Hello Martijn,

RFC6376 recommends converting the messages to 7bit before signing, but
does not require it.

Moreover, I want to run a host with aliases, where alias-owners get
emails, that are forwarded to some other hosts, and are accepted, when
the original is sent in 8bit, the original sender imposed p=reject;
DMARC policy, and the final host accepts 8bit.  Clearly, when the email
is sent 8bit and with reject DMARC there is no universal way to
operate, except possibly doing SRS.

My aim is to address the MTA-implementation concerns in a single file,
that is considered when OpenDKIM is installed on a system.  Reading
that file people should know how best to configure the MTA to get
<dkim>pass</dkim> in the DKIM aggregate reports, providing that the
other intermediate hosts also do their best not to modify the message.
If there is anything useful related to Postfix in this regard, please
try to include it.  If there are controversial approaches, that need to
be weighted by the site administrator (like 7bit/8bit, quoting of dot
in display-part of from headers, that were not quoted), also mention
them.

As I said, with sendmail it took me really a lot of time to figure out
how to get the best results in the DMARC aggregate reports, e.g.
figuring out that the implicit quoting breaks signatures, but also many
other things took a lot of time, like concurrency problems within
OpenDKIM, that are not addressed here further.  In the end doing robust
DKIM signing shall be easy and the users shall not have to delve into
the options themselves to find out why the aggregate reports are
suboptimal.

Greetings
  Dilian

On Sun, 2018-05-20 at 21:30 +0200, martijn.list wrote:
> On 20-05-18 21:18, Dilyan Palauzov wrote:
> > Hello Wietse,
> > 
> > thanks for your fast and detailed answer.
> > 
> > Accepting 8-bit dkim signed email and forwarding it to a 7-bit-only
> > host inevitably leads to breaking the DKIM signatures.  I am talking
> > primarily about emails which are received from the world over SMTP,
> > and are forwarded, ideally unchanged, over SMTP to some other
> > provider.  In this case doing the signing after converting to 7-bit
> > is not an option, as the emails arrive signed and the idea is not to
> > break the signature.  As there is nothing that can be done if a
> > provider sends 8-bit mails for a domain with DMARC p=reject; policy
> > to sites accepting only 7-bit emails, I wouldn't concern myself
> > further with this case.
> > 
> > Remote MTAs that do conversions and break signatures are out of my
> > control, therefore I am not concerned about them.  I can only
> > suggest putting text in a file, that is supposed to be read by
> > DKIM-deployers.
> > 
> > Can Postfix know, when it signs a message over DKIM, whether the
> > host to which the message will be forwarded is 8bit capable and,
> > only if this is not the case, transfer the email to 7bit before
> > signing it?
> 
> You might know whether the first host supports 8bit but not the host
> after that.
> 
> DKIM requires that 8bit email is converted to 7bit before signing.
> 
> http://dkim.org/specs/rfc4871-dkimbase.html
> 
> "5.3 Normalize the Message to Prevent Transport Conversions
> 
> Some messages, particularly those using 8-bit characters, are subject
> to modification during transit, notably conversion to 7-bit form. Such
> conversions will break DKIM signatures. In order to minimize the
> chances of such breakage, signers SHOULD convert the message to a
> suitable MIME content transfer encoding such as quoted-printable or
> base64 as described in MIME Part One [RFC2045] before signing."
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> 

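The mechanics behind the quoted section 5.3 can be shown concretely. The following is an added example, not code from this thread, from Postfix or from OpenDKIM: it computes the DKIM body hash (the bh= tag, here with "simple" body canonicalization and SHA-256 as in RFC 6376) over an 8-bit body, passes the body through a constructed model of a 7-bit-only relay that re-encodes 8-bit content as quoted-printable, and checks whether the hash still matches. The names seven_bit_gateway, prepare_for_signing and survives_transport are assumptions of this example, and the sample body is constructed.

```python
"""Added example: why signing an 8-bit body is fragile, and why RFC 6376
section 5.3 says signers SHOULD convert to quoted-printable or base64
before signing.  The 7-bit relay below is a constructed model of the
behaviour described in the thread, not any particular MTA."""
import base64
import hashlib
import quopri


def canonicalize_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalization: CRLF line
    endings, trailing empty lines removed, exactly one CRLF at the end."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def seven_bit_gateway(body: bytes) -> bytes:
    """Constructed model of a 7-bit-only relay (assumption): a body that
    contains any octet >= 0x80 is re-encoded as quoted-printable, while a
    body that is already 7-bit passes through untouched.  A real relay
    also rewrites the Content-Transfer-Encoding header, which breaks a
    signature that covers that header as well."""
    if any(b >= 0x80 for b in body):
        return quopri.encodestring(body)
    return body


def prepare_for_signing(body: bytes) -> bytes:
    """What RFC 6376 section 5.3 recommends the signer do: make the body
    7-bit (quoted-printable here) so no downstream conversion is needed."""
    return quopri.encodestring(body)


def survives_transport(body: bytes) -> bool:
    """True if the bh= computed at signing time still matches after the
    body has crossed the 7-bit relay."""
    return body_hash(body) == body_hash(seven_bit_gateway(body))


# Constructed sample: an 8-bit (UTF-8) body with LF line endings, as it
# would arrive over an 8BITMIME session.
EIGHT_BIT_BODY = "Grüße aus Zürich,\nmail admin\n".encode("utf-8")


if __name__ == "__main__":
    print("signed 8-bit as-is, survives 7-bit hop:",
          survives_transport(EIGHT_BIT_BODY))
    print("converted to QP before signing, survives 7-bit hop:",
          survives_transport(prepare_for_signing(EIGHT_BIT_BODY)))
```

Signing the 8-bit body as-is yields a body hash that no longer matches once the relay re-encodes it, whereas a body the signer already converted to quoted-printable contains no 8-bit octets, so the relay has nothing to convert and the hash is preserved. This is exactly the trade-off the thread discusses: for mail the site originates, converting before signing is cheap insurance; for mail that arrives already signed in 8-bit from a p=reject domain, the conversion is not an option, and the signature will break on any 7-bit hop.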