Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DKIM] Use of relaxed/simple cannonicalization can lead to invalid DKIM signatures for long header lines #118

Open
ichdasich opened this issue Feb 26, 2023 · 2 comments
Open

[DKIM] Use of relaxed/simple cannonicalization can lead to invalid DKIM signatures for long header lines #118

ichdasich opened this issue Feb 26, 2023 · 2 comments

Comments

@ichdasich
Copy link

This issue comes from mail-in-a-box upstream, see mail-in-a-box/mailinabox#2239.

Copy-Paste summary of the issue:

Currently, mail in a box configures opendkim to use relaxed/simple canonicalization (ll34 https://github.com/mail-in-a-box/mailinabox/blob/main/setup/dkim.sh ). This can lead to verification issues with long To: headers; Specifically, whitespaces/\r\n/\n get injected, which let verification fail, see https://www.rfc-editor.org/rfc/rfc6376#section-3.4 and https://www.rfc-editor.org/rfc/rfc6376#section-3.5.

(I am currently a bit unsure why this is an issue for relaxed/simple being used; Technically this should be a simple/(relaxed|simple) issue).

This does only cause issues for very long To: headers.

Reproducing the issue

To test this:

  • start a test for a system using mail-in-a-box here: https://www.email-security-scans.org/ (select "store emails for me")
  • Wait for measurement mail to arrive and reply
  • See that DKIM verification failed
  • Download all data and extract it.
  • Run manual verification with dkimpy: sent-messages % cat 1.mbox | dkimverify -> signature verification failed
  • Edit the message and fix the broken headers (most likely To: having newlines added)
  • Rerun verification: sent-messages % cat 1.mbox | dkimverify -> signature ok

This issue also reproduces when sending to, e.g., google. To test that, start a test (or create a long to yourself), but this time before sending the test message, add a gmail address to the To: as well. You will see that the mail is not validated by Gmail anymore.

Suggested solution

Switch to relaxed/relaxed canonicalization for DKIM signing.
@UltraHKR
Copy link

UltraHKR commented Feb 26, 2023
edited
Loading

This is how a normal email looks...
image

This is the error as an example when sending to a lots of recipients
image

NOTE: I was testing my mail server with a tool ichdasich helped develop, and found this error... which ichdasich graciously filed as a bug far better than i could.

@UltraHKR
Copy link

UltraHKR commented Feb 26, 2023
edited
Loading

According to RFC6376 Section 3.4

It should be better to run relaxed, which allows some minor modification the mail-header.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ichdasich @UltraHKR