On 21/10/2024 20:16, Florian Effenberger via mailop wrote:
Hello everyone,

let me thank you again for helping me out with this issue, I am really glad to see so much discussion and support here!

Now things seem to fall into place indeed. Both Mimecast as well as aboutmy.email do not announce 8BITMIME, while other sites for testing like dmarctester or dkimvalidator support it. I just checked that for all these MX.

That seems to explain why the signature works correctly for nearly everywhere, except for these two sites (and I actually appreciate aboutmy.email's settings, because that helped to identify the problem!). Exactly as Alexander described.

I was briefly confused with SMTPUTF8, but the issue is actually 8BITMIME.

On another host I have access to (but did not set up myself) with amavis I do not have that problem, so it seems the message gets converted before signing, whereas in my setup with rspamd it does not.

D'oh...

I'll try to look for a solution now. What Jaroslaw proposed seems to be an option, alternatively a newer Postfix version that supports force_mime_input_conversion. Happy to hear about other solutions if people have something in mind, of course. ;)

In fact, Rspamd itself could do that downgrade, meaning setting CTE to 7bit and recoding all relevant parts to qp/base64 (depending on their content) before DKIM signing. It is all perfectly doable with the existing Rspamd Lua API I suppose. Of course, Milter connector also allows full body rewrite as well as specific headers rewrite. It just requires some manual coding.

Some clients can also be 'fixed' to use 7bit only: https://support.mozilla.org/en-US/questions/1272196

In general, it is the never-ending issue of the middleboxes in the Internet. You can't simply assume that all peers on your way support even 30+ year old standards. Introducing something that breaks E2E compatibility (a good example of such a thing is clearly SMTPUTF8) has always been risky in terms of deliverability.

The least common denominator is just to use 7 bit and refrain from using any sort of IDN names.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
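
The downgrade described in the reply above (relabel the message as 7bit and recode 8bit parts to qp/base64 before DKIM signing), sketched with the Python standard library as an added example; it is not Rspamd Lua code and not code from this thread. The function names, the 25% threshold for choosing qp over base64, and the sample message are constructed for illustration.

```python
import base64
import quopri
from email import message_from_bytes

# Constructed sample: two 8bit text parts, as a client would submit them.
SAMPLE = (
    "From: a@example.org\nTo: b@example.net\nSubject: test\nMIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=XX\n"
    "Content-Transfer-Encoding: 8bit\n\n"
    "--XX\nContent-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: 8bit\n\nViele Grüße aus Berlin\n"
    "--XX\nContent-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: 8bit\n\nПривет\n"
    "--XX--\n"
).encode("utf-8")


def needs_8bitmime(raw: bytes) -> bool:
    """True if any octet has the high bit set (message is not 7bit-clean)."""
    return any(b > 0x7F for b in raw)


def downgrade_to_7bit(raw: bytes) -> bytes:
    """Recode every 8bit/binary leaf part so the result is pure 7bit."""
    msg = message_from_bytes(raw)  # default compat32 policy keeps raw octets
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte not in ("8bit", "binary"):
            continue  # already 7bit, quoted-printable or base64
        if part.is_multipart():
            # Containers carry no content of their own; only relabel them.
            part.replace_header("Content-Transfer-Encoding", "7bit")
            continue
        body = part.get_payload(decode=True)
        del part["Content-Transfer-Encoding"]
        high = sum(b > 0x7F for b in body)
        # Assumed heuristic: mostly-ASCII text stays readable as qp,
        # everything else is encoded as base64.
        if part.get_content_maintype() == "text" and high * 4 < len(body):
            part.set_payload(quopri.encodestring(body))
            part["Content-Transfer-Encoding"] = "quoted-printable"
        else:
            part.set_payload(base64.encodebytes(body))
            part["Content-Transfer-Encoding"] = "base64"
    return msg.as_bytes()  # sign this output, not the original


if __name__ == "__main__":
    out = downgrade_to_7bit(SAMPLE)
    print(needs_8bitmime(SAMPLE), needs_8bitmime(out))
    print(out.decode("ascii"))
```

Parts that contain 8-bit octets without declaring an 8bit or binary CTE, and header fields with raw non-ASCII, are left untouched by this sketch.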
