2019-09-11 21:24:

> Before filing a bug report for Amavis, I just want to make sure I did
> not miss some peculiarity of after-queue content filters?

google amavisd 8bitmime, so amavisd only and always sees 7bit MIME. I
remember this was it when I used amavisd with amavisd DKIM signing; if
it's still this, make updates to the wiki and docs

thanks to Mark Martinec for this hint

Configuring multiple mail paths in amavisd
https://www.ijs.si/software/amavisd/amavisd-new-docs.html

[SOLVED] Re: Postfix, Amavis and DKIM body hashes

Ralph Seichter-2
In reply to this post by Wietse Venema
* Wietse Venema:

> Postfix by default converts when it does not see 8BITMIME
> support announced in the SMTP "server" EHLO response.

Thanks Wietse, "disable_mime_output_conversion=yes" does the trick for
me. I was hoping I had missed some configuration switch.

-Ralph

Re: Postfix, Amavis and DKIM body hashes

Ralph Seichter-2
In reply to this post by Bastian Blank-3
* Bastian Blank:

> Any reason you don't use Amavis for DKIM signing?

Over time, I have contributed code to Amavis, OpenDKIM and dkimpy-
milter. Right now, I use the latter as a basis, because I need to
implement a very flexible DKIM signing mechanism. As you know from
your existing merge request, Amavis needs restructuring. ;-)

-Ralph

Re: Postfix, Amavis and DKIM body hashes

Matus UHLAR - fantomas
In reply to this post by Wietse Venema
>Ralph Seichter:
>>   # /etc/postfix/master.cf
>>   submission  inet  n  -  n  -  -  smtpd
>>    -o smtpd_milters=unix:/run/dkimpy-milter/socket
>>    -o content_filter=amavis:localhost:10124
>>    [...]
>>   amavis  unix  -  -  n  -  2  smtp
>>    -o smtp_send_xforward_command=yes

On 11.09.19 15:36, Wietse Venema wrote:
>You may want to add
>
>     -o disable_mime_output_conversion=yes
>
>to avoid conversions from 8BITMIME to quoted-printable.
>
>Postfix by default converts when it does not see 8BITMIME
>support announced in the SMTP "server" EHLO response.

...and some mailservers convert quoted-printable to 8bit.
Both are legal in the sense of the SMTP RFCs, and ignoring this is IMHO a
major design flaw of DKIM.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."