stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[bug]: content-transfer-encoding DKIM Issue #437

Closed Kite5836 closed 1 month ago

Kite5836 commented 1 month ago

What happened?

We use stalwart as an email relay for internal notifications from internal services. I've noticed that some outbound emails fail DKIM verification when received by Microsoft Exchange Online, but not all of them. I've checked the headers and it seems that all the emails that had failed DKIM had a content-transfer-encoding header of 'quoted-printable'. Even weirder, it seems to only be when stalwart-signed emails with this header are received by Microsoft mail servers; the same emails pass DKIM verification when received by Gmail.

How can we reproduce the problem?

I can reproduce the problem by doing the following steps:

Version

v0.7.x

What database are you using?

RocksDB

What blob storage are you using?

RocksDB

Where is your directory located?

Internal

What operating system are you using?

Windows

Relevant log output

No response

mdecimus commented 1 month ago

Can you try sending the same message to https://www.mail-tester.com/ ? Also please include a sample message that is failing to pass DKIM on Microsoft's servers.

Kite5836 commented 1 month ago

mail-tester.com thinks the DKIM signature is valid: stalwart-mailtester

I've attached the headers of the test message that was sent to both mail-tester and Microsoft with the IP and domain info removed: stalwart-headers.txt

If you need the full message, I'm happy to send you it directly, please let me know an email address I can send to.

mdecimus commented 1 month ago

If both Google and mail-tester (which uses OpenDKIM) mark the signature as valid, I would say this is a Microsoft bug calculating quoted-printable body hashes.

Kite5836 commented 1 month ago

While it could very well be a Microsoft bug, I doubt I'd be able to get them to fix it, and it's preventing me from switching to a p=quarantine DMARC policy (as stalwart relayed/signed emails would be blocked by our Microsoft Exchange Online tenant).

Is there anything stalwart can do (Sieve script etc.) that would be able to convert it to a non-quoted-printable format before signing/sending?

tmeidinger commented 1 month ago

Did you try:

a) let your mail client add a Message-Id header, or
b) add a Message-Id header in stalwart-mail (SMTP/Inbound/Data Stage): add a condition local_port == 587 or 465, corresponding to the local_port == 25 entry, or
c) remove Message-ID from the signed headers (SMTP/DKIM/Signatures/)

mdecimus commented 1 month ago

> Is there anything stalwart can do (sieve script etc) that would be able to convert it to a non quoted-printable format before signing/sending?

You could create a Sieve script that extracts the quoted-printable part and rewrites the message. Alternatively you can try using the simple canonicalization algorithm on DKIM to see if that helps.

I am closing this as it seems to be a Microsoft issue. But we can continue the conversation here even if closed.
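To narrow a failure like this down before changing the signing configuration, it helps to recompute the DKIM body hash yourself under both body canonicalizations (RFC 6376) and compare it with the bh= tag in the received DKIM-Signature header: if bh= matches under the declared canonicalization, the receiver is mishandling the body (trailing whitespace, soft line breaks), not the signer. The following is an added example and not part of the thread or of the Stalwart code base; the quoted-printable body and the DKIM-Signature values are constructed, and the header is assumed to be unfolded.

```python
import base64
import hashlib
import re

def to_crlf(body: str) -> str:
    # Normalize bare LF/CR to CRLF so the text matches what was put on the wire.
    return re.sub(r"\r\n|\r|\n", "\r\n", body)

def canonicalize_body(body: str, mode: str) -> str:
    """RFC 6376 body canonicalization: 'simple' (3.4.3) or 'relaxed' (3.4.4)."""
    body = to_crlf(body)
    if mode == "relaxed":
        # Drop trailing WSP on every line and collapse runs of WSP to a single SP.
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
                           for ln in body.split("\r\n"))
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization: {mode}")
    body = body.rstrip("\r\n")            # both modes ignore empty lines at the end
    if not body:
        return "\r\n" if mode == "simple" else ""   # empty body is one CRLF in simple
    return body + "\r\n"

def body_hash(body: str, mode: str) -> str:
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def dkim_tag(signature: str, tag: str, default: str = "") -> str:
    # Extract one tag=value pair from an unfolded DKIM-Signature value.
    m = re.search(rf"(?:^|;)\s*{tag}=([^;]*)", signature)
    return re.sub(r"\s+", "", m.group(1)) if m else default

def check_body_hash(signature: str, body: str) -> bool:
    """Recompute bh= under the body canonicalization declared in c= and compare."""
    canon = dkim_tag(signature, "c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == dkim_tag(signature, "bh")

# Constructed quoted-printable body: a soft line break ("=") and trailing spaces.
QP_BODY = ("Disk usage on host01 is at 93=25, please investigate =\r\n"
           "before Monday.   \r\n\r\n")

def example_signature(mode: str) -> str:
    # Constructed DKIM-Signature value (b= left empty; only bh= matters here).
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel; "
            f"bh={body_hash(QP_BODY, mode)}; h=from:to:subject; b=")

def survives_trimming(mode: str) -> bool:
    # Simulate a receiver that strips trailing whitespace from each body line.
    trimmed = "\r\n".join(ln.rstrip() for ln in QP_BODY.split("\r\n"))
    return check_body_hash(example_signature(mode), trimmed)
```

With this body, the simple and relaxed hashes differ, and only the relaxed one survives a receiver that trims trailing whitespace; run the same functions over the real body and DKIM-Signature from the failing message to see which side disagrees.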