ubuntu-mail-server team mailing list archive

Thread
Date

[Bug 1857618] Re: opendkim generate an invalid signature if one header is fold just after the header name

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Msd <1857618@xxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Dec 2019 17:28:43 -0000
Reply-to: Bug 1857618 <1857618@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

https://marc.info/?l=postfix-users&m=157746682807997&q=mbox

>> It works fine with `milter_protocol = 6`.
> 
> Which is the default value.
> 
> Milter protocols versions < 6 don't support the SMFIP_HDR_LEADSPC
> feature. This feature was introduced with Sendmail 8.14, and is
> needed to correctly preserve the leading whitespace of a header
> field value.
> 
> 	Wietse

-- 
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to opendkim in Ubuntu.
https://bugs.launchpad.net/bugs/1857618

Title:
  opendkim generate an invalid signature if one header is fold just
  after the header name

Status in opendkim package in Ubuntu:
  Invalid

Bug description:
  opendkim generate an invalid signature if one header is fold just
  after the header name

  Expected : the email is well signed.

  Actual : Signature is invalid.

  How to reproduce ? Send the email just below by replacing
  "example.com" by a valid DKIM-signed domain. I used postfix to send
  the email.

  Here is a source .eml email that will fail to be correctly signed by
  opendkim :

  ```
  From: <test@xxxxxxxxxxx>
  To: <test@xxxxxxxxxxx>
  Subject: 
   Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

  Test
  ```

  opendkim generate an invalid signature with this email because of the
  "Subject:" folding white space.

  The signature is valid if the "Subject:" is written in one line :

  ```
  Subject: Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  ```

  Ubuntu 18.04.3 LTS
  opendkim : 2.11.0~alpha-11build1

  ---

  This bug occurs for all headers signed by opendkim (not only with
  "Subject:").

  This syntax seems valid. At least Gmail, Outlook, Thunderbird display
  the subject correctly.

  https://www.ietf.org/rfc/rfc5322.txt :

  > Unfolding is accomplished by simply removing any CRLF
  >    that is immediately followed by WSP.  Each header field should be
  >    treated in its unfolded form for further syntactic and semantic
  >    evaluation.  An unfolded header field has no length restriction and
  >    therefore may be indeterminately long.

  Gmail and opendkim itself consider the signature as invalid.

  opendkim :

  ```
  Authentication-Results: xxx.example.com (amavisd-new); dkim=fail (2048-bit key)
  	reason="fail (message has been altered)" header.d=example.com
  	header.b=ABCDEF; 
  ```

  Gmail:

  ```
  ARC-Authentication-Results: i=1; mx.google.com;
         dkim=fail header.i=@example.com header.s=xxxxxxx header.b="a/aaaaaa";
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1857618/+subscriptions

References

[Bug 1857618] [NEW] opendkim generate an invalid signature if one header is fold just after the header name
From: Msd, 2019-12-26