DKIM+disclaimer problems after upgrade to mail2 module

Such configuration must be moved to client.
WebTop already supports it: WebTop 5 — NethServer 7 Final

I think something similar is possible with many other mail clients.

This means that alterMIME is no longer maintained and could be removed by upstream in the next major release. I don’t know another project that does the same thing… What to do?

I think the best thing to do is to be prepared to find an alternative and to plan the migration to it.

Not sure why you mean it “must” be on the client mail app.
Then if you host several domains on NS you need to do it manually on every client machine by editing signatures.
This feature was great for quickly adding a disclaimer for all domain users at one time.
Some of my clients are far away from my company, some of them are not computer geeks and probably don’t know how to edit settings in their mail apps.
Looks like the only solution for my company is to downgrade to the previous version of the mail module.
Very sad :worried:

1 Like

@zimny: it’s a lost battle…

2 Likes

@saitobenkei is right, it’s a long and old discussion :smiley:
Just search the forum for other threads.

Let’s see if @stephdl or @davidep can find a fix in the next days :wink:

@giacomo

It isn’t necessary.

I’m the first who has fought to have disclaimers/signatures managed directly by the server and not by the clients.

I would like you to share the full email header in a way that is easy to read (pastebin or the full email), and the signature you added please.
For what I have tested with a really basic signature, rspamd doesn’t break altermime/opendkim and the signature was added.

I checked with the SOGo webmail, how did you test it?

2 Likes

@davidep something fun, when I sign email by PGP (like all of my sent emails with thunderbird) the ALTERMIME signature is not added.

If the email is not signed, then the signature is added.

I can see each time the

May 31 21:38:27 prometheus postfix/pipe[31578]: 2D7AA1806B0DC: to=<stephane.delabrusse@gmail.com>, relay=dfilt, delay=1.3, delays=1.2/0.01/0/0.11, dsn=2.0.0, status=sent (delivered via dfilt service)

Fun, but in the end I could understand why: the message could not be modified. Maybe a bit of documentation should be done?

1 Like

I have tested in a very simple way. Send emails to Google and iCloud with and without “Append a legal note to sent messages” added to the domain. When the “Append a legal note to sent messages” feature was on, I got “signature verification failed - bh mismatch” DKIM errors from both providers. When I turned off “Append a legal note to sent messages” in Email -> Domain preferences, both providers report no errors.

Here is my appended signature:

“IT Pro Systems” - E-MAIL DISCLAIMER - This message is for the intended recipient only and may contain confidential or proprietary information. If you receive this message in error, please immediately delete it, destroy all copies of it and notify the sender. If you contact us by E-mail, we may store your details to aid communication. We may also monitor mail entering and leaving from “IT Pro Systems”. We take reasonable precautions to ensure that our E-mails are virus free. However, we cannot accept responsibility for any virus transmitted in net and recommend that you subject any incoming E-mail to your own virus checking procedures.

Tested for outlook.com (Office 365) with your signature, it works as expected:

Received: from VE1EUR02FT022.eop-EUR02.prod.protection.outlook.com
 (2a01:111:f400:7e06::202) by AM6PR03CA0031.outlook.office365.com
 (2603:10a6:20b::44) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.797.11 via Frontend
 Transport; Fri, 1 Jun 2018 15:19:18 +0000
Authentication-Results: spf=pass (sender IP is 164.132.77.216)
 smtp.mailfrom=de-labrusse.fr; chubbfrance.com; dkim=pass (signature was
 verified) header.d=de-labrusse.fr;chubbfrance.com; dmarc=pass action=none
 header.from=de-labrusse.fr;
Received-SPF: Pass (protection.outlook.com: domain of de-labrusse.fr
 designates 164.132.77.216 as permitted sender)
 receiver=protection.outlook.com; client-ip=164.132.77.216;
 helo=prometheus.de-labrusse.fr;

Tested from Google, with your signature it works as expected:

Received: from prometheus.de-labrusse.fr (prometheus.de-labrusse.fr. [164.132.77.216])
        by mx.google.com with ESMTPS id f56-v6si452943qtk.355.2018.06.01.08.19.18
        for <stephane.delabrusse@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 01 Jun 2018 08:19:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) client-ip=164.132.77.216;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@de-labrusse.fr header.s=default header.b=fZ2KlyKj;
       dkim=neutral (body hash did not verify) header.i=@de-labrusse.fr header.s=default header.b=TZCBe+JQ;
       spf=pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) smtp.mailfrom=stephane@de-labrusse.fr;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=de-labrusse.fr

Can you send me your private Apple email (by PM)? I will send you an email, can you transmit it back please?

For what I saw, either a bug to find on your side, or something misconfigured somewhere…or probably Apple s… :smiley:

It seems that Google is aware that the body hash is not valid. Maybe Apple checks are more strict.

Can we disable the body signing if alterMime is enabled?

I think we have a bit of a misunderstanding here.
In your Google header you have exactly the same problem: “dkim=neutral (body hash did not verify)”. Apple is a bit more restrictive and they notice this issue: “dkim=fail reason="signature verification failed - bh mismatch"”.
They will allow the email anyway because the second dkim record is correct.
The problem is when you are dealing with a company that has a more restrictive DMARC policy.
Then they will reject email from you.

Our misunderstanding is between NS appended disclaimer and dkim signature meaning.

My first thought was that outgoing emails are scanned by rspamd and this is dealing with the body hash issue.
But when I turned off the disclaimer on NS, the DKIM signatures pass without any notices or fail messages from the providers.
I think David has some solution for it.

Yep, we did not see it before, but sure, the former nethserver-mail is impacted too. It makes sense: if you add a signature you modify the body.

Not sure…maybe one way, however we could try to add the disclaimer before signing.

1 Like

This has been searched a lot on several forums, but without many answers.

We use a postfix filter to add a disclaimer, but the MILTERs (rspamd, opendkim) are processed first, then the dfilt filter proceeds to add the disclaimer at the end of the process, and of course the body mismatches the DKIM signature.
One way could be to add the disclaimer in the header, not tested yet.

Ok, looking forward @davidep @giacomo, I can see two ways to solve the issue.

  • Sign N bytes of the email

     ##  MaximumSignedBytes n
     ##
     ##  Don't sign more than "n" bytes of the message.  The default is to
     ##  sign the entire message.  Setting this implies "BodyLengths".

     MaximumSignedBytes 1

https://fossies.org/linux/opendkim/opendkim/opendkim.conf.sample

This implies BodyLengths, which adds an l=1 tag to the signature:

Received: from prometheus.de-labrusse.fr (prometheus.de-labrusse.fr. [164.132.77.216])
        by mx.google.com with ESMTPS id 68-v6si15334888wra.360.2018.06.01.14.28.16
        for <stephane.delabrusse@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 01 Jun 2018 14:28:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) client-ip=164.132.77.216;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@de-labrusse.fr header.s=default header.b=G+1c3mtr;
       dkim=pass header.i=@de-labrusse.fr header.s=default header.b=MtYsD+eT;
       spf=pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) smtp.mailfrom=stephane@de-labrusse.fr;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=de-labrusse.fr
Received: by prometheus.de-labrusse.fr (Postfix, from userid 8)
	id 1AE1E1806BF2A; Fri,  1 Jun 2018 23:28:16 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 prometheus.de-labrusse.fr 1AE1E1806BF2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=de-labrusse.fr;
	s=default; t=1527888496;
	bh=nR4OLZRZ0GUjrRPiikCTwjFrqv567Fsl8w66LhE1mcQ=; l=1;
	h=From:Subject:To:Date:From;
	b=G+1c3mtrl2sfrdOCQ6nsvTeQ9WkMyHhjNCwMCItzZGJyWVCiRC4TpkVjyhnBsRH8B
	 zR/Uoy1F2GCgBqg3mc8B+67dvBqjiewNqDgEkhnSYaeOFg1kGYirYY/CNrpm7DtkkN
	 CbdS6Y35PCXLbxIiRk5NP6hZmR3AOvmMSwFN67dXgurNoElJnUMzI4gKJ+6kQ5KhEg
	 JpkUnPVW5frxJs/NQ1rSiB5BxxdnhuoFrZWMTmaUp+ETgUpYje12lOuG24/oefUS4q
	 9S28ua9PlMftAIIvNMzD6sknYPaCnpjkt5qxUKzKhfBjrM1CPufRl72rZAztInRem0
	 qEywUpHsFJDtw==

it works :slight_smile:

But this implies a huge security concern: everybody could add content to your email and the signature is still verified. DKIM is here to validate that your email has not been modified during transport.

In the end we do not have many solutions, the postfix filter is done after the milter.

  • passthrough filter before the milter

The complicated solution: we need to rewrite the postfix configuration, go back to the amavisd behaviour, and play with the proxy and TCP ports. This should/could work but I have not tested it.

http://www.postfix.org/SMTPD_PROXY_README.html

In fact we could introduce a lot of bad things just for altermime.

Can you validate my solution please @zimny?

Edit /etc/opendkim.conf and add:
MaximumSignedBytes 1
Then restart opendkim:
systemctl restart opendkim

Send an email to Apple please.

2 Likes
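To make the two observations above concrete (the “bh mismatch” when dfilt appends the disclaimer after OpenDKIM has signed, and why MaximumSignedBytes 1 makes it pass), here is an added example that is not from the thread or from NethServer: a small Python model of the verifier side of DKIM body hashing with relaxed canonicalization (RFC 6376). The message body and disclaimer text are constructed samples; the function names are mine.

```python
import base64
import hashlib
import re
from typing import Optional

def relaxed_body(body: str) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376 s.3.4.4): trim trailing WSP
    per line, collapse WSP runs to one space, drop trailing empty lines, end a
    non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def _bh(canon: bytes) -> str:
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_hash(body: str, length: Optional[int] = None) -> str:
    """The bh= value the signer emits; with an l= tag (what OpenDKIM's
    MaximumSignedBytes produces) only the first 'length' canonical bytes count."""
    canon = relaxed_body(body)
    return _bh(canon if length is None else canon[:length])

def verify_body(body: str, bh: str, length: Optional[int] = None) -> bool:
    """Verifier side: recompute bh= over the body as received, honouring l=."""
    canon = relaxed_body(body)
    if length is not None:
        if len(canon) < length:   # body shorter than l= is a verification failure
            return False
        canon = canon[:length]
    return _bh(canon) == bh

def demo() -> dict:
    """Constructed sample: the body is signed as sent, then the disclaimer is
    appended afterwards by the dfilt step, the ordering the thread describes."""
    original = "Hello,\r\n\r\nPlease find the report attached.\r\n"
    disclaimer = "\r\n-- \r\nE-MAIL DISCLAIMER: for the intended recipient only.\r\n"
    bh_full = body_hash(original)      # OpenDKIM default: whole body signed
    bh_l1 = body_hash(original, 1)     # MaximumSignedBytes 1 -> l=1, one byte signed
    return {
        # default signing: appended disclaimer -> the "bh mismatch" Google/Apple report
        "default_after_disclaimer": verify_body(original + disclaimer, bh_full),
        # l=1: the appended disclaimer now verifies...
        "l1_after_disclaimer": verify_body(original + disclaimer, bh_l1, 1),
        # ...but so does any other text added in transit, which is the risk
        "l1_after_other_change": verify_body(original + "Unsigned text\r\n", bh_l1, 1),
    }
```

Calling demo() returns False for the default case and True for both l=1 cases, which is exactly why the thread treats MaximumSignedBytes 1 as a workaround rather than a fix.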

Ok nice catch …but what happens if the disclaimer is attached, not appended? Does it still work?

I’m afraid we’re working around the problem… Speaking frankly we have to admit the two features cannot be enabled at the same time in a safe way. One excludes the other.

Unless somebody can propose an alternative implementation! Possibly without subverting the new mail milter architecture. An alterMIME milter?

My proposal is to document the incompatibility and add a UI validator that forbids DKIM with the disclaimer and vice-versa.

2 Likes

I love the thread, but is this the way to upgrade?
Definitely I need you guys.
Excellent work.

Unfortunately we cannot create miracles, we are integrators of external software and we swim between features, known issues and bugs.

Here the known issue is that alterMIME has not been updated since 2008, even the creator is not interested in this adventure, and it has no competitors. The Postfix developers have not raised the flag to continue the work, and they seem not interested.

What we need here is disclaimer software with a MILTER feature. I could have searched badly of course, so if you have a solution, please share it.

This is the official postfix plugin page: Postfix Add-on Software

Probably you have a choice to make: continue with amavisd/spamassassin, which is really less good than rspamd, or go to rspamd. Amavisd uses a proxy feature, created before MILTER usage, to separate incoming and outgoing email…But amavisd-new has had no update for two years, I believe it is the end.

Rspamd is modern, under development, milter based, fast, and learns quickly what is spam or not…in the end it is not really designed for dinosaurs like getmail or p3scan, but @davidep did a nice job working around the issues that the lead developer doesn’t want to hear about.

As I tried to demonstrate, there are no easy choices, and free software also needs volunteers and financial flow…not only simple users :smiley:

1 Like