On Mon, Sep 04, 2023 at 05:08:15PM -0400, Wietse Venema via Postfix-users wrote:

> Viktor Dukhovni via Postfix-users:
> > On Mon, Sep 04, 2023 at 12:18:38PM -0400, Viktor Dukhovni via Postfix-users wrote:
> > 
> > > It is best to enable this for outbound mail only, i.e. messages that
> > > arrive on the submission ports or through local submission via
> > > sendmail(1)->postdrop(1)->pickup(8).  That way, inbound 8bit mail will
> > > not fail DKIM signature checks.
> > > 
> > > One way to do that is to tweak the master.cf file to match the below:
> > > 
> > >     $ postconf -P '*/inet/enforce_mime_input_conversion'
> > >     smtps/inet/enforce_mime_input_conversion = yes
> > >     submission/inet/enforce_mime_input_conversion = yes
> > > 
> > >     $ postconf -Mf pickup/unix cleanups/unix
> > >     pickup     unix  n       -       n       60      1       pickup
> > >         -o cleanup_service_name=cleanups
> > >     cleanups   unix  n       -       n       -       0       cleanup
> > >         -o enforce_mime_input_conversion=yes
> > > 
> > > [ Your service name for wrapper-mode SMTP on port 465 may be
> > >   "submissions" or just "465", ... The "cleanups" service entry
> > >   is a clone of the "cleanup" entry with a tweak. ]
> > 
> > Note, this was with the 3.9-20230901 snapshot, the "en" in "enforce_..."
> > was dropped in 3.9-20230903.
> 
> I agree that the manpage text is not yet complete, and that this
> feature needs a good example.

And, I must admit to not thinking through my example config.  The
submission settings are not effective, because smtpd(8) does not
implement this feature; like pickup(8), these also would have needed a
"-o cleanup_service_name" override.  Wietse's "converse" example (with
input MIME conversion on by default) is simpler.

All the more reason to consider multiple instances or, at scale, separate
MTAs.

I do wonder however whether DKIM signing of bounces is always a good
idea.  Some of the bounced messages will include remote content that may
be spam, and one might not want to tarnish one's own domain's reputation
by signing it.

A cautious configuration might be to bounce only the message headers by
setting "bounce_size_limit = 1" on inbound MTAs.  For outbound MTAs,
full content bounces are friendlier to users who might not have retained
a copy of the sent message.  Such courtesies are less compelling for
bounces to remote senders.

-- 
    Viktor.
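
The pitfall described in the message above, as an added example that is not part of the original post or of Postfix: a small check over master.cf text that flags smtpd(8)/pickup(8) entries where the MIME conversion parameter is set directly (no effect) instead of being routed to a cleanup(8) clone via `cleanup_service_name`. The function names and the sample are constructed for illustration; both parameter spellings from the thread are accepted, and the check assumes main.cf leaves the parameter off and looks only at master.cf `-o` overrides.

```python
import shlex

MIME_PARAMS = {"force_mime_input_conversion", "enforce_mime_input_conversion"}

def parse_master_cf(text):
    """Return {"name/type": (command, {override: value})} per service entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:        # continuation line
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services = {}
    for fields in map(shlex.split, entries):
        args = fields[8:]
        # Assumption: overrides use the plain "-o name=value" form only.
        overrides = dict(b.split("=", 1) for a, b in zip(args, args[1:])
                         if a == "-o" and "=" in b)
        services[f"{fields[0]}/{fields[1]}"] = (fields[7], overrides)
    return services

def audit(text):
    """Classify smtpd/pickup entries: converted, ineffective or unconverted."""
    services = parse_master_cf(text)
    report = {}
    for key, (command, overrides) in services.items():
        if command not in ("smtpd", "pickup"):
            continue
        target = overrides.get("cleanup_service_name", "cleanup") + "/unix"
        t_cmd, t_over = services.get(target, ("", {}))
        routed = t_cmd == "cleanup" and any(t_over.get(p) == "yes" for p in MIME_PARAMS)
        # "ineffective": the parameter is set on a daemon that ignores it.
        report[key] = ("converted" if routed else "ineffective"
                       if MIME_PARAMS & overrides.keys() else "unconverted")
    return report

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o force_mime_input_conversion=yes
pickup     unix  n       -       n       60      1       pickup
    -o cleanup_service_name=cleanups
cleanup    unix  n       -       n       -       0       cleanup
cleanups   unix  n       -       n       -       0       cleanup
    -o force_mime_input_conversion=yes
"""
print(audit(SAMPLE))
```

Replacing the submission override with `-o cleanup_service_name=cleanups` moves that entry from "ineffective" to "converted", while the port 25 `smtp` entry stays "unconverted" so inbound 8bit mail is left untouched.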