Rocksolid Light

Welcome to RetroBBS

mail  files  register  newsreader  groups  login

Message-ID:  

Never test for an error condition you don't know how to handle. -- Steinbach

computers / comp.mail.sendmail / Sendmail Folding To/CC Headers and Breaking DKIM Signatures

SubjectAuthor
* Sendmail Folding To/CC Headers and Breaking DKIM SignaturesPhil! Gold
`* Re: Sendmail Folding To/CC Headers and Breaking DKIM SignaturesClaus Aßmann
 `- Re: Sendmail Folding To/CC Headers and Breaking DKIM SignaturesPhil! Gold

1
Sendmail Folding To/CC Headers and Breaking DKIM Signatures

<1f2a3af9-b1b0-4475-abff-ca6c71bfe72dn@googlegroups.com>

  copy mid

https://www.rocksolidbbs.com/computers/article-flat.php?id=301&group=comp.mail.sendmail#301

  copy link   Newsgroups: comp.mail.sendmail
X-Received: by 2002:ad4:436b:: with SMTP id u11mr720060qvt.26.1632951786145;
Wed, 29 Sep 2021 14:43:06 -0700 (PDT)
X-Received: by 2002:a25:2284:: with SMTP id i126mr2532192ybi.3.1632951785818;
Wed, 29 Sep 2021 14:43:05 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mail.sendmail
Date: Wed, 29 Sep 2021 14:43:05 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=162.129.251.105; posting-account=yt6xmgoAAABmONdRllnVfO7ynZOvxfb1
NNTP-Posting-Host: 162.129.251.105
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <1f2a3af9-b1b0-4475-abff-ca6c71bfe72dn@googlegroups.com>
Subject: Sendmail Folding To/CC Headers and Breaking DKIM Signatures
From: asciiphil@gmail.com (Phil! Gold)
Injection-Date: Wed, 29 Sep 2021 21:43:06 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 26
 by: Phil! Gold - Wed, 29 Sep 2021 21:43 UTC

I'm running Sendmail 8.14.7 (on a Scientific Linux 7 system), and I'm running into a problem where Sendmail sometimes breaks DKIM signatures on forwarded messages.

More specifically:

1. I have accounts on the system with either aliases or .forward files that direct Sendmail to cause all incoming messages to those accounts to be forwarded to external email addresses on different domains.

2. When Sendmail forwards messages, it sometimes reformats To: or CC: headers. Specifically, if it has a number of recipients on a single line, it will (sometimes) fold the header onto multiple lines and will place only one or two recipients on each line.

3. If the message's original DKIM signature included the To or CC header and used the simple canonicalization scheme, validation of that signature will now fail.

4. If the target of the forwarding uses DMARC (and the original sender's domain has a DMARC policy), the forwarded message will now fail DMARC validation and (subject to policy) may be rejected by the target mail server.

I would like the above chain of events not to happen. I can't control the DMARC settings used by people who send us mail, and I can't tell my account owners not to forward their mail. Can I prevent Sendmail from altering email headers as it forwards messages? Is there something else I can do?

Re: Sendmail Folding To/CC Headers and Breaking DKIM Signatures

<sj3ifi$16rn$1@gioia.aioe.org>

  copy mid

https://www.rocksolidbbs.com/computers/article-flat.php?id=302&group=comp.mail.sendmail#302

  copy link   Newsgroups: comp.mail.sendmail
Path: i2pn2.org!i2pn.org!aioe.org!TQhpxQtosDuCEwzVw6PeyQ.user.46.165.242.75.POSTED!not-for-mail
From: ml+sendmail(-no-copies-please)@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: Sendmail Folding To/CC Headers and Breaking DKIM Signatures
Date: Thu, 30 Sep 2021 05:37:55 -0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <sj3ifi$16rn$1@gioia.aioe.org>
References: <1f2a3af9-b1b0-4475-abff-ca6c71bfe72dn@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Info: gioia.aioe.org; logging-data="39799"; posting-host="TQhpxQtosDuCEwzVw6PeyQ.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
X-Notice: Filtered by postfilter v. 0.9.2
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Thu, 30 Sep 2021 05:37 UTC

Phil! Gold wrote:

> 3. If the message's original DKIM signature included the To or CC header and used
> the simple canonicalization scheme, validation of that signature will now fail.

Ask the sender not to use "simple"?

> forward their mail. Can I prevent Sendmail from altering email headers as it
> forwards messages? Is there something else I can do?

Unfortunately that requires a code change. Maybe you can write a
patch to add an option for sendmail to act as "pure MTA" which does
not modify headers?

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet?

Re: Sendmail Folding To/CC Headers and Breaking DKIM Signatures

<d89ae7db-9946-4160-b9db-c6c905559169n@googlegroups.com>

  copy mid

https://www.rocksolidbbs.com/computers/article-flat.php?id=304&group=comp.mail.sendmail#304

  copy link   Newsgroups: comp.mail.sendmail
X-Received: by 2002:ac8:4312:: with SMTP id z18mr6105733qtm.208.1633007413917;
Thu, 30 Sep 2021 06:10:13 -0700 (PDT)
X-Received: by 2002:a25:6185:: with SMTP id v127mr6645963ybb.151.1633007413577;
Thu, 30 Sep 2021 06:10:13 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mail.sendmail
Date: Thu, 30 Sep 2021 06:10:13 -0700 (PDT)
In-Reply-To: <sj3ifi$16rn$1@gioia.aioe.org>
Injection-Info: google-groups.googlegroups.com; posting-host=162.129.251.105; posting-account=yt6xmgoAAABmONdRllnVfO7ynZOvxfb1
NNTP-Posting-Host: 162.129.251.105
References: <1f2a3af9-b1b0-4475-abff-ca6c71bfe72dn@googlegroups.com> <sj3ifi$16rn$1@gioia.aioe.org>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <d89ae7db-9946-4160-b9db-c6c905559169n@googlegroups.com>
Subject: Re: Sendmail Folding To/CC Headers and Breaking DKIM Signatures
From: asciiphil@gmail.com (Phil! Gold)
Injection-Date: Thu, 30 Sep 2021 13:10:13 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 22
 by: Phil! Gold - Thu, 30 Sep 2021 13:10 UTC

On Thursday, September 30, 2021 at 1:37:57 AM UTC-4, Claus Aßmann wrote:
> Phil! Gold wrote:
> > DKIM signature ... simple canonicalization scheme, validation of that signature will now fail.
> Ask the sender not to use "simple"?

I can ask individual sites to change their DKIM parameters, but I don't expect I'll gain much traction with that approach. Especially since simple is part of the RFC. And I can't anticipate every other site that will happen to send mail to any one of my users in the future and check ahead of time to see what their exact DKIM parameters are.

> > Can I prevent Sendmail from altering email headers as it forwards messages?
> Unfortunately that requires a code change. Maybe you can write a
> patch to add an option for sendmail to act as "pure MTA" which does
> not modify headers?

Okay. I'll have to spend some time figuring out whether patching sendmail or switching to a different MTA will be a better solution for us.

Thanks!

1
server_pubkey.txt

rocksolid light 0.9.81
clearnet tor