On 20-05-18 21:18, Dilyan Palauzov wrote:
Hello Wietse,
thanks for your fast and detailed answer.
Accepting 8-bit dkim signed email and forwarding it to a 7-bit-only
host inevitably leads to breaking the DKIM signatures. I am talking
primarily about emails which are received from the world over SMTP, and
are forwarded, ideally unchanged, over SMTP to some other provider. In
this case doing the signing after converting to 7-bit is not an option,
as the emails arrive signed and the idea is not to break the signature.
As there is nothing that can be done if a provider sends 8-bit mails
for a domain with DMARC p=reject; policy to sites accepting only 7-bit
emails, I wouldn't concern myself further with this case.
Remote MTAs that do conversions and break signatures are out of my
control, therefore I am not concerned about them. I can only suggest
putting text in a file, that is supposed to be read by DKIM-deployers.
Can Postfix know, when it signs a message over DKIM, whether the host
to which the message will be forwarded is 8bit capable and transfer
only if this is not the case the email to 7bit before signing it?
You might know whether the first host supports 8bit but not the host
after that.
DKIM requires that 8bit email is converted to 7bit before signing
http://dkim.org/specs/rfc4871-dkimbase.html
"5.3 Normalize the Message to Prevent Transport Conversions
Some messages, particularly those using 8-bit characters, are subject to
modification during transit, notably conversion to 7-bit form. Such
conversions will break DKIM signatures. In order to minimize the chances
of such breakage, signers SHOULD convert the message to a suitable MIME
content transfer encoding such as quoted-printable or base64 as
described in MIME Part One [RFC2045] before signing."
Kind regards,
Martijn Brinkers
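
An added illustration of the RFC 4871 section 5.3 text quoted above; it is not code from this thread or from Postfix. It compares the DKIM body hash (bh=, "simple" canonicalization, SHA-256) fixed at signing time with the hash a verifier computes after a 7-bit-only hop forces a quoted-printable conversion. All function names and the sample message are constructed for the example, which assumes a single-part message with unfolded headers.

```python
import base64, binascii, hashlib
from email import message_from_bytes

def split_message(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body

def dkim_body_hash(body: bytes) -> str:
    # "simple" body canonicalization: drop trailing empty lines, end with one CRLF
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def is_8bit(raw: bytes) -> bool:
    head, body = split_message(raw)
    cte = message_from_bytes(head + b"\r\n\r\n").get("Content-Transfer-Encoding", "7bit")
    return cte.strip().lower() in ("8bit", "binary") or any(b > 0x7F for b in body)

def to_quoted_printable(raw: bytes) -> bytes:
    # Same transformation whether done by the signer before signing (section 5.3)
    # or by a relay facing a 7-bit-only next hop. Assumes unfolded headers.
    head, body = split_message(raw)
    kept = [h for h in head.split(b"\r\n")
            if not h.lower().startswith(b"content-transfer-encoding:")]
    kept.append(b"Content-Transfer-Encoding: quoted-printable")
    return b"\r\n".join(kept) + b"\r\n\r\n" + binascii.b2a_qp(body)

def survives_7bit_hop(signed: bytes) -> bool:
    # Compare the body hash fixed at signing time (bh=) with the hash a
    # verifier computes after a 7-bit-only hop forced a conversion.
    relayed = to_quoted_printable(signed) if is_8bit(signed) else signed
    return dkim_body_hash(split_message(signed)[1]) == dkim_body_hash(split_message(relayed)[1])

# Constructed sample message (not from the thread)
SAMPLE = (b"From: alice@example.org\r\n"
          b"Subject: test\r\n"
          b"Content-Type: text/plain; charset=utf-8\r\n"
          b"Content-Transfer-Encoding: 8bit\r\n"
          b"\r\n"
          b"Caf\xc3\xa9 order confirmed.\r\n")

if __name__ == "__main__":
    print("signed as 8bit, survives:", survives_7bit_hop(SAMPLE))
    print("normalized first, survives:", survives_7bit_hop(to_quoted_printable(SAMPLE)))
```

The conversion also rewrites the Content-Transfer-Encoding header, so a signature that covers that header breaks on the header hash as well.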