DKIM+disclaimer problems after upgrade to mail2 module


(Stéphane de Labrusse) #21

Ok looking forward @davidep @giacomo I can see two ways to solve the issue

  • Sign N bytes of the email

     ##  MaximumSignedBytes n
     ##  Don't sign more than "n" bytes of the message.  The default is to 
     ##  sign the entire message.  Setting this implies "BodyLengths".
     MaximumSignedBytes	1

This implies BodyLengths, which adds l=1:

Received: from ( [])
        by with ESMTPS id 68-v6si15334888wra.360.2018.
        for <>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 01 Jun 2018 14:28:16 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
       dkim=pass header.s=default header.b=G+1c3mtr;
       dkim=pass header.s=default header.b=MtYsD+eT;
       spf=pass ( domain of designates as permitted sender);
       dmarc=pass (p=NONE sp=NONE dis=NONE)
Received: by (Postfix, from userid 8)
	id 1AE1E1806BF2A; Fri,  1 Jun 2018 23:28:16 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 1AE1E1806BF2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
	s=default; t=1527888496;
	bh=nR4OLZRZ0GUjrRPiikCTwjFrqv567Fsl8w66LhE1mcQ=; l=1;

it works :slight_smile:

But this implies a huge security concern: everybody could add content to your email and the signature is still verified. DKIM is here to validate that your email has not been modified during transport.

In the end we do not have many solutions; the Postfix filter is done after the milter.

  • passthrough filter before milter

The complicated solution: we need to rewrite the Postfix configuration, go back to the amavisd behaviour, and play with proxy and TCP ports. This should/could be supposed to work but I have not tested it.

In fact we could introduce a lot of bad things just for altermime.

Can you validate my solution please, @zimny?

Edit /etc/opendkim.conf:

     MaximumSignedBytes 1

Restart opendkim:

     systemctl restart opendkim

Send an email to Apple please.
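
The effect of l=1 described in the post above, as an added example (not code from the thread or from OpenDKIM): it recomputes the bh= body hash under relaxed canonicalization, as in the c=relaxed/relaxed header shown, and reports how many body octets a signature carrying l= leaves uncovered. The sample messages and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (the c=relaxed/relaxed case)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes, length=None) -> str:
    """bh= value: SHA-256 over the canonical body, cut to l= octets if given."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def unsigned_body_octets(sig_value: str, body: bytes) -> int:
    """Canonical body octets the signature does not cover (0 when l= is absent)."""
    tags = parse_tags(sig_value)
    if "l" not in tags:
        return 0
    return max(0, len(relaxed_body(body)) - int(tags["l"]))

# Constructed sample data, not taken from the thread.
ORIGINAL = b"Hello Bob,\r\nsee you on Monday.\r\n"
ALTERED = ORIGINAL + b"Text added in transit after signing.\r\n"
SIG_L1 = "v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; l=1; bh=" + body_hash(ORIGINAL, 1)

if __name__ == "__main__":
    # With l=1 both bodies hash identically, so a verifier sees no change.
    print(body_hash(ORIGINAL, 1) == body_hash(ALTERED, 1))
    # With the whole body signed, the added text changes bh.
    print(body_hash(ORIGINAL) == body_hash(ALTERED))
    print(unsigned_body_octets(SIG_L1, ALTERED), "octets outside the signature")
```

A receiving-side check built on unsigned_body_octets can flag any signed message whose l= value is smaller than the canonical body it arrived with.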

(Davide Principi) #22

Ok nice catch …but what happens if the disclaimer is attached, not appended? Does it still work?

I’m afraid we’re working around the problem… Speaking frankly we have to admit the two features cannot be enabled at the same time in a safe way. One excludes the other.

Unless somebody can propose an alternative implementation! Possibly without subverting the new mail milter architecture. An alterMIME milter?

My proposal is to document the incompatibility and add an UI validator that forbids dkim with disclaimer and vice-versa.

(Zimny) #23

I love the thread but is this the way for an upgrade?
Definitely I need me you guys
Excellent work

(Stéphane de Labrusse) #24

Unfortunately we cannot create miracles; we are integrators of external software and we swim between features, known issues and bugs.

Here the known issue is that alterMIME has not been updated since 2008, even the creator is not interested in this adventure, and you have no competitors. Postfix developers have not raised the flag to continue the work, and they seem not interested.

What we need here is disclaimer software with a MILTER feature. I could have searched badly of course, so if you have a solution, please share it.

This is the official postfix plugin page

Probably you have a choice to make: continue with amavisd/spamassassin, which is really less good than rspamd, or go to rspamd. Amavisd uses a proxy feature, created before MILTER usage, to separate incoming and outgoing email… But amavisd-new has had no update for two years; I believe it is the end.

Rspamd is modern, under development, milter based, fast, and learns quickly what is spam or not… In the end it is not really designed for dinosaurs like getmail, p3scan, but @davidep did nice work to get around the issues that the lead developer doesn’t want to hear about.

As I tried to demonstrate, there are no easy choices, and free software also needs volunteers, financial flow… not only simple users :smiley:

(Stéphane de Labrusse) #25

I do not know; are you talking about adding the disclaimer as an attachment?

@zimny @saitobenkei could this satisfy your need?

(Davide Principi) #26

IIRC alterMIME appends the disclaimer text to text body and adds disclaimer as HTML attachment if the body is HTML. So what it does depends on the original mail format.

(Zimny) #27

I think I checked it already. It’s not working. I also tried encoding outgoing emails in a different way. Not working either.

(Stéphane de Labrusse) #28

Could be wrong but I tested with SOGo and Thunderbird; both send HTML messages and I have no attachment. Of course the message is modified by the signature.

(Zimny) #29

Will do it today and provide feedback. Probably you guys know how the weekend can affect your performance these days :slight_smile:
This issue affects you just when you are dealing with very strict DMARC policy clients. Not sure, but from your Outlook header it looks like MS implementation and security is compromised against unix systems?

(Zimny) #30

An attachment may again not be a good way to do it, for security reasons, if you are dealing with a very strict SMTP server that does not allow attachments or quarantines this kind of email. This should be appended or injected into the message.
Also I believe that you should still consider this a bug to resolve, because the disclaimer should not be a consideration for end users, only system admins, and NS is an SMB offer.

(Zimny) #31

Stéphane, would you still like to test and go that way?
If you like I can test it against the Apple setup, but this is not a solution and, just like you mention, is a security flaw. Or are we thinking of NS as some kind of Kali distro :grin:

(Giacomo Sanchietti) #32

I agree with Davide: DKIM (and other cryptographic features like PGP) can’t live with software which alters the mail body before sending. I have strongly supported this statement for ages.
And, even if I can appear harsh and rude, I think that a server-side disclaimer feature shouldn’t exist at all.

IMHO, we can add a note to the manual and not change anything. :slight_smile:

(Zimny) #33

Giacomo, I understand you have a heavy Friday :grin:
We need to resolve it from 3 points:

  1. I love your distro too much
  2. From a company point of view it’s not possible to control your domain’s outgoing emails when you leave this task to your employees
  3. NS will not comply with a lot of regulations like ISO, etc

And DKIM is not a crypto feature; this is just another way to validate the original sender of a message.
PGP is completely different from it.

Need more checks on different providers - HELP

(Zimny) #34

Ok guys, all of us have been in the office at some point but you don’t like it at all.
I’m pissed off because this makes me buy something not to be involved.
Let me know if you think that this does not affect the NS distro because we are using third-party software.
I like to contribute to this project because in my opinion it is really a start-up for every admin who is allowed to use unix. I also love the concept and have started implementing it in my environment.

(Marc) #35

Looks like this feature won’t be integrated into rspamd:

MIMEDefang? …I’ve read it could be overkill for this sole use and have a performance penalty (IDK mailserver stuff so bear with me).

…but consider

(Zimny) #36

Good point and considerations. I’m not a coder, and we need one. This is a kind of usability which every admin will do. Company and finally NS ISO will need. I understand that alterMIME is no longer supported, but we have a starting point; where are the coders?

Need more checks on different providers - HELP

(Stéphane de Labrusse) #37

created an issue

(Stéphane de Labrusse) #38

a commercial disclaimer solution with a cheap price :smiley:

(Stéphane de Labrusse) #39

MailScanner should be able to add a disclaimer but Postfix doesn’t recommend working with it

(Zimny) #40

Stephen, great news. There is the solution and you have funding for this “cheap” offer.
Yuppie yay, we have a sponsor :slight_smile:
But seriously, this can be done and you just found an example.
Why not implement this functionality the same way as with amavisd?
I think this whole upgrade to 7.5 was too rushed and hurried.
Plenty of issues, incompatibilities, etc.
Like in some kind of panic.