RE: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?

From: Murray S. Kucherawy <>
Date: Thu, 15 Dec 2011 16:52:00 -0800

> -----Original Message-----
> From: Kevin A. McGrail []
> Sent: Thursday, December 15, 2011 4:35 PM
> To: Murray S. Kucherawy
> Cc: Axb;
> Subject: Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?
> This is a big issue and major barrier to DKIM validation because if the
> rcpt to: data is in a different case than the To: Header than I believe
> DKIM is going to fail when sendmail uses to rcpt to: data to rewrite the
> To: header.

I haven't found this to be a major issue so far, having worked with DKIM and sendmail for many years now. The tools and techniques exist to work around it.

> Any ideas of who is it fault to work on fixing this very large issue?

You could contact the open source sendmail people and ask for a patch or a release with a knob to turn this off. I have some doubts a response would be quick or enthusiastic, however. :-)

> Is DKIM supposed to be using case sensitive information from the To:
> Header?

That's your choice as the signer. As I suggested in my last message, you could sign with "relaxed" canonicalized mode for the header, which would process it all after mapping to lowercase. That would render this rewrite harmless.

You could also configure your DKIM signing agent not to sign the To: field at all, also making the rewrite harmless.

> Is Sendmail allowed to rewrite the To header?

I think it depends on the context. If it's accepting the submission from you, it has a role that includes preparing your message for transport (RFC4409, RFC5321, RFC5598). One could argue that doing so includes normalizing the content in some ways, and maybe they feel that means wrapping To: field domains to lowercase for whatever reason. I would say at least that its fixing of improper quoting of header fields is perfectly valid in this context.

On the other hand, if it's acting as a relay, it's not supposed to make any changes to the message whatsoever other than adding trace information.

The unfortunate thing is that this rewriting happens after the point at which DKIM is performed in sendmail's case, automatically invalidating a signature that includes To: modifications if that signature covered the To: field. This isn't really sendmail's fault, but is an artifact of the way it and milter evolved.

> Are mail clients supposed to use a different case for To: headers than
> for rcpt to: data?

There's actually no relationship at all. One is the envelope, one is the content. They don't even need to contain overlapping sets of addresses. Moreover, DKIM never sees the envelope, so it doesn't matter what envelope changes occurred.

Received on Fri Dec 16 2011 - 00:52:09 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:22 PST