[pfx] Re: something like "enforce_mime_output_conversion"
On Mon, Sep 04, 2023 at 05:08:15PM -0400, Wietse Venema via Postfix-users wrote:

> Viktor Dukhovni via Postfix-users:
> > On Mon, Sep 04, 2023 at 12:18:38PM -0400, Viktor Dukhovni via Postfix-users
> > wrote:
> >
> > > It is best to enable this for outbound mail only, i.e. messages that
> > > arrive on the submission ports or through local submission via
> > > sendmail(1)->postdrop(1)->pickup(8). That way, inbound 8bit mail will
> > > not fail DKIM signature checks.
> > >
> > > One way to do that is to tweak the master.cf file to match the below:
> > >
> > > $ postconf -P '*/inet/enforce_mime_input_conversion'
> > > smtps/inet/enforce_mime_input_conversion = yes
> > > submission/inet/enforce_mime_input_conversion = yes
> > >
> > > $ postconf -Mf pickup/unix cleanups/unix
> > > pickup     unix  n       -       n       60      1       pickup
> > >     -o cleanup_service_name=cleanups
> > > cleanups   unix  n       -       n       -       0       cleanup
> > >     -o enforce_mime_input_conversion=yes
> > >
> > > [ Your service name for wrapper-mode SMTP on port 465 may be
> > > "submissions" or just "465", ... The "cleanups" service entry
> > > is a clone of the "cleanup" entry with a tweak. ]
> >
> > Note, this was with the 3.9-20230901 snapshot, the "en" in "enforce_..."
> > was dropped in 3.9-20230903.
>
> I agree that the manpage text is not yet complete, and that this
> feature needs a good example.

And, I must admit to not thinking through my example config. The
submission settings are not effective, because smtpd(8) does not
implement this feature; like pickup(8), these also would have needed
a "-o cleanup_service_name" override.

Wietse's "converse" example (with input MIME conversion on by default)
is simpler. All the more reason to consider multiple instances or,
at scale, separate MTAs.

I do wonder however whether DKIM signing of bounces is always a good
idea. Some of the bounced messages will include remote content that
may be spam, and one might not want to tarnish one's own domain's
reputation by signing it.

A cautious configuration might be to bounce only the message headers
by setting "bounce_size_limit = 1" on inbound MTAs. For outbound
MTAs, full content bounces are friendlier to users who might not
have retained a copy of the sent message. Such courtesies are less
compelling for bounces to remote senders.

--
    Viktor.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: something like "enforce_mime_output_conversion"
Viktor Dukhovni via Postfix-users:
> On Mon, Sep 04, 2023 at 12:18:38PM -0400, Viktor Dukhovni via Postfix-users
> wrote:
>
> > It is best to enable this for outbound mail only, i.e. messages that
> > arrive on the submission ports or through local submission via
> > sendmail(1)->postdrop(1)->pickup(8). That way, inbound 8bit mail will
> > not fail DKIM signature checks.
> >
> > One way to do that is to tweak the master.cf file to match the below:
> >
> > $ postconf -P '*/inet/enforce_mime_input_conversion'
> > smtps/inet/enforce_mime_input_conversion = yes
> > submission/inet/enforce_mime_input_conversion = yes
> >
> > $ postconf -Mf pickup/unix cleanups/unix
> > pickup     unix  n       -       n       60      1       pickup
> >     -o cleanup_service_name=cleanups
> > cleanups   unix  n       -       n       -       0       cleanup
> >     -o enforce_mime_input_conversion=yes
> >
> > [ Your service name for wrapper-mode SMTP on port 465 may be
> > "submissions" or just "465", ... The "cleanups" service entry
> > is a clone of the "cleanup" entry with a tweak. ]
>
> Note, this was with the 3.9-20230901 snapshot, the "en" in "enforce_..."
> was dropped in 3.9-20230903.

I agree that the manpage text is not yet complete, and that this
feature needs a good example.

In the case of a single-purpose MTA that sends messages only, I
would argue to have "force_mime_input_conversion = yes" in main.cf.

It gets more complicated with a mixed-purpose MTA that also receives
messages from remote domains. That MTA should sign locally-generated
delivery status notification messages because they may need to be
delivered to remote senders; these messages are generated by the
bounce, trace, etc., services.

If I am not mistaken, the example in the quoted text above would end
up having a half-dozen "-o cleanup_service" overrides in master.cf
for the pickup, submission, and submissions services, and for the
services that generate delivery status notifications.

Instead of a half-dozen "-o cleanup_service" overrides, it may be
simpler to have "force_mime_input_conversion = yes" in main.cf and
to configure only the port 25 service for remote clients to use a
cleanup service with "-o { force_mime_input_conversion = no }".

Thus:

/etc/postfix/main.cf:
    force_mime_input_conversion = yes

/etc/postfix/master.cf:
    submission inet n - n - - smtpd
        ...the usual smtpd_xxx = mua_xxx overrides...
    submissions inet n - n - - smtpd
        ...the usual smtpd_xxx = mua_xxx overrides...
    smtp inet n - n - - smtpd
        -o { cleanup_service_name = cleanup-remote }
    cleanup-remote unix n - n - 0 cleanup
        -o { force_mime_input_conversion = no }

It gets messier when that MTA also provides "forwarding" service for
internal MTAs. In that case one might have to use a smtpd service
instance on a dedicated interface address for those internal MTAs.

    10.0.0.2:smtp inet n - n - - smtpd

I hope we can clean this up further and improve the documentation.

        Wietse
[pfx] Re: something like "enforce_mime_output_conversion"
On Mon, Sep 04, 2023 at 12:18:38PM -0400, Viktor Dukhovni via Postfix-users wrote:

> It is best to enable this for outbound mail only, i.e. messages that
> arrive on the submission ports or through local submission via
> sendmail(1)->postdrop(1)->pickup(8). That way, inbound 8bit mail will
> not fail DKIM signature checks.
>
> One way to do that is to tweak the master.cf file to match the below:
>
> $ postconf -P '*/inet/enforce_mime_input_conversion'
> smtps/inet/enforce_mime_input_conversion = yes
> submission/inet/enforce_mime_input_conversion = yes
>
> $ postconf -Mf pickup/unix cleanups/unix
> pickup     unix  n       -       n       60      1       pickup
>     -o cleanup_service_name=cleanups
> cleanups   unix  n       -       n       -       0       cleanup
>     -o enforce_mime_input_conversion=yes
>
> [ Your service name for wrapper-mode SMTP on port 465 may be
> "submissions" or just "465", ... The "cleanups" service entry
> is a clone of the "cleanup" entry with a tweak. ]

Note, this was with the 3.9-20230901 snapshot, the "en" in "enforce_..."
was dropped in 3.9-20230903.

--
    Viktor.
[pfx] Re: something like "enforce_mime_output_conversion"
On Mon, Sep 04, 2023 at 11:43:06AM -0400, Wietse Venema via Postfix-users wrote:

> This is now included with the Postfix 3.9 development release (i.e.
> it will be part of the Postfix 3.9 stable release early 2024). I
> changed the name for clarity, and the updated manpage text is below.
>
>         Wietse
>
> https://www.postfix.org/postconf.5.html#force_mime_input_conversion

It is best to enable this for outbound mail only, i.e. messages that
arrive on the submission ports or through local submission via
sendmail(1)->postdrop(1)->pickup(8). That way, inbound 8bit mail will
not fail DKIM signature checks.

One way to do that is to tweak the master.cf file to match the below:

    $ postconf -P '*/inet/enforce_mime_input_conversion'
    smtps/inet/enforce_mime_input_conversion = yes
    submission/inet/enforce_mime_input_conversion = yes

    $ postconf -Mf pickup/unix cleanups/unix
    pickup     unix  n       -       n       60      1       pickup
        -o cleanup_service_name=cleanups
    cleanups   unix  n       -       n       -       0       cleanup
        -o enforce_mime_input_conversion=yes

[ Your service name for wrapper-mode SMTP on port 465 may be
"submissions" or just "465", ... The "cleanups" service entry
is a clone of the "cleanup" entry with a tweak. ]

If you have a dedicated submission server, or a separate Postfix
instance for submission, then there's no need for such master.cf
tweaks.

--
    Viktor.
[pfx] Re: something like "enforce_mime_output_conversion"
Tinne11:
> Is there some parameter which could have been named
> enforce_mime_output_conversion in analogy to disable_mime_output_conversion
> or some other way to configure this?

Wietse Venema:
> Presently, MIME downgrade is an after-queue feature (i.e. after
> mail is queued), implemented only in the SMTP delivery agent.
>
> On the other hand, DKIM signing must be a before-queue feature (i.e.
...
> Therefore, downgrade-before-signing would also have to be made
> available as a before-queue feature.
...
> Turns out that this required very little code (basically one boolean
> configuration parameter that controls a bitfield flag that is input
> to the Postfix MIME processor). Preliminary manpage text is below.

This is now included with the Postfix 3.9 development release (i.e.
it will be part of the Postfix 3.9 stable release early 2024). I
changed the name for clarity, and the updated manpage text is below.

        Wietse

https://www.postfix.org/postconf.5.html#force_mime_input_conversion

force_mime_input_conversion (default: no)
    Convert body content that claims to be 8-bit into quoted-printable,
    before header_checks, body_checks, Milters, and before after-queue
    content filters. This feature does not affect messages that are
    sent into smtpd_proxy_filter.

    The typical use case is an MTA that applies this conversion before
    signing outbound messages, so that the signatures will remain valid
    when a message is later delivered to an MTA that does not announce
    8BITMIME support, or when a message line exceeds the SMTP length
    limit.

    This feature is available in Postfix >= 3.9.
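The manpage text above describes converting 8-bit bodies before the signing Milter sees them. As an added example (not code from this thread or from Postfix), the Python below models why that ordering matters: it computes a DKIM "simple" body hash over a constructed 8-bit body, then applies the quoted-printable downgrade that a relay performs for a next hop without 8BITMIME, once after signing and once before. The sample body, the downgrade model and all function names are assumptions of the example.

```python
import base64
import hashlib
import quopri

# Constructed sample (not from the thread): non-ASCII text that an MUA submits
# as Content-Transfer-Encoding: 8bit, plus one line over the 998-octet SMTP limit.
BODY_8BIT = ("Grüße aus Köln, the café is open.\r\n" + "A" * 1200 + "\r\n"
             + "Constructed sample body.\r\n").encode("utf-8")

def dkim_body_hash(body: bytes) -> str:
    """bh= with DKIM 'simple' body canonicalization (RFC 6376 3.4.3): strip
    trailing empty lines, make sure the body ends in CRLF, then SHA-256."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def to_quoted_printable(body: bytes) -> bytes:
    """8bit -> quoted-printable: octets > 126 become =XX, lines soft-wrap at 76."""
    return quopri.encodestring(body)

def downgrade_if_needed(cte: str, body: bytes) -> tuple[str, bytes]:
    """What a relay does when the next hop does not announce 8BITMIME: an 8bit
    body is re-encoded on the fly, a 7bit-clean body is forwarded untouched."""
    if cte.lower() == "8bit":
        return "quoted-printable", to_quoted_printable(body)
    return cte, body

def signature_survives(convert_before_signing: bool) -> bool:
    """Does the bh= computed at signing time still match after the downgrade hop?
    convert_before_signing=True models force_mime_input_conversion = yes."""
    cte, body = "8bit", BODY_8BIT
    if convert_before_signing:                     # before-queue, before the Milter
        cte, body = "quoted-printable", to_quoted_printable(body)
    bh_signed = dkim_body_hash(body)               # DKIM Milter signs what it sees
    _, delivered = downgrade_if_needed(cte, body)  # after-queue, in smtp(8)
    return dkim_body_hash(delivered) == bh_signed  # what the remote verifier checks

def max_line_length(body: bytes) -> int:
    return max(len(line) for line in body.split(b"\r\n"))

def roundtrips(body: bytes) -> bool:
    """The conversion is lossless: decoding the QP form gives back the octets."""
    return quopri.decodestring(to_quoted_printable(body)) == body
```

The same conversion also brings the 1200-octet line under the 76-column quoted-printable limit, which is the second case the manpage text mentions.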
[pfx] Re: something like "enforce_mime_output_conversion"
> This feature is available in Postfix >= 3.9.

Great! And thanks a lot, Wietse and Viktor, for all the advice that
helps right now.

Cheers
Stephan
[pfx] Re: something like "enforce_mime_output_conversion"
On Tue, Jul 18, 2023 at 06:37:08PM -0400, Wietse Venema via Postfix-users wrote:

> Turns out that this required very little code (basically one boolean
> configuration parameter that controls a bitfield flag that is input
> to the Postfix MIME processor). Preliminary manpage text is below.

Cool! Nice to have an existing streaming MIME parser available at the
record stream layer. Works both when reading the queue file from disk
on delivery, and when reading it from a socket at the smtpd->cleanup
boundary. Congratulations on a design that stands the test of time.

--
    Viktor.
[pfx] Re: something like "enforce_mime_output_conversion"
Wietse Venema via Postfix-users:
> Tinne11 via Postfix-users:
> > Is there some parameter which could have been named
> > enforce_mime_output_conversion in analogy to disable_mime_output_conversion
> > or some other way to configure this?
>
> It would avoid the need for (null) content filters that I discuss
> in my other response. However this is not as simple as it might
> appear to be.
>
> Presently, MIME downgrade is an after-queue feature (i.e. after
> mail is queued), implemented only in the SMTP delivery agent.
>
> On the other hand, DKIM signing must be a before-queue feature (i.e.
> before mail is queued) because the Postfix Milter implementation
> requires that Milters can make changes to queue files. Delivery
> agents must not do such things.
>
> Therefore, downgrade-before-signing would also have to be made
> available as a before-queue feature. Unfortunately I don't have the
> time for doing that.

Turns out that this required very little code (basically one boolean
configuration parameter that controls a bitfield flag that is input
to the Postfix MIME processor). Preliminary manpage text is below.

        Wietse

enforce_mime_input_conversion (default: no)
    Convert content that claims to be 8-bit into quoted-printable, and
    update the corresponding Content-Transfer-Encoding: message headers.
    This conversion happens before header_checks, before body_checks,
    before storing a message in the mail queue, and before applying
    Milters.

    The typical use case is an MTA that signs outbound messages after
    the 8-bit to quoted-printable conversion, so that the signatures
    will remain valid when a message is handled by an MTA that does not
    announce 8BITMIME support.

    This feature is available in Postfix >= 3.9.
[pfx] Re: something like "enforce_mime_output_conversion"
On Tue, Jul 18, 2023 at 11:29:20AM -0400, Wietse Venema via Postfix-users wrote:

> This can work with the 'advanced' example in FILTER_README:
>
> main.cf:
>     content_filter = smtp-7bit:127.0.0.1:10025
>
> master.cf:
>     smtp-7bit .. .. .. .. .. .. smtp
>         -o { smtp_discard_ehlo_keywords = 8BITMIME }
>
>     127.0.0.1:10025 .. .. .. .. .. .. smtpd
>         -o { content_filter= }
>
> And with multiple Postfix instances.

Right, and/or disable announcing "8BITMIME" on the server side. This
still needs to happen before DKIM signing, so can't be deferred to the
outbound delivery hop.

--
    Viktor.
[pfx] Re: something like "enforce_mime_output_conversion"
Tinne11 via Postfix-users:
> Is there some parameter which could have been named
> enforce_mime_output_conversion in analogy to disable_mime_output_conversion
> or some other way to configure this?

It would avoid the need for (null) content filters that I discuss
in my other response. However this is not as simple as it might
appear to be.

Presently, MIME downgrade is an after-queue feature (i.e. after
mail is queued), implemented only in the SMTP delivery agent.

On the other hand, DKIM signing must be a before-queue feature (i.e.
before mail is queued) because the Postfix Milter implementation
requires that Milters can make changes to queue files. Delivery
agents must not do such things.

Therefore, downgrade-before-signing would also have to be made
available as a before-queue feature. Unfortunately I don't have the
time for doing that.

        Wietse
[pfx] Re: something like "enforce_mime_output_conversion"
Viktor Dukhovni via Postfix-users:
> On Tue, Jul 18, 2023 at 01:43:46PM +0200, Tinne11 via Postfix-users wrote:
>
> > In order to follow this recommendation, a Postfix MSA (being part of a
> > system DKIM-signing outbound messages) needs to be configured to convert all
> > submitted 8-bit messages to 7-bit (base64 or Quoted-Printable). Is this
> > possible?
>
> Yes, but it requires a (possibly NOOP) content_filter delivery hop,
> or equivalently a multi-instance configuration with an input and output
> Postfix instance. If you force all incoming mail through an internal
> SMTP hop, you can do the 8bit -> 7bit downgrade during that delivery,
> and delay the DKIM signing until the output instance, which will
> always see 7bit input.

The downgrade can be forced by sending mail from Postfix using an SMTP
client that ignores the server's 8BITMIME announcement (with
"smtp_discard_ehlo_keywords = 8BITMIME").

This can work with the 'advanced' example in FILTER_README:

main.cf:
    content_filter = smtp-7bit:127.0.0.1:10025

master.cf:
    smtp-7bit .. .. .. .. .. .. smtp
        -o { smtp_discard_ehlo_keywords = 8BITMIME }

    127.0.0.1:10025 .. .. .. .. .. .. smtpd
        -o { content_filter= }

And with multiple Postfix instances.

        Wietse
[pfx] Re: something like "enforce_mime_output_conversion"
On Tue, Jul 18, 2023 at 01:43:46PM +0200, Tinne11 via Postfix-users wrote:

> In order to follow this recommendation, a Postfix MSA (being part of a
> system DKIM-signing outbound messages) needs to be configured to convert all
> submitted 8-bit messages to 7-bit (base64 or Quoted-Printable). Is this
> possible?

Yes, but it requires a (possibly NOOP) content_filter delivery hop,
or equivalently a multi-instance configuration with an input and output
Postfix instance. If you force all incoming mail through an internal
SMTP hop, you can do the 8bit -> 7bit downgrade during that delivery,
and delay the DKIM signing until the output instance, which will
always see 7bit input.

--
    Viktor.