Re: [ietf-smtp] Quoted-Printable-8bit and downgrade

Viktor Dukhovni <> Wed, 31 March 2021 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B9EA23A36E7 for <>; Wed, 31 Mar 2021 13:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DqGv4qd0RtD6 for <>; Wed, 31 Mar 2021 13:53:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E8C353A36E8 for <>; Wed, 31 Mar 2021 13:53:19 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2F572DA187 for <>; Wed, 31 Mar 2021 16:53:18 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Viktor Dukhovni <>
In-Reply-To: <20210331194048.BCDE771B77F2@ary.qy>
Date: Wed, 31 Mar 2021 16:53:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <20210331194048.BCDE771B77F2@ary.qy>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [ietf-smtp] Quoted-Printable-8bit and downgrade
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 31 Mar 2021 20:53:25 -0000

> On Mar 31, 2021, at 3:40 PM, John Levine <> wrote:
> Interesting question.  I presume there are still MTAs that can do downgrades
> but how common is it in practice?

Postfix will do 7bit downgrade by default if the content is designated
or detected as 8bit and the remote MTA does not advertise 8BITIME support:

> It breaks DKIM signatures unless the MTA can find the signing keys and resign
> on the fly which seems a bit much.

For outbound mail, where the MTA/MSA is also the one doing the signing, the
safest thing is to just downgrade all messages before signing, so that
there's never any post-signature dynamic downgrade during delivery.  This
can be done by passing through an internal SMTP content filter that does
not offer 8BITMIME.  I expect most administrators don't do this.  In which
case any submitted 8BITMIME message may get downgraded after signing.

Since most MUAs do quoted-printable defensively, actual downgrading at
the MSA is rare.

One can also of course configure "disable_mime_output_conversion = yes",
but I expect most administrators don't.

I don't do DKIM, so I have personal experience to report.