• autoconvert messes up DKIM signature

    From Helmut K. C. Tessarek@kct@evermeet.cx to comp.mail.sendmail on Fri Oct 31 17:21:17 2025
    From Newsgroup: comp.mail.sendmail

    Hello sendmail experts!

    Today I sent myself a test email from an updated k9-mail client and imagine my surprise as the DKIM check failed with "Invalid (E-mail was modified)".

    I checked the mail headers and found the following:

    X-MIME-Autoconverted: from quoted-printable to 8bit by [bla] 59VKaHmW832917

    Weird, why would sendmail do such a conversion? I never told it to do so (or at
    least I think I never did). I guess k9-mail sent the mail in a format sendmail didn't like. However, there is nothing I can do about that. But what is even weirder is that sendmail modifies a signed email. So this basically breaks DKIM.

    This brought a few interesting questions to light, some of which most likely show my non-sendmail-expert status. So please bear with me:

    1. Why would sendmail modify the mail after it was signed? Is there a way that sendmail does this conversion before the opendkim milter signs it? I can't be the only one who uses opendkim and sendmail. Modifying an email after it was signed clearly makes no sense.

    2. Is there a reason for sendmail to do this conversion in the first place? Afaik quoted-printable is not an exotic/unknown format and thus should be understood by today's clients.

    3. How can I turn off this auto-conversion? Would it result in drawbacks?

    While the 3rd one is the brutal approach, I'd rather go with the 1st one, which
    also makes the most sense in terms of a mail processing workflow.
    Unfortunately I don't know how to do either.

    Here is my sendmail.mc: https://evermeet.cx/paste/sendmail_mc.xD5s.txt (available until 2025-11-07 20:56:45 UTC)

    Cheers,
    K. C.




    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Helmut K. C. Tessarek@kct@evermeet.cx to comp.mail.sendmail on Fri Oct 31 19:40:40 2025
    From Newsgroup: comp.mail.sendmail

    After searching and debugging I have noticed that my local mailer was using the
    9 flag.

    I have removed it by replacing my
    MODIFY_MAILER_FLAGS(`LOCAL', `-f')
    with
    MODIFY_MAILER_FLAGS(`LOCAL', `-f-9')

    IMO this flag is incompatible with DKIM, unless I am missing something.

    Is this flag really needed these days?

    Cheers,
    K. C.
  • From Marco Moock@mm+solani@dorfdsl.de to comp.mail.sendmail on Sat Nov 1 10:39:21 2025
    From Newsgroup: comp.mail.sendmail

    On 31.10.2025 at 19:40:40, Helmut K. C. Tessarek wrote:

    > IMO this flag is incompatible with DKIM, unless I am missing
    > something.

    It is important that the DKIM signing happens after such a conversion.
    IIRC the milter interface is being invoked before the mailer is being
    used.

    Although, I cannot give you full advice on that.

    Is there a reason that the local mailer is used in your case when
    sending mail to remote machines?

  • From Helmut K. C. Tessarek@kct@evermeet.cx to comp.mail.sendmail on Sat Nov 1 22:03:46 2025
    From Newsgroup: comp.mail.sendmail

    On 2025-11-01 05:39, Marco Moock wrote:
    > It is important that the DKIM signing happens after such a conversion.
    > IIRC the milter interface is being invoked before the mailer is being
    > used.

    Yep that was my idea, but this can't work and will never work, when the local mailer modifies the email. The local mailer cannot send an email before signing.
    So the workflow is actually correct.

    > Is there a reason that the local mailer is used in your case when
    > sending mail to remote machines?

    I sent an email to myself, thus the email never had to leave the server. ;-) This is why the local mailer was used.

    But this whole thing revealed that DKIM and the 9 flag in the local mailer are incompatible.
    Not only for me signing emails, but for anyone. If your mail server signs an email, but my local mailer changes it, then this will screw up your DKIM signature.
    My local mailer is always used to deliver any email to my user and thus inbox, so allowing my local mailer to modify an email is a no-no.

    The question now is, does my disabling of that flag have any drawbacks? Is such
    a conversion really needed in this day and age?

    Cheers,
    K. C.
  • From Claus Aßmann@INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org to comp.mail.sendmail on Sun Nov 2 01:38:25 2025
    From Newsgroup: comp.mail.sendmail

    Helmut K. C. Tessarek wrote:

    > But this whole thing revealed that DKIM and the 9 flag in the local mailer are
    > incompatible.
    > Not only for me signing emails, but for anyone. If your mail server signs an email, but my local mailer changes it, then this will screw up your DKIM signature.

    Most setups check the DKIM signature when mail is received, i.e.,
    before local delivery, and add a header with the result.

    If you check the signature after local mail delivery, then make sure
    there are no modifications that affect DKIM.
    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
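Added example, not part of any post in this thread: why a quoted-printable to 8bit rewrite after signing makes a verifier report the mail as modified. It computes the DKIM body hash (the `bh=` tag, RFC 6376) over a constructed body before and after the conversion; `qp_to_8bit` is a stand-in that assumes the rewrite is a plain quoted-printable decode, and all names and sample data are made up for illustration.

```python
import base64
import hashlib
import quopri
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': collapse whitespace runs, strip line-end whitespace and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Value a signer places in the bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode("ascii")


def qp_to_8bit(body: bytes) -> bytes:
    """Stand-in for the MTA's quoted-printable -> 8bit rewrite (assumption: plain QP decode)."""
    return quopri.decodestring(body)


def survives(signed_body: bytes, delivered_body: bytes, canon=canon_relaxed) -> bool:
    """True if a verifier hashing the delivered body would match the signer's bh=."""
    return body_hash(signed_body, canon) == body_hash(delivered_body, canon)


# Constructed sample: the body as the client submitted it and as the milter signed it.
SIGNED_BODY = b"Gr=C3=BC=C3=9Fe aus Wien,\r\nthis is a DKIM test.\r\n\r\n"
# The same body after the delivering mailer converted it to 8bit.
DELIVERED_BODY = qp_to_8bit(SIGNED_BODY)

if __name__ == "__main__":
    for name, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
        print(f"{name:8} signed    bh={body_hash(SIGNED_BODY, canon)}")
        print(f"{name:8} delivered bh={body_hash(DELIVERED_BODY, canon)}")
        print(f"{name:8} verifies after conversion: {survives(SIGNED_BODY, DELIVERED_BODY, canon)}")
```

Neither canonicalization absorbs the change, because both only normalize whitespace and trailing empty lines, not the transfer encoding of the body bytes.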