Ok, looking forward, @davidep @giacomo, I can see two ways to solve the issue
Sign N byte of email
## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".
MaximumSignedBytes 1
Received: from prometheus.de-labrusse.fr (prometheus.de-labrusse.fr. [164.132.77.216])
by mx.google.com with ESMTPS id 68-v6si15334888wra.360.2018.06.01.14.28.16
for <stephane.delabrusse@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 01 Jun 2018 14:28:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) client-ip=164.132.77.216;
Authentication-Results: mx.google.com;
dkim=pass header.i=@de-labrusse.fr header.s=default header.b=G+1c3mtr;
dkim=pass header.i=@de-labrusse.fr header.s=default header.b=MtYsD+eT;
spf=pass (google.com: domain of stephane@de-labrusse.fr designates 164.132.77.216 as permitted sender) smtp.mailfrom=stephane@de-labrusse.fr;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=de-labrusse.fr
Received: by prometheus.de-labrusse.fr (Postfix, from userid 8)
id 1AE1E1806BF2A; Fri, 1 Jun 2018 23:28:16 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 prometheus.de-labrusse.fr 1AE1E1806BF2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=de-labrusse.fr;
s=default; t=1527888496;
bh=nR4OLZRZ0GUjrRPiikCTwjFrqv567Fsl8w66LhE1mcQ=; l=1;
h=From:Subject:To:Date:From;
b=G+1c3mtrl2sfrdOCQ6nsvTeQ9WkMyHhjNCwMCItzZGJyWVCiRC4TpkVjyhnBsRH8B
zR/Uoy1F2GCgBqg3mc8B+67dvBqjiewNqDgEkhnSYaeOFg1kGYirYY/CNrpm7DtkkN
CbdS6Y35PCXLbxIiRk5NP6hZmR3AOvmMSwFN67dXgurNoElJnUMzI4gKJ+6kQ5KhEg
JpkUnPVW5frxJs/NQ1rSiB5BxxdnhuoFrZWMTmaUp+ETgUpYje12lOuG24/oefUS4q
9S28ua9PlMftAIIvNMzD6sknYPaCnpjkt5qxUKzKhfBjrM1CPufRl72rZAztInRem0
qEywUpHsFJDtw==
it works
But this implies a huge security concern: everybody could add content to your email and the signature is still verified. DKIM is here to validate that your email has not been modified during transport.
In the end we do not have many solutions; the Postfix filter is done after the milter.
Passthrough filter before milter
The complicated solution: we need to rewrite the Postfix configuration, go back to the amavisd behaviour, and play with proxy and TCP port. This should/could be supposed to work but I have not tested it.
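What a `l=` body length limit means for a verifier, as an added example that is not part of the original posts and is not OpenDKIM code: the body hash is computed over only the first `l` bytes of the canonicalized body, so anything appended after that point leaves `bh=` unchanged. The message bodies, the signature header and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of whitespace, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # drop empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # unfold whitespace
    return tags

def body_hash(body: bytes, length=None) -> str:
    """bh= for rsa-sha256: SHA-256 over the first `length` canonical bytes."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def unsigned_bytes(sig_value: str, body: bytes) -> int:
    """Canonical body bytes not covered by the signature (0 if no l= tag)."""
    tags = parse_tags(sig_value)
    if "l" not in tags:
        return 0
    return max(0, len(relaxed_body(body)) - int(tags["l"]))

# Constructed sample data (not taken from the thread).
ORIGINAL = b"Hello Bob,\r\nsee you on Monday.\r\n"
TAMPERED = ORIGINAL + b"-- \r\nDisclaimer text added after signing\r\n"
SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=default; l=1; h=From:Subject:To:Date"

if __name__ == "__main__":
    limit = int(parse_tags(SIG)["l"])
    print("bh with l=1 identical:", body_hash(ORIGINAL, limit) == body_hash(TAMPERED, limit))
    print("bh over full body identical:", body_hash(ORIGINAL) == body_hash(TAMPERED))
    print("unsigned bytes in received body:", unsigned_bytes(SIG, TAMPERED))
```

A receiving-side check can use the `unsigned_bytes` count to flag or down-score messages whose `dkim=pass` covers only part of the body.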
Ok, nice catch… but what happens if the disclaimer is attached, not appended? Does it still work?
I'm afraid we're working around the problem… Speaking frankly, we have to admit the two features cannot be enabled at the same time in a safe way. One excludes the other.
Unless somebody can propose an alternative implementation! Possibly without subverting the new mail milter architecture. An alterMIME milter?
My proposal is to document the incompatibility and add a UI validator that forbids DKIM with disclaimer and vice versa.
Unfortunately we cannot create miracles; we are integrators of external software and we swim between features, known issues and bugs.
Here the known issue is that alterMIME has not had an update since 2008, even the creator is not interested in this adventure, and it has no competitors. Postfix developers have not raised the flag to continue the work, and they seem not interested.
Here what we need is a disclaimer software with MILTER feature, I could have badly searched of course, so if you have a solution, please share it.
Probably you have a choice to make: continue with amavisd/spamassassin, which is really less good than rspamd, or go to rspamd. Amavisd uses a proxy feature, created before the MILTER usage, to separate incoming and outgoing email… But amavisd-new got no update for two years; I believe it is the end.
Rspamd is modern, under development, milter based, fast, and learns quickly what is spam or not… In the end it is not really designed for dinosaurs like getmail and p3scan, but @davidep did nice work to get around the issues that the lead developer doesn't want to hear.
Like I tried to demonstrate, there are no easy choices, and free software also needs volunteers, financial flow… not only simple users.
IIRC alterMIME appends the disclaimer text to text body and adds disclaimer as HTML attachment if the body is HTML. So what it does depends on the original mail format.
Could be wrong, but I tested with SOGo and Thunderbird; both send HTML messages and I have no attachment. Of course the message is modified by the signature.
Will do it today and provide feedback. You guys probably know how the weekend can affect your performance these days.
This issue affects you just when you are dealing with clients with a very strict DMARC policy. Not sure, but from your Outlook header it looks like the MS implementation and security is compromised against Unix systems?
An attachment may again not be a good way to do it, for security reasons, if you are dealing with a very strict SMTP server which does not allow attachments or quarantines this kind of email. This should be appended or injected into the message.
Also I believe that you should still consider this like a bug to resolve because disclaimer should not be consideration of the end users only system admins and NS is SMB offer.
I agree with Davide: DKIM (and other cryptographic features like PGP) can't live with software which alters the mail body before sending. I have strongly supported this statement for ages.
And, even if I can appear harsh and rude, I think that a server-side disclaimer feature shouldn't exist at all.
IMHO, we can add a note into the manual and not changing anything.
Ok guys, all of us have been in the office at some point, but you don't like it at all.
I'm pissed off because this makes me buy something so as not to be involved.
Let me know if you think that this does not affect the NS distro because we are using third-party software.
I like to contribute to this project because in my meaning is really start up for every admin who is allowed to use unix. I love concept also and start implemented in my environment.
Good point and considerations. I'm not a coder, and we need one. This is a kind of usability which every admin will do. Companies and finally the NS ISO will need it. I understand that alterMIME is no longer supported, but we have a starting point; where are the coders?
Stephen, great news. There is the solution and you have funding for this "cheap" offer
Yuppie yay you we have a sponsor
But seriously this can be done and you just find an example
Why not implement this functionality the same way as with Amavisd?
I think all this upgrade to 7.5 was too rushed and hurried
Plenty of issues, incompatibilities, etc.
Like in some kind of panic