[Rspamd-Users] rspamd DKIM, Mimecast and Content-Encoding
Darrin Smart
darrin at filmlight.ltd.uk
Mon Oct 21 20:05:05 UTC 2024
> On Oct 21, 2024, at 9:48 AM, Florian Effenberger <florian at effenberger.org> wrote:
>
> Postfix has SMTPUTF8 disabled because of Dovecot-LMTP, that is the unique setting on encoding I configured.
Perhaps your issue is with 8BITMIME handling.
DKIM will fail if the message body is altered after DKIM signing. This can happen when any mail hop doesn't support 8BITMIME, as the sending MTA will convert the body to 7-bit.
We had this issue with some outbound mail. The fix was to ensure all mail is converted to 7-bit before DKIM signing.
In our case we have a second Postfix instance running for outbound delivery with 8BITMIME disabled (smtpd_discard_ehlo_keywords = 8bitmime), and it does the signing with OpenDKIM. For inbound, we accept 8BITMIME and let the Rspamd milter do the DMARC validation.
This way, we can accept and validate both 7-bit & 8-bit messages, but only send 7-bit messages.
                             MUA
                              |
                              v
Internet (inbound) -> Postfix (8BITMIME) + rspamd -> Dovecot-LDA
                              |
                              v
                Postfix (!8BITMIME) + OpenDKIM
                              |
                              v
                     Internet (outbound)
From memory, disabling 8bitmime for the submission service did not work well for us - some clients ignored it and sent 8bitmime anyway. We also generate mail locally on the server, and wanted that to be downconverted before delivery.
We don't use Dovecot-LMTP for local delivery, just Dovecot-LDA, so I'm not sure how it will deal with 8BITMIME. I suspect if it doesn't advertise it, Postfix will simply convert to 7-bit. This should be ok as long as rspamd has already done the DMARC validation.
There might be better ways to do this now, it was a few years ago for us. I took the idea from a post on the Postfix mailing list.
Darrin
Ref:
https://github.com/trusteddomainproject/OpenDKIM/tree/develop/opendkim
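Added example, not part of the original post: a Python sketch of why the ordering described above matters, comparing the DKIM body hash (bh=) of a message signed as 8-bit with one downconverted to 7-bit before signing. The function names, the sample body and the use of quoted-printable as the 7-bit encoding are assumptions made for illustration; only the body hash with relaxed canonicalization is modelled, not the header signature.

```python
import base64, hashlib, quopri, re

# Constructed sample: a UTF-8 (8-bit) body with CRLF line endings.
SAMPLE = "Viele Gr\u00fc\u00dfe aus M\u00fcnchen\r\n".encode("utf-8")

def canon_relaxed(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """SHA-256 body hash as it would appear in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_relaxed(body)).digest()).decode()

def is_8bit(body: bytes) -> bool:
    return any(b > 0x7F for b in body)

def to_7bit(body: bytes) -> bytes:
    """Stand-in for an MTA's 8-bit to quoted-printable downconversion."""
    lf = body.replace(b"\r\n", b"\n")
    return quopri.encodestring(lf).replace(b"\n", b"\r\n")

def relay(body: bytes, next_hop_8bitmime: bool) -> bytes:
    """Hypothetical hop: the sender converts only if the peer lacks 8BITMIME."""
    if is_8bit(body) and not next_hop_8bitmime:
        return to_7bit(body)
    return body

def survives(body_at_signing: bytes, next_hop_8bitmime: bool) -> bool:
    """True if bh= computed at signing still matches after the hop."""
    bh = body_hash(body_at_signing)
    return body_hash(relay(body_at_signing, next_hop_8bitmime)) == bh

if __name__ == "__main__":
    print("8-bit signed, 8BITMIME hop:   ", survives(SAMPLE, True))
    print("8-bit signed, 7-bit-only hop: ", survives(SAMPLE, False))
    print("7-bit signed, 7-bit-only hop: ", survives(to_7bit(SAMPLE), False))
```
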