[Djigzo users] [OT] Invalid signature because of "Content-Transfer-Encoding: 8bit"

Martijn Brinkers martijn at djigzo.com
Wed Apr 20 15:58:26 CEST 2011


On 01/-10/-28163 08:59 PM, Martijn Brinkers wrote:
> On 01/-10/-28163 08:59 PM, lst_hoe02 at kwsoft.de wrote:
>> Quoting Martijn Brinkers <martijn at djigzo.com>:
>>
>>>> today I got a mail from a well-known German Trustcenter with an invalid
>>>> signature warning (content altered). A former mail to another account
>>>> from the same Trustcenter was valid. On inspection it looks like someone
>>>> altered the encoding because the valid mail has
>>>> "Content-Transfer-Encoding: 8bit" and the broken one
>>>> "Content-Transfer-Encoding: quoted-printable". As far as I know an SMTP
>>>> server should only pass 8bit if the remote site announces 8BITMIME, so I
>>>> suspect this is the trouble maker because neither Djigzo nor our Virus
>>>> scan announces 8BITMIME :-(
>>>>
>>>> Any comments on this?
>>>
>>> The application that added the signature is not RFC 3851 compliant.
>>> Before signing a message the mail agent should convert 8bit MIME bodies
>>> to 7bit. This is important because if SMTP sees that a server does not
>>> support 8bit, it should convert the message to 7bit. Because of this
>>> conversion the message has been changed and therefore the signature is
>>> no longer valid. So the trouble maker is the application that signed the
>>> message :). The problem is that there is not much you can do. In
>>> principle you can disable the conversion from 8bit to 7bit in your own
>>> gateway (not that I recommend that ;) but you cannot control other
>>> intermediate gateways.
>>>
>>
>> Leads me straight to another question: What does Djigzo do if it is fed
>> with 8bit content to sign? Oh, wait... It does not announce 8BITMIME so
>> this should not happen at all, no?
> 
> Yes you are right. The caller should convert it to 7bit so the
> signing/encryption engine only sees 7bit messages :). However, let's
> suppose that the caller does not convert the message to 7bit. Postfix
> will receive the message and the message will then be sent to the
> internal SMTP (the after queue filter). Because the internal SMTP server
> does not announce 8bit, Postfix will convert it to 7bit and therefore
> all email will be converted to 7bit before signing.
> 

If you really really do not want the conversion from 8bit to 7bit
(because the sender won't fix their app) you might try disabling the
conversion to 7bit by adding "disable_mime_output_conversion" to your
postfix configuration.

Kind regards,

Martijn


-- 
Djigzo open source email encryption
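
Added example, not part of the original message and not Djigzo code: a small Python model of the failure discussed in this thread, showing that an entity signed while still 8bit no longer matches its digest after a relay re-encodes it to quoted-printable, while an entity converted before signing passes through unchanged. Assumptions: SHA-256 over the entity bytes stands in for the S/MIME message digest, the relay is modelled with Python's quopri module, and all function names and the sample body are constructed for illustration.

```python
import hashlib
import quopri

CRLF = b"\r\n"
CTE = b"Content-Transfer-Encoding: "

def entity(cte: bytes, body: bytes) -> bytes:
    """Serialise a text/plain MIME entity as the bytes a signer would hash."""
    return (b"Content-Type: text/plain; charset=utf-8" + CRLF
            + CTE + cte + CRLF + CRLF + body)

def digest(data: bytes) -> str:
    """Assumption: SHA-256 stands in for the S/MIME message digest."""
    return hashlib.sha256(data).hexdigest()

def relay_downgrade(ent: bytes) -> bytes:
    """Model a relay whose next hop does not announce 8BITMIME."""
    head, body = ent.split(CRLF + CRLF, 1)
    if CTE + b"8bit" not in head:
        return ent  # already 7bit-safe: passes through byte for byte
    head = head.replace(CTE + b"8bit", CTE + b"quoted-printable")
    return head + CRLF + CRLF + quopri.encodestring(body)

def survives_transit(ent: bytes) -> bool:
    """True if the digest computed at signing time still matches after relay."""
    return digest(relay_downgrade(ent)) == digest(ent)

def is_7bit(ent: bytes) -> bool:
    """Pre-signing check: no octet above 127 anywhere in the entity."""
    return all(b < 128 for b in ent)

# Constructed sample body containing non-ASCII (UTF-8) characters.
SAMPLE_BODY = "Grüße aus Köln".encode("utf-8") + CRLF

# Non-compliant signer: hashes the entity while it is still 8bit.
signed_8bit = entity(b"8bit", SAMPLE_BODY)
# Compliant signer: converts to a 7bit-safe encoding first, then hashes.
signed_qp = entity(b"quoted-printable", quopri.encodestring(SAMPLE_BODY))

if __name__ == "__main__":
    for name, ent in (("8bit", signed_8bit), ("quoted-printable", signed_qp)):
        print(name, "7bit-safe:", is_7bit(ent),
              "signature survives:", survives_transit(ent))
```

A gateway that signs mail can run a check like is_7bit on the entity before hashing it and refuse or re-encode anything that fails.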