ubuntu-mail-server team mailing list archive
Message #00162
[Bug 1857618] Re: opendkim generate an invalid signature if one header is fold just after the header name
My OpenDKIM installation (2.11.0~alpha-11build1 on Ubuntu 18.04 Server)
can sign your message, and produces a valid signature.
Perhaps some other component at your site or in transit is altering the
folding or line terminators? Anything unusual about your system and
configuration? Perhaps try setting Canonicalization to ‘relaxed/relaxed’
and see if the verification result changes
(https://tools.ietf.org/html/rfc6376#section-3.4.2)?
--
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1857618
Title:
opendkim generate an invalid signature if one header is fold just
after the header name
Status in opendkim package in Ubuntu:
New
Bug description:
opendkim generates an invalid signature if one header is folded just
after the header name
Expected: the email is well signed.
Actual: Signature is invalid.
How to reproduce? Send the email just below, replacing
"example.com" with a valid DKIM-signed domain. I used postfix to send
the email.
Here is a source .eml email that will fail to be correctly signed by
opendkim:
```
From: <test@xxxxxxxxxxx>
To: <test@xxxxxxxxxxx>
Subject:
Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Test
```
opendkim generates an invalid signature with this email because of the
"Subject:" folding white space.
The signature is valid if the "Subject:" is written on one line:
```
Subject: Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```
Ubuntu 18.04.3 LTS
opendkim : 2.11.0~alpha-11build1
---
This bug occurs for all headers signed by opendkim (not only with
"Subject:").
This syntax seems valid. At least Gmail, Outlook and Thunderbird display
the subject correctly.
https://www.ietf.org/rfc/rfc5322.txt :
> Unfolding is accomplished by simply removing any CRLF
> that is immediately followed by WSP. Each header field should be
> treated in its unfolded form for further syntactic and semantic
> evaluation. An unfolded header field has no length restriction and
> therefore may be indeterminately long.
Gmail and opendkim itself consider the signature as invalid.
opendkim:
```
Authentication-Results: xxx.example.com (amavisd-new); dkim=fail (2048-bit key)
    reason="fail (message has been altered)" header.d=example.com
    header.b=ABCDEF;
```
Gmail:
```
ARC-Authentication-Results: i=1; mx.google.com;
    dkim=fail header.i=@example.com header.s=xxxxxxx header.b="a/aaaaaa";
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1857618/+subscriptions
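The reply's suggestion to try relaxed canonicalization can be checked offline. The following is an added example, not part of the original message and not OpenDKIM's code: it implements only the RFC 6376 section 3.4.1 and 3.4.2 header canonicalization rules and reports whether a header that was re-folded or re-spaced after signing still canonicalizes to the signed bytes. The subject value and the list of rewrites are constructed samples.

```python
import re

CRLF = "\r\n"

def canon_simple(field: str) -> str:
    # RFC 6376 section 3.4.1: the header field is signed exactly as sent,
    # folding and whitespace included.
    return field

def canon_relaxed(field: str) -> str:
    # RFC 6376 section 3.4.2, applied to one header field ending in CRLF.
    name, _, value = field.partition(":")
    if value.endswith(CRLF):
        value = value[:-len(CRLF)]
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP, trim both ends
    return name.strip(" \t").lower() + ":" + value + CRLF

def survives(signed: str, received: str) -> dict:
    # True where the received form canonicalizes to the same bytes as the
    # signed form, i.e. where the header hash input is unchanged.
    return {
        "simple": canon_simple(signed) == canon_simple(received),
        "relaxed": canon_relaxed(signed) == canon_relaxed(received),
    }

# Constructed sample: a Subject folded directly after the field name, as in
# the report (shortened), plus ways a relay might rewrite it in transit.
SIGNED = "Subject:" + CRLF + " Folding_White_Space_test" + CRLF
REWRITES = {
    "unchanged": SIGNED,
    "unfolded": "Subject: Folding_White_Space_test" + CRLF,
    "tab fold": "Subject:" + CRLF + "\tFolding_White_Space_test" + CRLF,
    "name case": "SUBJECT:" + CRLF + " Folding_White_Space_test" + CRLF,
    "value edited": "Subject:" + CRLF + " Folding_White_Space_Test" + CRLF,
}

if __name__ == "__main__":
    for label, received in REWRITES.items():
        print(f"{label:13} {survives(SIGNED, received)}")
```

If verification passes with relaxed but fails with simple, something between signer and verifier is changing folding or whitespace; if it fails with both, the difference lies elsewhere.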