-1

On our Postfix server we previously removed the Date header from incoming emails and had Postfix automatically add it again to prevent spoofing the date and to work around mail servers with off clocks. However, this breaks DKIM signatures which include the Date header. Is there a way with Postfix to keep the DKIM signature intact while recording the receive timestamp in a mail header (and optimally having it shown in MUA UIs)?

Previous and abolished solution:

/etc/postfix/main.cf:

header_checks = pcre:/etc/postfix/maps/header_checks.pcre
always_add_missing_headers = yes

/etc/postfix/maps/header_checks.pcre:

/^\s*Date:/              IGNORE
ominug
  • 734
  • 7
  • 6
  • 3
    `we previously removed the Date header from incoming emails and had Postfix automatically add it again`. You were spoofing the date. The point DKIM is to prevent such tampering. Don't you think if a mail was actually sent the day before and was delayed due to technical problems that should be visible in the headers, regardless of when it arrived at your server? – Gerald Schneider Aug 11 '20 at 12:17
  • @GeraldSchneider Hello, "The point DKIM is to prevent such tampering." – I thought, the reason for DKIM was to primarily fight spoofed messages from unauthorized servers, not to prevent postprocessing by authorized servers. Maybe I should also have highlighted "**previously**" in my question, as I agree nowadays, that it is more practical to not postprocess the Date header. I am still looking for a good compromise. – ominug Aug 21 '20 at 08:39
  • 1
    Well, your wrong there. To verify if the mail originated from an authorized server SPF is used. The DKIM signature verifies that the headers that were signed haven't been modified, nothing else. The the signage key also verifies an authorized server is merely a bonus. I don't get why you feel the need to modify existing headers. The originating mailserver adds his timestamp (signed), every mailserver in between adds his processing timestamp and your mailserver adds the timestamp when it receives the mail. All these can be used by the mail client. – Gerald Schneider Aug 21 '20 at 09:23
  • @GeraldSchneider Thanks for nudging me to the `Received` header. – ominug Aug 31 '20 at 09:00

1 Answers1

1
  1. Configure the server to append a Received header on received messages.
  2. Configure the mail client/MUA that displays the timestamps (or install an add-on like: IMAP Received Date)
ominug
  • 734
  • 7
  • 6