Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?

From: Kevin A. McGrail <>
Date: Thu, 15 Dec 2011 23:03:09 -0500

Hi Claus, thanks for responding.

>> mail from:
> mail from:<>
>> 250 2.1.0 Sender ok
>> rcpt to: rOoT_at_TaLoN1.PcCc.CoM
> rcpt to:<rOoT_at_TaLoN1.PcCc.CoM>
> See RFC 821ff.
> In:
>> To:
> Out:
>> To: root_at_TaLoN1.PcCc.CoM
I'm unsure of the points above. Are you saying that RFC 821 says that
the envelope rcpt to: will purposefully create the To: header?

Or are you showing that I didn't use <> to properly format the email
address. If the latter, I don't believe it's material to the
situation. But I will test this as well as with a non-root user as you
sagely warn below.

If you are saying the former, do you have a recommendation on how this
situation should be resolved? Please understand, I'm not referring to
this even as a bug. It might be nothing more than a widespread and
common configuration issue. But if a player as large as Google is
signing with DKIM based on the To: Header and the To: Header is changing
in Sendmail because of the envelope data, I'd like to understand why and
suggest the best course of action for resolving the issue for everyone.

BTW, what is RFC 821ff? I'm not familiar with the extra ff part and
googling it wasn't any help.

> What's in your .mc file? Do you use some masquerading?

I tested this on more than one system. However, to remove a lot of
variables, I also tested a stock centos system running a stock centos
sendmail installation. The stock MC (dnl lines removed) is:

VERSIONID(`setup for Red Hat Linux')dnl
define(`confTO_CONNECT', `1m')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `20000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_QUEUEWARN', `1d')dnl
define(`confTO_QUEUERETURN', `10d')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
define(`confMAX_DAEMON_CHILDREN', 50)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl
> Do you use
> this kind of mixed case in your local DNS or /etc/hosts or whatever
> you told sendmail to use for name resolution? As sendmail doesn't
> make up that data it has to get it from somewhere.
I don't believe Sendmail is making up the data or getting it from DNS. I
believe the MUA is providing it from address books as it gives it to the

For example, sometimes in my mail client, I use

It appears, when AXB is responding to me using Thunderbird via Gmail, I
noticed that the DKIM validation failed. Based on the attached files,
one file showing an email saved from a milter prior to sendmail
processing and one saved after sendmail processing, you'll note the To:
header is changed to the lower-case This changing of the To:
header breaks the ability to verify the DKIM signature.

 From further testing corroborated on this list, it appears sendmail is
definitely changing the To: header based on the envelope rcpt to: data.
You can see this in the Received header of the attached files from Gmail.

My concern is that this is going to be a widespread issue and DKIM
and/or Sendmail should be advising regarding the issue and a recommended
> PS: you shouldn't use "root" for testing as it treated in a special
> way in sm8.

Using angle-brackets and a non-root user shows the same behavior.
Sendmail appears to replace the To: header with the email address used
in the rcpt to: envelope data.

If the message below were signed prior to injection with the To: taken
into account, I conjecture it would fail validation because of the
change in case on the To: header.

The attached emails are a real-world example of this occurring with
Gmail so this is not just a test case. The testing with root and the
user below is simply to show how you can recreate the situation where
the To: header has the email address re-written based on the envelope
data. It appears to occur with root, non-root and with complete or
incomplete email address syntax.

Manual Injection:
[root_at_talon1 mail]# telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP Sendmail 8.13.1/8.13.1; Thu, 15 Dec 2011
22:56:50 -0500
250 Hello localhost.localdomain [], pleased to
meet you
mail from: <>
250 2.1.0 <>... Sender ok
rcpt to: <>
250 2.1.5 <>... Recipient ok
354 Enter mail, end with "." on a line by itself
Subject: Test with envelope rcpt to: <> and To:
To: "Billy Bob Joe Smith" <>

This is a test with an envelope rcpt to: <> and
To: of
250 2.0.0 pBG3uoCR029483 Message accepted for delivery

Mbox File:
 From Thu Dec 15 22:57:33 2011
Return-Path: <>
Received: from (localhost.localdomain [])
         by (8.13.1/8.13.1) with SMTP id pBG3uoCR029483
         for <>; Thu, 15 Dec 2011 22:57:02 -0500
Date: Thu, 15 Dec 2011 22:56:50 -0500
Message-Id: <>
Subject: Test with envelope rcpt to: <> and To:
To: "Billy Bob Joe Smith" <>

This is a test with an envelope rcpt to: <> and
To: of


Received on Fri Dec 16 2011 - 04:03:21 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:22 PST