I’ve tried to switch the Portal Password Reset Template to multipart/alternative. (on 6.2.9).
When an inline image is included, the base64 URL is getting wrapped or mangled during transport in ways that the image cannot be displayed.
When investigating, I have noticed that the password reset mail seems to not get autoconverted to 7bit/quoted printable. In the other templates the long base64 URL get’s wrapped correctly during the conversion to quoted-printable and therefore remains intact.
Is there an easy way to get the password reset message to be autoconverted too?
Otherwise this makes the password reset template a bit of an outlier, because even when not using HTML, the text body will stay 8 bit. As soon as 8 bit chars are introduced the template itself has to be provided with the final transfer-encoding. Making handling a bit more involved, compared to the rest of the templates.
i figured out where the difference comes from. The messages sent to the forgot-password-processor do not get system-DKIM signed like the auto-submitted ones from Notify.
My workaround is to enable DKIM for all messages, so convertTo7Bit is called that way.
Before DKIM
MIME-Version: 1.0
From: <secmail@domain.internal>
To: webmail-user@example.com
Subject: Reset your Secure E-Mail Portal password
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Auto-Submitted: auto-generated
Date: Thu, 23 Apr 2026 14:58:49 +0200 (CEST)
Message-ID: <2145890520.113.1776949129152.JavaMail.ciphermail-backend@cmweb.domain.internal>
Return-Path: <secmail@domain.internal>
A password reset was requested for your email address.
To reset your Secure E-Mail Portal password, click the "reset password" link below and follow the instructions.
https://secmail.domain.internal/password-reset?d=eyJlIjoicGhAbWltaXIuY2giLCJ0IjoxNzc2OTQ5MTI5MTE2LCJtIjoicGlpZXJ6YWJrbmFrcHY3bWo2NTNrbTJjbnRyZnM1bjdjMjdoc3ZmY3JuZjJkcWVhYWx5cSJ9
If you did not request a password reset, please ignore this message.
If you receive multiple password reset requests in a short time frame, please contact support.
With DKIM
MIME-Version: 1.0
From: <secmail@domain.internal>
To: webmail-user@example.com
Subject: Reset your Secure E-Mail Portal password
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Auto-Submitted: auto-generated
Date: Thu, 23 Apr 2026 15:03:36 +0200 (CEST)
Message-ID: <1147534386.114.1776949416321.JavaMail.ciphermail-backend@cmweb.domain.internal>
X-MIME-Autoconverted: from 8bit to 7bit by CipherMail
Return-Path: <secmail@domain.internal>
A password reset was requested for your email address.
To reset your Secure E-Mail Portal password, click the "reset password" lin=
k below and follow the instructions.
https://secmail.domain.internal/password-reset?d=3DeyJlIjoicGhAbWltaXIuY=
2giLCJ0IjoxNzc2OTQ5NDE2Mjg3LCJtIjoicXloaXZ3dHVzeG0yN3VqdDZ0NHJhcjJpY21ndHN4=
M2xsN240cTJzY3hjaDJqZHY2ZmE1YSJ9
If you did not request a password reset, please ignore this message.
If you receive multiple password reset requests in a short time frame, plea=
se contact support.
The main issue appears to come down to simple line-wrapping that was applied so the lines do not exceed 999 chars for transport. (The inline image was several KiB). Other effects were not directly apparent to me, as it seems all hops transported the 8bit parts without interfering otherwise.
Since it is not a problem once DKIM is activated, my immediate guess would be that this happens after processing and during transport. Otherwise, the line breaks would likely already have split the inline-content before the QP transfer-encoding is applied.
I was wondering whether it makes sense to apply a 7-bit conversion before the Mail is passed to the MailEnqueuer. Because, being able to just edit templates in their 8bit glory and let the gateway worry about a safe transfer-encoding is pretty neat.