Jim's Depository

this code is not yet written

While testing SMTP message reception and DKIM validation I ran into an evil action from Postfix.

In my basically default Debian Postfix/Dovecot system, if you send a message to Postfix, it DKIM signs it, then sends it off to the destination. But if your message needed 8BITMIME and your destination doesn't support that, then Postfix quietly re-encodes your message and body to be quoted-printable.

Now your DKIM signature is invalid!

It sounds like you can configure Postfix to bounce that instead, but that's not what I got for a simple installation.

That was about a day and a half of me debugging my DKIM verification code because my body hash calculation kept not matching the one in the DKIM header.

Morals:

  • Just go ahead and support 8BITMIME and SMTPUTF8 if you can. No need to poke the bear.
  • If your body hash matches for some messages, but not others, it's probably something upstream corrupting the message bodies after the signature.
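A way to confirm that second moral from the verifier side, as an added example that is not code from the original post: recompute the DKIM body hash, and on a mismatch with a quoted-printable body, undo the transfer encoding and hash again. It assumes `c=relaxed` body canonicalization, `a=rsa-sha256`, and no `l=` tag; the function names and sample bodies are constructed for illustration.

```python
import base64
import hashlib
import quopri
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of whitespace to one space, drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value to compare against the bh= tag of DKIM-Signature."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(bh: str, cte: str, body: bytes) -> str:
    """Classify a received body against the signer's bh= value.

    cte is the Content-Transfer-Encoding header value as received.
    """
    if body_hash(body) == bh:
        return "ok"
    if cte.strip().lower() == "quoted-printable":
        # A relay may have downgraded 8bit to quoted-printable after
        # signing. Decode and see whether the signer's bytes come back.
        if body_hash(quopri.decodestring(body)) == bh:
            return "reencoded-after-signing"
    return "mismatch"


# Constructed samples: the 8-bit body as signed, and the same body as it
# would arrive after an 8bit to quoted-printable conversion in transit.
SIGNED_BODY = "Café au lait\r\n".encode("utf-8")
RECEIVED_QP = b"Caf=C3=A9 au lait\r\n"
SIGNED_BH = body_hash(SIGNED_BODY)

if __name__ == "__main__":
    print(diagnose(SIGNED_BH, "8bit", SIGNED_BODY))
    print(diagnose(SIGNED_BH, "quoted-printable", RECEIVED_QP))
```

A "reencoded-after-signing" result only explains the failure; the signature still does not verify, because the bytes on the wire are no longer the bytes that were signed.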