Discussion:
wallace breaks dkim signature
Jan Kowalsky
2018-05-31 18:26:42 UTC
Hi all,

I have a problem with DKIM signatures and wallace. We use rspamd as a
milter, which can also DKIM-sign emails.

When I deactivate wallace in the submission (master.cf) the signatures
are valid (http://dkimvalidator.com/). If wallace is in between, it
fails. The reason seems to be that wallace formats everything as
quoted-printable if the email isn't already (e.g. not in Thunderbird
with German umlauts).

Is there any possibility to milter messages AFTER wallace?

Any experiences with this?

Best Regards
Jan
Skale, Franz
2018-06-01 06:44:23 UTC
Hi,
DKIM uses non-standard quoted-printable encoding!
See:
http://dkim.org/specs/rfc4871-dkimbase.html#dkim-qp
Wallace, of course, uses standard QP encoding and doesn't take care of
special cases, though it's a feature request.
Register at https://git.kolab.org and submit a task at
https://git.kolab.org/tag/pykolab/.

Rgds.
Franz
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Jan Kowalsky
2018-06-01 08:08:19 UTC
Hi Franz,

thanks for the answer,

Post by Skale, Franz
Hi,
DKIM uses non-standard quoted-printable encoding!
http://dkim.org/specs/rfc4871-dkimbase.html#dkim-qp

But as far as I understand, DKIM itself doesn't change the mail body at
all. The QP encoding, in my understanding, is only for calculating the hash.

Post by Skale, Franz
Wallace, of course, uses standard QP encoding and doesn't take care of
special cases, though it's a feature request.

But wallace alters the mail body itself. It changes everything to
quoted-printable and, if configured, adds a footer/header.

So DKIM signing, in my experience, is valid if the email is already
quoted-printable from the MUA. Roundcube is fine, Thunderbird by default
is not. But we do not have control over how users configure their
email programs, and 8bit email transfer isn't very uncommon any more.

The problem is that wallace alters mails after the DKIM milter is applied.
Even if the encoding is no problem, we run into trouble insofar as wallace
adds e.g. footers.

Regards
Jan
Skale, Franz
2018-06-01 09:17:27 UTC
Hi,
I see no mangling of the message body other than setting the default
locale to UTF-8 and then encoding it as quoted-printable. The header will be
parsed and changed (invitation etc.).
If the message contains HTML, it will be parsed too.
Since you didn't supply a debug example, I can only urge you to enable
wallace debugging.
Attention: since wallace has a problem when debugging is enabled, you
should start wallace manually in a screen/tmux session with
screen logging enabled!
Change /etc/default/wallace and enable debugging (extensively covered in
some older threads) or start it manually.
Be sure that your default locale on the server is utf-8!
Also, reordering of the content_filter directive might help.
In the future, supply config file snippets as well as debug messages.
Sure, it will help a lot.

Rgds.
Franz
Jan Kowalsky
2018-06-02 01:10:53 UTC
Hi Franz,

Post by Skale, Franz
Hi,
I see no mangling of the message body other than setting the default
locale to UTF-8 and then encoding it as quoted-printable. The header will be
parsed and changed (invitation etc.).

yes, that's it. It's changing the Content-Transfer-Encoding to
quoted-printable. If this is done after DKIM signing, it breaks the signature.

Post by Skale, Franz
If the message contains HTML, it will be parsed too.
Since you didn't supply a debug example, I can only urge you to enable
wallace debugging.

I can't see anything in the debug log - except that when smtplib is called
the data is already quoted-printable:


2018-06-02 01:25:54,004 pykolab.wallace INFO Accepted connection
2018-06-02 01:25:54,018 pykolab.wallace DEBUG [8771]: Resource
Management called for ('/var/spool/pykolab/wallace/tmpk9DNom',), {}
2018-06-02 01:25:54,019 pykolab.wallace DEBUG [8771]: Renaming
'/var/spool/pykolab/wallace/tmpk9DNom' to
'/var/spool/pykolab/wallace/resources/incoming/tmpk9DNom'
2018-06-02 01:25:54,020 pykolab.wallace DEBUG [8771]: Nachricht ist
keine iTip Nachricht (keine Multipart Nachricht)
2018-06-02 01:25:54,020 pykolab.wallace INFO Message is not an iTip
message or does not contain any (valid) iTip.
2018-06-02 01:25:54,020 pykolab.wallace DEBUG [8771]: No itips, no
resources, pass along
'/var/spool/pykolab/wallace/resources/incoming/tmpk9DNom'
2018-06-02 01:25:54,020 pykolab.wallace DEBUG [8771]: Invitation policy
called for ('/var/spool/pykolab/wallace/resources/incoming/tmpk9DNom',), {}
2018-06-02 01:25:54,021 pykolab.wallace DEBUG [8771]: Invitation policy
executing for '/var/spool/pykolab/wallace/resources/incoming/tmpk9DNom',
False
2018-06-02 01:25:54,021 pykolab.wallace DEBUG [8771]: Renaming
'/var/spool/pykolab/wallace/resources/incoming/tmpk9DNom' to
'/var/spool/pykolab/wallace/invitationpolicy/incoming/tmpk9DNom'
2018-06-02 01:25:54,021 pykolab.wallace DEBUG [8771]: Nachricht ist
keine iTip Nachricht (keine Multipart Nachricht)
2018-06-02 01:25:54,022 pykolab.wallace INFO Message is not an iTip
message or does not contain any (valid) iTip objects.
2018-06-02 01:25:54,022 pykolab.wallace DEBUG [8771]: No itips, no
users, pass along
'/var/spool/pykolab/wallace/invitationpolicy/incoming/tmpk9DNom'
2018-06-02 01:25:54,022 pykolab.wallace INFO Akzeptiere Nachricht in
/var/spool/pykolab/wallace/invitationpolicy/incoming/tmpk9DNom (durch
Modul wallace)
2018-06-02 01:25:54,022 pykolab.wallace DEBUG [8771]: Akzeptiere
Nachricht in:
'/var/spool/pykolab/wallace/invitationpolicy/incoming/tmpk9DNom'
2018-06-02 01:25:54,023 pykolab.wallace DEBUG [8771]: recipients:
['***@example.net']
send: 'ehlo mx0.example.net\r\n'
reply: '250-mx0.example.net\r\n'
reply: '250-PIPELINING\r\n'
reply: '250-SIZE 20480000\r\n'
reply: '250-VRFY\r\n'
reply: '250-ETRN\r\n'
reply: '250-STARTTLS\r\n'
reply: '250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\r\n'
reply: '250-ENHANCEDSTATUSCODES\r\n'
reply: '250-8BITMIME\r\n'
reply: '250 DSN\r\n'
reply: retcode (250); Msg: mx0.example.net
PIPELINING
SIZE 20480000
VRFY
ETRN
STARTTLS
XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT
ENHANCEDSTATUSCODES
8BITMIME
DSN
send: 'mail FROM:<***@example.net> size=1123\r\n'
reply: '250 2.1.0 Ok\r\n'
reply: retcode (250); Msg: 2.1.0 Ok
send: 'rcpt TO:<***@example.net>\r\n'
reply: '250 2.1.5 Ok\r\n'
reply: retcode (250); Msg: 2.1.5 Ok
send: 'data\r\n'
reply: '354 End data with <CR><LF>.<CR><LF>\r\n'
reply: retcode (354); Msg: End data with <CR><LF>.<CR><LF>
data: (354, 'End data with <CR><LF>.<CR><LF>')
send: 'Sender: ***@example.net\r\nDKIM-Signature: v=1;
a=rsa-sha256; c=relaxed/relaxed; d=example.net;\r\n s=dkim201805;
t=1527895386;\r\n
h=from:from:sender:sender:reply-to:subject:subject:date:date:\r\n
message-id:message-id:to:to:cc:mime-version:mime-version:\r\n
content-type:content-type:\r\n
content-transfer-encoding:content-transfer-encoding:in-reply-to:\r\n
references; bh=IYC/RDnaNtcM6arkuRe/LIW86LUe+V8zvrkFPp/dOoY=;\r\n
b=XjBEXPP/CfSc9RqxX6G+zVW0gorAevrouaSNdQXIx2GhJVvUvheJszeils1SKtRYV7h3oK\r\n
ricUH0upeecCDgQJPyGc90aY/JwsoLs2ZpANomt53fQxOJiSyIiuqGbRAyZgsddK0BoW77\r\n
+TpL2Xatf9c5u017mxvzAWJngXzD52hV7txlM/gKcGy3SZR48F74JNyGdIJX3qmMBe0dSo\r\n
oGj6g0YHN4nTdtvJ995J7eYYgofUJlUglOezF58rQV7n4Vh44pncZZ+vMDKNaQ2h9eKPw6\r\n
AcypUALlZvnssOWyuHRBzHqy7Aet2F9dH8sBvOAZCxcLnuOlC8kruqNAF34/WA==\r\nTo:
Test User <***@example.net>\r\nFrom: cu-test
<***@example.net>\r\nSubject: test encoding 2\r\nMessage-ID:
<7b2f68db-4e2a-1762-a223-***@example.net>\r\nDate: Sat, 2 Jun
2018 01:25:50 +0200\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;
charset=utf-8\r\nContent-Language: de-LU\r\nContent-Transfer-Encoding:
quoted-printable\r\n\r\ntest encoding2\r\n=C3=A4=C3=B6=C3=BC\r\n.\r\n'
reply: '250 2.0.0 Ok: queued as 09238B14\r\n'
reply: retcode (250); Msg: 2.0.0 Ok: queued as 09238B14
data: (250, '2.0.0 Ok: queued as 09238B14')
send: 'quit\r\n'
reply: '221 2.0.0 Bye\r\n'
reply: retcode (221); Msg: 2.0.0 Bye
2018-06-02 01:25:54,153 pykolab.wallace DEBUG [9175]: Worker process
PoolWorker-7 initializing

Post by Skale, Franz
Be sure that your default locale on the server is utf-8!

Yes, it is.

What I actually don't understand: where exactly is wallace changing the
encoding? I send email with 8bit encoding and utf-8.

This is my original mail:


Date: Sat, 2 Jun 2018 01:25:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Thunderbird/52.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: de-LU
Content-Transfer-Encoding: 8bit

test encoding2
äöü

(encoded in utf-8 - not quoted printable)

I found the function for converting in the footer and invitation
modules. But even if I disable these modules the encoding is still
changed. It's not if I disable wallace in postfix master.cf. I am wondering
if this is done by python smtplib.

My submission part of master.cf:

submission inet n - n - - smtpd
  -o cleanup_service_name=cleanup_submission
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_data_restrictions=$submission_data_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o content_filter=smtp-wallace:[127.0.0.1]:10026

Because I don't have amavis I call wallace directly in submission.

Milter is called in main.cf:

smtpd_milters = inet:mailpd.example.net:11332
non_smtpd_milters = inet:mailpd.example.net:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept


So the mailflow now is: the mail goes to pre-queue miltering and gets
DKIM-signed. After that there is the content filter set to wallace - which
alters the message and breaks the signature.

Post by Skale, Franz
Also, reordering of the content_filter directive might help.

It's not easy, because wallace is always a content filter - and the milter is
pre-queue (opendkim or rspamd doesn't matter).

What I tried: using rspamd as a content_filter, which is possible. So I
could pass mails from submission to wallace:

submission inet n - n - - smtpd
  -o cleanup_service_name=cleanup_submission
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_data_restrictions=$submission_data_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  # overwrite the default milter - we can't do that on submission, because we have first go to wallace
  -o smtpd_milters=
  -o content_filter=smtp-wallace:[127.0.0.1]:10026

And then in wallace:

# Listener to re-inject email from Wallace into Postfix
127.0.0.1:10027 inet n - n - 100 smtpd
  -o cleanup_service_name=cleanup_internal
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_milters=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o content_filter=smtp:[127.0.0.1]:2525

In the last line I call the rspamd content filter, which I define here:

# rspamd as content filter
127.0.0.1:2525 inet n - n - - smtpd
  -o syslog_name=postfix/content-filter
  -o mynetworks=127.0.0.0/8
  -o content_filter=
  -o smtpd_milters=${rspamd}
  -o smtpd_tls_security_level=none
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=${mynetworks}


Now everything works - but on smtp we have the mailflow:

-> rspamd as milter -> wallace -> rspamd as content_filter

I haven't got any idea how to either call the rspamd content filter in
case of submission but not of smtpd, or have one directive where both
content filters are called. As far as I understand there is no possibility
in postfix to add more than one content_filter without reinjection. But
even in this case there is still the problem of distinguishing between
smtpd and submission.

Regards
Jan
Skale, Franz
2018-06-02 07:08:21 UTC
Hi Jan,
rspamd must take care of the data, regardless of which encoding stream
is injected.
As I develop web services: you have to guess the encoding before
mangling the data stream.
With utf-8 you have the ability to call is_utf8, which tells you if
the utf8 (2 bytes) representation is either native or encoded.
Input has to be encoded and output decoded.
Regarding your problem, I think that rspamd doesn't check if the input
stream is already quoted-printable encoded.
I think you have to file a bug report.
Pykolab only sets the encoding for string handling, obviously the way to
go.
/usr/lib/python2.7/dist-packages/wallace/module_resources.py: charset.add_charset('utf-8', charset.SHORTEST, charset.QP)
/usr/lib/python2.7/dist-packages/wallace/module_resources.py: msg = MIMEText(utils.stripped_message(message_text), _charset='utf-8')
So, it's utf-8 encoded.
Ergo, rspamd has to decode the input stream (utf8_decode) when it's not
natively encoded.
The client sets the msg_content_type (Content-Type).
So, if the client uses wrong locales, then of course the string
representation is wrong.
rspamd has to take care of decoding the string according to the
Content-Type.
I think you have to file a bug report for rspamd.


Rgds.
Franz
Jan Kowalsky
2018-06-02 14:07:42 UTC
Hi Franz,

Post by Skale, Franz
Hi Jan,
rspamd must take care of the data, regardless of which encoding stream
is injected.

DKIM signing doesn't (and shouldn't) change anything in the body. If
it's utf-8 8bit it will be utf-8 8bit after signing.

The problem is (with or without milter) that wallace seems to always
change the transfer encoding to quoted-printable, which in theory is fine.
Mail clients don't always do this. Some send with utf-8 and 8bit transfer
encoding, which should be fine too.

As wallace comes into play after DKIM signing, the problem is that
wallace changes the transfer encoding to quoted-printable if the mail
has non-ASCII characters, even if the original message (before and after
signing) had transfer encoding 8bit.

This of course breaks the signature. There is nothing rspamd can take care of.
The utf-8 8bit is totally fine (and is the responsibility of the user
agent).

Post by Skale, Franz
As I develop web services: you have to guess the encoding before
mangling the data stream.
With utf-8 you have the ability to call is_utf8, which tells you if
the utf8 (2 bytes) representation is either native or encoded.
Input has to be encoded and output decoded.
Regarding your problem, I think that rspamd doesn't check if the input
stream is already quoted-printable encoded.

DKIM signing (with rspamd as milter) is done before the mail goes to
wallace.

Post by Skale, Franz
I think you have to file a bug report.

Yes, I'll do that. I'll try to understand how wallace gets data from smtpd -
but I didn't get it so far.

Post by Skale, Franz
Pykolab only sets the encoding for string handling, obviously the way to go.
/usr/lib/python2.7/dist-packages/wallace/module_resources.py: charset.add_charset('utf-8', charset.SHORTEST, charset.QP)
/usr/lib/python2.7/dist-packages/wallace/module_resources.py: msg = MIMEText(utils.stripped_message(message_text), _charset='utf-8')
So, it's utf-8 encoded.

But why is it still quoted-printable if I disable all wallace modules?
For me it looks like smtpd.py already gets the data in quoted-printable
no matter the original encoding.

in __init__.py

def process_message(self, peer, mailfrom, rcpttos, data):


If I print data to debug, it's already quoted-printable. But I didn't
find out where the data variable comes from. So I fail with further
debugging.

Post by Skale, Franz
Ergo, rspamd has to decode the input stream (utf8_decode) when it's not
natively encoded.
The client sets the msg_content_type (Content-Type).
So, if the client uses wrong locales, then of course the string
representation is wrong.
rspamd has to take care of decoding the string according to the
Content-Type.
I think you have to file a bug report for rspamd.

Well, everything is fine with the encoding. rspamd doesn't touch
anything regarding encoding or Content-Type. It just parses the email and
signs with DKIM.

For me it looks totally fine to send emails with utf8 and 8bit (not
quoted-printable) like some clients do. There is no need to change it
on the way.

My guess is that wallace in principle sets the transfer encoding to
quoted-printable as long as it's not transferable with 7bit. But I can't
find where it does so.

Regards
Jan
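
Added example (not part of the thread, and not code from pykolab, rspamd or either poster): the failure discussed above can be checked on any raw message by recomputing the DKIM body hash the way a verifier does and comparing it with the bh= tag, for instance on copies saved before and after the content filter. The sample message, the helper names, the selector and the placeholder b= value are constructed; only SHA-256 body hashes are handled and the l= tag is ignored.

```python
import base64
import hashlib
import quopri
import re


def split_message(raw):
    """Split a raw CRLF-terminated message into (header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def canon_body(body, algo):
    """DKIM body canonicalization (RFC 6376, sections 3.4.3 and 3.4.4)."""
    lines = body.split(b"\r\n")
    if algo == "relaxed":
        # Collapse whitespace runs, then drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    out = b"".join(l + b"\r\n" for l in lines)
    # 'simple' turns an empty body into one CRLF, 'relaxed' keeps it empty.
    return out if (out or algo == "relaxed") else b"\r\n"


def body_hash(body, algo="relaxed"):
    """Base64 SHA-256 of the canonicalized body, as stored in bh=."""
    digest = hashlib.sha256(canon_body(body, algo)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_tags(raw):
    """Return the tag=value pairs of the first DKIM-Signature header."""
    head, _ = split_message(raw)
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            tags = {}
            for item in value.decode("ascii").split(";"):
                key, sep, val = item.partition("=")
                if sep:
                    tags[key.strip()] = "".join(val.split())
            return tags
    return None


def body_hash_matches(raw):
    """True if the body still hashes to the bh= value in the signature."""
    tags = dkim_tags(raw)
    if not tags or "bh" not in tags:
        raise ValueError("no DKIM-Signature with a bh= tag found")
    # c= is header/body; a missing body part means 'simple'.
    algo = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    _, body = split_message(raw)
    return body_hash(body, algo) == tags["bh"]


def to_quoted_printable(body):
    """Re-encode a short CRLF body line by line as quoted-printable."""
    return b"\r\n".join(quopri.encodestring(l) for l in body.split(b"\r\n"))


def build_message(bh, cte, body):
    """Constructed sample message; b= is a placeholder and is not checked."""
    head = [
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;",
        b" s=sel; h=from:subject:content-transfer-encoding;",
        b" bh=" + bh.encode("ascii") + b"; b=PLACEHOLDER",
        b"From: cu-test <user@example.net>",
        b"Subject: test encoding 2",
        b"MIME-Version: 1.0",
        b"Content-Type: text/plain; charset=utf-8",
        b"Content-Transfer-Encoding: " + cte,
    ]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


# Constructed 8bit body with the three umlauts used in the thread.
BODY_8BIT = "test encoding2\r\n\u00e4\u00f6\u00fc\r\n".encode("utf-8")


def demo():
    bh = body_hash(BODY_8BIT)              # what the signer saw
    signed = build_message(bh, b"8bit", BODY_8BIT)
    reencoded = build_message(bh, b"quoted-printable",
                              to_quoted_printable(BODY_8BIT))
    with_footer = build_message(bh, b"8bit", BODY_8BIT + b"-- \r\nfooter\r\n")
    return {
        "as signed": body_hash_matches(signed),
        "re-encoded as QP": body_hash_matches(reencoded),
        "footer appended": body_hash_matches(with_footer),
    }


if __name__ == "__main__":
    for stage, ok in demo().items():
        print(f"{stage:18} body hash {'matches' if ok else 'MISMATCH'}")
```

Relaxed canonicalization only normalizes whitespace and trailing empty lines, so it does not absorb a transfer-encoding change or an appended footer.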
yes. it is.
What I actually don't understand: Where exactly wallace is changing the
encoding? I send email with 8bit encoding and utf-8.
Date: Sat, 2 Jun 2018 01:25:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: de-LU
Content-Transfer-Encoding: 8bit
test encoding2
äöü
(encoded in utf-8 - not quoted printable)
I found the function for converting in the footer and invitation
modules. But even if I disable these modules the encoding still is
changed. It's not if I disable wallace in postfix master.cf. I'm wondering
if this is done by python smtplib.
submission          inet        n       -       n       -       -       smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
Because I don't have amavis I call wallace directly in submission.
smtpd_milters = inet:mailpd.example.net:11332
non_smtpd_milters = inet:mailpd.example.net:11332
milter_protocol = 6
milter_mail_macros =  i {mail_addr} {client_addr} {client_name}
    {auth_authen}
milter_default_action = accept
So the mailflow now is: going to prequeue-miltering and signs dkim.
After that there is the content filter set to wallace - which alters
the message and breaks signature.
Post by Skale, Franz
Also, reordering of the content_filter directive might help.
It's not easy, because wallace always is content filter - and milter is
prequeue (opendkim or rspamd doesn't matter).
What I tried: using rspamd as a content_filter which is possible. So I
submission          inet        n       -       n       -       -       smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    # overwrite the default milter - we can't do that on submission,
    # because we first have to go to wallace
    -o smtpd_milters=
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
# Listener to re-inject email from Wallace into Postfix
127.0.0.1:10027     inet        n       -       n       -       100     smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_milters=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o content_filter=smtp:[127.0.0.1]:2525
# rspamd as content filter
127.0.0.1:2525 inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/content-filter
    -o mynetworks=127.0.0.0/8
    -o content_filter=
    -o smtpd_milters=${rspamd}
    -o smtpd_tls_security_level=none
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_authorized_xforward_hosts=${mynetworks}
  -> rspamd as milter -> wallace -> rspamd as content_filter
I haven't got any idea how to either call rspamd content filter in
case of submission but not of smtpd. Or have one directive where both
content filters are called. As far as I understand there is no possibility
in postfix to add more than one content_filter without reinjection. But
even in this case - still the problem to distinguish between smtpd and
submission.
Regards
Jan
Skale, Franz
2018-06-02 15:30:56 UTC
Hi Jan,
It doesn't matter if the milter doesn't change the message or not.
It has to take care of the encoding to represent the OS the right
internal character set.
It use spamassassin as well as other content filters.
Of course they receive the whole body but only mangle the header.
Nevertheless, the forwarded bytestream must have the right, internal
character encoding.
Simple testmail q.e.d: (as stated in the mime encoding guidelines !)

Mail from my perl MUA: (snipped):
X-Virus-Scanned: Debian amavisd-new at
Sender: ***@example.com
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Date: Sat, 02 Jun 2018 16:23:07 +0200
From: test <***@example.com>
To: ***@gmail.com
Subject: test
Message-ID: <***@example.com>
X-Sender: ***@example.com
Content-Transfer-Encoding: quoted-printable

=C2=B5=E2=88=9E=E2=88=9E=C5=93=C5=93@=E2=88=86=E2=88=86=E2=88=86=CF=80=CF=
=80}=E2=89=A0}}{||=C2=BA=C2=AA=C2=A9=C6=92=C2=A9=E2=88=AB=E2=88=AB=C5=93=C3=
=A6=C3=A6=C3=A4=C3=A4=C3=BC=

Outputting the (sending to another stream, of course, it has to be
decoded).
perl -E 'use utf8; use MIME::QuotedPrint "encode_qp"; use Mojo::Util
"encode"; printf("%s\n", encode_qp(encode("UTF-8",
"µ∞∞œœ@∆∆∆ππ}≠}}{||ºª©ƒ©∫∫œææääü")));'
=C2=B5=E2=88=9E=E2=88=9E=C5=93=C5=93@=E2=88=86=E2=88=86=E2=88=86=CF=80=CF=
=80}=E2=89=A0}}{||=C2=BA=C2=AA=C2=A9=C6=92=C2=A9=E2=88=AB=E2=88=AB=C5=93=C3=
=A6=C3=A6=C3=A4=C3=A4=C3=BC=

So the body was: µ∞∞œœ@∆∆∆ππ}≠}}{||ºª©ƒ©∫∫œææääü


The UTF-8 flow should now be clear !

My own MUA upgrades all streams using UTF-8 (utf8::upgrade).

Rgds.
Franz
Jan Kowalsky
2018-06-02 21:37:52 UTC
Hi Franz,

sorry, anyhow I don't get it.
Post by Skale, Franz
Hi Jan,
It doesn't matter if the milter doesn't change the message or not.
It has to take care of the encoding to represent the OS the right
internal character set.
I think, there is nothing wrong about character set. What should be wrong
on utf-8 with 8bit transfer encoding?

My mua (e.g. thunderbird) sends email with utf-8 and 8bit encoding - as
far as I set it to convert it to quoted printable.

Without wallace in line I receive the testmail:

----------------- Mail Start ----------------------------
Return-Path: <***@example.org>
Received: from mx0.datenkollektiv.net ([10.0.2.1])
by mail.datenkollektiv.net (Cyrus
git2.5+0-Debian-2.5~dev2015021301-0~kolab1) with LMTPA;
Sat, 02 Jun 2018 23:23:34 +0200
X-Sieve: CMU Sieve 2.4
Sender: ***@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
s=dkim201805;
t=1527974414; h=from:from:sender:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:in-reply-to:
references; bh=2daQtWGer16oLmYYJEl3J5smXKBAQ8azeMPtCJyWnZE=;
b=Xu32ZwKclJcIRu2zhRLic1Lh8p4284Tj4XfoTJuKgJ6yyHenGJ+5AS5n9ujn7bjB8QAP+d
GOe7To7REh4QPxMwV8fpSLVLJUu/4QvXTem/36nqfY/CsNrqEZEzu4XRMKIkjwcabmCkVx
ATNkoOB7aGOF1UKYgP3xhMYScTv9QjPiyJ0BCtfUuNUmeof6xLHTUt9kC1qIUwurs5joEj
Om/Q0PlQYFPw0U3HVypEssWh8L0iMtZa2t95BDo8xXL7wNMLeKKOjXT0iC/6PYuqhe8W+X
43ngV378Ho1rHYutdLh+4AVG8B8C3bPrPIFoJJsmpUR8xJf9rLJKYkMh09Nrmw==
From: Test User <***@example.org>
Subject: testmail
To: ***@example.org
Message-ID: <ae50f44e-8b63-a2f2-90b3-***@example.org>
Date: Sat, 2 Jun 2018 23:23:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit

text with non-ascii characters: äöü
----------------- Mail End ----------------------------

Turning on Wallace:

----------------- Mail Start ----------------------------
Return-Path: <***@example.org>
Received: from mx0.datenkollektiv.net ([10.0.2.1])
by mail.datenkollektiv.net (Cyrus
git2.5+0-Debian-2.5~dev2015021301-0~kolab1) with LMTPA;
Sat, 02 Jun 2018 23:17:45 +0200
X-Sieve: CMU Sieve 2.4
Sender: ***@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
s=dkim201805;
t=1527974067; h=from:from:sender:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:in-reply-to:
references; bh=2daQtWGer16oLmYYJEl3J5smXKBAQ8azeMPtCJyWnZE=;
b=on6XeWbnA//yFxpJ/tNo8+d51PwEG90wJKuqsIAnywnsHj2YitYRQEmF77PkJvhiFsSQc4
NfLX5c1ZWn4QrYEasIP8DLlNcenrMlNWIGL798azFfzsnGgJigr1UaqvOhJjJXl6SKvdyn
a76+GBZt/nRIoWbpD814HJMyrys3SthIdaR8t06N9tGe6qdRNbDSazjrhs032/AKFsbk8V
gJ6iJHM1tsg+LK4GNtjV8KsldNcUChRgfIoC/oTGW1p1B8y3mSahCIL54mjKYpN9X6gbmG
kVp9wFH6Sc5z+Ywt/W985qZweapjApkXPb3SLUjDNw9vnk1Ld516wFYuFx4M7Q==
To: ***@example.org
From: Test User <***@example.org>
Subject: testmail
Message-ID: <bcfea1c4-3173-e082-6cd7-***@example.org>
Date: Sat, 2 Jun 2018 23:17:42 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

text with non-ascii characters: =C3=A4=C3=B6=C3=BC
----------------- Mail End ----------------------------

So of course the body was changed by wallace.
Post by Skale, Franz
It use spamassassin as well as other content filters.
Of course they receive the whole body but only mangle the header.
Nevertheless, the forwarded bytestream must have the right, internal
character encoding.
But actually it does in my case. There is no difference with or without
milter. The milter just adds signature as a header. Wallace does change
the transfer-encoding later changing any 8bit to quoted printable. Since
the signature is calculated about the whole mail body which is changed,
any signature added before is broken.

Without milter I have the same situation. First without wallace:

----------------- Mail Start ----------------------------
Return-Path: <***@example.org>
Received: from mx0.datenkollektiv.net ([10.0.2.1])
by mail.datenkollektiv.net (Cyrus
git2.5+0-Debian-2.5~dev2015021301-0~kolab1) with LMTPA;
Sat, 02 Jun 2018 23:28:31 +0200
X-Sieve: CMU Sieve 2.4
Sender: ***@example.org
From: Test User <***@example.org>
Subject: testmail
To: ***@example.org
Message-ID: <7bfc7832-8ef9-d476-99e1-***@example.org>
Date: Sat, 2 Jun 2018 23:28:30 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit

text with non-ascii characters: äöü
----------------- Mail End ----------------------------

Again with Wallace:

----------------- Mail Start ----------------------------
Return-Path: <***@example.org>
Received: from mx0.datenkollektiv.net ([10.0.2.1])
by mail.datenkollektiv.net (Cyrus
git2.5+0-Debian-2.5~dev2015021301-0~kolab1) with LMTPA;
Sat, 02 Jun 2018 23:29:19 +0200
X-Sieve: CMU Sieve 2.4
Sender: ***@example.org
From: Test User <***@example.org>
Subject: testmail
To: ***@example.org
Message-ID: <a74a6779-4494-f778-5b83-***@example.org>
Date: Sat, 2 Jun 2018 23:29:18 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

text with non-ascii characters: =C3=A4=C3=B6=C3=BC
----------------- Mail End ----------------------------
Post by Skale, Franz
My own MUA upgrades all streams using UTF-8 (utf8::upgrade).
When I configure my MUA to force sending mails quoted-printable
(strictly mime) everything is ok. But we don't have control about the
MUAs from our customers. So in most cases people (if using thunderbird)
will send mails with 8bit transfer encoding.

So I tried to understand where wallace forces transfer encoding to
quoted printable but didn't find it (except in the particular modules).

Best regards
Jan
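
The effect visible in the test mails above (same bh= in the DKIM-Signature, different body bytes once the transfer encoding becomes quoted-printable), reproduced as an added example that is not part of the original posts and is not Wallace or rspamd code. Only the body hash (bh=) of c=relaxed/relaxed is modelled, not the RSA signature in b=; the function names, the sample message and the use of Python's quopri as the re-encoding step are assumptions made for the illustration.

```python
import base64
import hashlib
import quopri
import re

SEP = b"\r\n\r\n"  # blank line between headers and body


def relaxed_body(body):
    """'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of whitespace
        lines.append(line.rstrip(b" "))        # drop whitespace at end of line
    while lines and lines[-1] == b"":          # drop empty lines at end of body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body):
    """Value a signer places in bh= when a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_bh(headers):
    """Return bh= from the first DKIM-Signature header, or None."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", headers)  # undo header folding
    for line in unfolded.splitlines():
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"dkim-signature":
            continue
        for tag in value.split(b";"):
            key, _, val = tag.partition(b"=")
            if key.strip() == b"bh":
                return re.sub(rb"\s+", b"", val).decode("ascii")
    return None


def body_hash_ok(raw):
    """True if the body as it is now still matches the signed bh=."""
    headers, _, body = raw.partition(SEP)
    return signed_bh(headers) == body_hash(body)


def add_signature_stub(raw):
    """Stand-in for the signing milter: real bh=, placeholder b=."""
    headers, _, body = raw.partition(SEP)
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
           " d=example.org; s=selector; bh=%s;\r\n"
           " b=PLACEHOLDER" % body_hash(body)).encode("ascii")
    return sig + b"\r\n" + headers + SEP + body


def reencode_as_qp(raw):
    """Stand-in for the later hop: 8bit body rewritten as quoted-printable."""
    headers, _, body = raw.partition(SEP)
    headers = re.sub(rb"(?i)(Content-Transfer-Encoding:[ \t]*)8bit",
                     rb"\1quoted-printable", headers, count=1)
    return headers + SEP + quopri.encodestring(body)


def decoded_body(raw):
    """Body after undoing quoted-printable, i.e. what the reader sees."""
    return quopri.decodestring(raw.partition(SEP)[2])


# Constructed sample, modelled on the test mail in the thread.
ORIGINAL = (
    b"From: Test User <user@example.org>\r\n"
    b"Subject: testmail\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    + "text with non-ascii characters: äöü\r\n".encode("utf-8")
)

if __name__ == "__main__":
    signed = add_signature_stub(ORIGINAL)
    rewritten = reencode_as_qp(signed)
    print("signed, untouched      :", body_hash_ok(signed))
    print("signed, then re-encoded:", body_hash_ok(rewritten))
    print("same text after decode :",
          decoded_body(rewritten) == signed.partition(SEP)[2])
    print("re-encoded, then signed:",
          body_hash_ok(add_signature_stub(reencode_as_qp(ORIGINAL))))
```

Relaxed canonicalization only normalises whitespace and trailing empty lines, so it does not absorb a change of transfer encoding; the hash matches again only when signing happens after the last hop that rewrites the body.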
Jan Kowalsky
2018-06-05 09:44:21 UTC
Hi Jupiter,

thanks for your hint. In fact this was the second consideration to
change the order of content filters.

But in our specific setup this seems not so easy - at least not for me.
But maybe you've an idea.

As far as I see: the difference from your setup is that we use milter
for spam detection _and_ for signing. Until now we used amavis (as proxy
filter) and opendkim.

So situation is, that we have a prequeue content filter (rspamd) which
also signs outgoing mails - if they come from an internal domain.

For dkim signing we can address rspamd also to act as a content_filter.
So I tried the following.

On normal smtpd everything goes first to the prequeue milter and
afterwards to wallace. Everything is fine.

For submission my idea was to ignore the prequeue content filter and go
directly to wallace:


submission inet n - n - - smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    # overwrite the default milter - we can't do that on submission,
    # because we first have to go to wallace
    -o smtpd_milters=
    -o content_filter=smtp-wallace:[127.0.0.1]:10026


Similar as you, on reinjection from wallace to postfix now I implement
the rspamd as a content_filter for dkim signing.


127.0.0.1:10027 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_milters=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o content_filter=smtp:[127.0.0.1]:2525

But now every mail incoming on smtpd is going to rspamd two times. Once
as a milter (prequeue) and a second time after wallace.

I would need a possibility to only send mails to a content filter e.g.
if they come from internal domains - or not if they came from smtpd.

Is there any such possibility in postfix? I didn't find out yet, if
there is a configuration option in rspamd to avoid checking again and
only do dkim signing.

Best regards
Jan
Hi.
You just need to make sure that signing happens _/LAST/_ in the milter chain
configured in master.cf, and if you want the header signing to not be broken,
cleanup any headers added _/after/_ signing (the fact that it arrives on the
10029 smtp socket from amavis before submission to the final destination adds a
localhost received from header). Here's an example of my setup signing with
amavis built-in dkim capability. I have configured some magic for amavis to not
inject any headers itself in the signing listener so that they don’t hit the
cleanup_internal header purge and thus break signing again. This way Wallace
does its thing way before the signing even happens so the body and headers are
intact from DKIM's point of view when transmitting the message (iirc my settings
are simple/simple and all of this works flawlessly).
# Filter email through Amavisd
smtp-amavis unix - - n - 3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
    -o smtp_bind_address=127.0.0.1
# Listener to re-inject email from Amavisd into Postfix
127.0.0.1:10025 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
But since I can't
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# Filter email through Wallace
smtp-wallace unix - - n - 3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
# Listener to re-inject email from Wallace into Postfix
127.0.0.1:10027 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=smtp-amavis-dkim:[127.0.0.1]:10028
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# Send mail second time to amavis for DKIM
smtp-amavis-dkim unix - - n - 3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
    -o smtp_bind_address=127.0.0.1
# Listener to re-inject email from DKIM signing
127.0.0.1:10029 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8