Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?

From: Kevin A. McGrail <>
Date: Thu, 15 Dec 2011 19:47:49 -0500

> I think only specific header fields are rewritten by Sendmail, i.e. those that are likely to be seen by users. The rewrites include making the field RFC-compliant in terms of quoting, but might also do something like make sure the domain part of the To: is the same as whatever came back from the DNS. However, I'm pretty sure Received is not on that header field list (or perhaps it's marked as a "trace field" and thus passed up for modification). The unfortunate thing is that all of the header field modification Sendmail does, much of which is correct and/or useful, happens after the milter interface has been applied, so the DKIM signing filter sees the unmodified copy, which is different from what goes out over the wire, which in turn means the signature won't validate.
 From my tests which are not completely exhaustive, sendmail appears to
overwrite the rcpt to: data to the To: header. I'm not sure if it does
this in all cases, only when the To: matches the rcpt to: data
non-case-sensitively, etc.
> OpenDKIM has features to compensate for this, specifically for this reason.
>> This behavior subsequently breaks DKIM's ability to check a signature
>> because of the change on the To: header based on my testing with Gmail.
>> And I do understand this is not a bug in DKIM unless for the To: Header
>> is not supposed to be used or case-sensitivity is not supposed to
>> involved. But I think this is a large issue that likely points to a
>> major problem with big players in the DKIM arena.
> If you are concerned about this and only this (i.e., not other potential signature-breaking rewrites), you could use "relaxed" canonicalization on the header when applying DKIM signatures, which folds it all to lowercase before processing anyway. But that's not enough for things like sendmail's "masquerade" or "genericstable" features, which can make much more drastic changes.
I'm looking at this issue from SpamAssassin's DKIM implementation which
is not always used in a milter environment and is only concerned on
received messages.

So in the real-world case I started with, AXB is using Thunderbird to
send via Gmail to my servers. When received on my servers, the rcpt to:
data is all lower case which may or may not match the To: Header.
Sendmail then rewrites the To header and delivers it to procmail.
Procmail fires off SpamAssassin and since the To: header is possibly
changed, we then fail the DKIM validation.

I'm guessing that DKIM on the recipient side can't be configured to say
"ignore case changes on To:", can it?

Received on Fri Dec 16 2011 - 00:48:00 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:22 PST