Re: 250-8BITMIME question

From: Bill Landry (billinetmsg.com)
Date: Wed Sep 19 2007 - 14:03:12 CDT


Mark Martinec wrote:
[snip]
> Convert to 7bit BEFORE signing your mail.
>
> If using a content filter like amavisd, you can force Postfix
> to downgrade to 7bit QP if you let amavis NOT to announce its
> 8-bit capability: smtpd_discard_ehlo_keywords = ('8BITMIME');
> and use a signing milter AFTER content filtering. See:
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

Thanks for all of the feedback from everyone. Since I am using amavisd-new as a
content filter, I gave Mark's suggestion above a try. However, that did not
work either. Before making the change to amavisd.conf:

telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
ehlo test.net
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PROTO HELO
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

After making the change to amavisd.conf:

telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
ehlo test.net
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-DSN
250 XFORWARD NAME ADDR PROTO HELO
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

This looks good, no 8BITMIME support announced. DK and DKIM signing is not done
until after the message is returned from amavisd-new to postfix:

main.cf:

content_filter = amavisd:[127.0.0.1]:10024

master.cf:

# Amavisd-New Begin
amavisd unix - - n - 5 smtp
   -o smtp_data_done_timeout=1500
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=25
   -o smtp_bind_address=127.0.0.1
   -o strict_rfc821_envelopes=yes
   -o smtp_line_length_limit=0
   -o notify_classes=protocol,resource,software
   -o disable_mime_output_conversion=yes

127.0.0.1:10025 inet n - n - - smtpd
   -o cleanup_service_name=amavisd-cleanup
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o smtpd_delay_reject=no
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_unknown_recipient_checks
   -o local_header_rewrite_clients=
   -o smtpd_milters=inet:localhost:10022,inet:localhost:10023
   -o milter_protocol=2
   -o milter_macro_daemon_name=ORIGINATING

amavisd-cleanup unix n - n - 0 cleanup
   -o header_checks=regexp:/etc/postfix/amavisd-header-checks
   -o mime_header_checks=
   -o nested_header_checks=
   -o body_checks=
   -o canonical_maps=
   -o sender_canonical_maps=
   -o recipient_canonical_maps=
   -o masquerade_domains=
# Amavisd-New End

===

amavisd-header-checks:

/^Subject:/ WARN
/127\.0\.0\.1.*mail\.inetmsg\.com/ IGNORE
/mail\.inetmsg\.com.*amavisd\-new/ IGNORE
/mail\.inetmsg\.com.*userid/ IGNORE

And the debug output from (which can be viewed at http://www.inetmsg.com/debug.txt):

amavisd unix - - n - 5 smtp -v
127.0.0.1:10025 inet n - n - - smtpd -v

seems to indicate a conversion to 7bit, however, when the message arrives at the
destination, it is still showing up as "Content-Transfer-Encoding:
quoted-printable", which still causes DK and DKIM signature verifications to fail.

Again, thanks for everyone's feedback, but are there any other thoughts/suggestions
on how I might be able to resolve this in the near term?

Bill
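
Added example, not part of the original message: a Python sketch of why a DKIM body hash computed over an 8-bit body stops matching once a later hop downgrades the body to quoted-printable, plus a check for the 8BITMIME keyword in an EHLO reply. The sample bodies are constructed, the EHLO replies are abridged from the telnet sessions above, and `downgrade_to_qp` is a stand-in for an MTA's conversion, not Postfix's own code.

```python
import base64
import hashlib
import quopri
import re

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer would put in the bh= tag when using sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def downgrade_to_qp(body: bytes) -> bytes:
    """Stand-in for an 8bit -> quoted-printable downgrade (short lines only)."""
    return b"\r\n".join(quopri.encodestring(ln) for ln in body.split(b"\r\n"))

def survives_downgrade(body: bytes) -> bool:
    """True if a body hash made before the downgrade still verifies after it."""
    return body_hash(body) == body_hash(downgrade_to_qp(body))

def announces_8bitmime(ehlo_reply: str) -> bool:
    """Check the keyword of every 250 line in an EHLO reply for 8BITMIME."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](\S+)", line.strip())
        if m and m.group(1).upper() == "8BITMIME":
            return True
    return False

# Constructed sample bodies: one with an 8-bit (Latin-1) byte, one pure ASCII.
BODY_8BIT = "Caf\u00e9 menu attached.\r\nRegards\r\n".encode("latin-1")
BODY_ASCII = b"Cafe menu attached.\r\nRegards\r\n"

# EHLO replies abridged from the two telnet sessions in the message above.
EHLO_BEFORE = "250-[127.0.0.1]\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250-DSN\n"
EHLO_AFTER = "250-[127.0.0.1]\n250-ENHANCEDSTATUSCODES\n250-DSN\n"

if __name__ == "__main__":
    for name, body in (("8bit", BODY_8BIT), ("ascii", BODY_ASCII)):
        print(name, "bh before:", body_hash(body))
        print(name, "bh after: ", body_hash(downgrade_to_qp(body)))
        print(name, "signature survives downgrade:", survives_downgrade(body))
    print("8BITMIME before change:", announces_8bitmime(EHLO_BEFORE))
    print("8BITMIME after change: ", announces_8bitmime(EHLO_AFTER))
```

A verifier hashes the body bytes exactly as received, so any re-encoding that happens after the signing step changes bh= for messages containing 8-bit bytes, while pure 7-bit bodies pass through unchanged.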