Re: FixCRLF when ?

From: Murray S. Kucherawy <>
Date: Tue, 15 Jan 2013 12:01:24 -0800 (PST)

On Tue, 15 Jan 2013, Benny Pedersen wrote:
> i think roundcube have a more hidded bug i will try to verify, so this
> was why i asked how this setting in opendkim works, if its done before
> signing, why is it then needed in verifying ?

If a message is sent out with bare CRs or LFs, it's not valid for mail
transport. The RFCs require the body to be CRLF terminated unless it's
sent inside a binary data object (which is rare). It's expected that MTAs
downstream, or possibly the one that first sends the message, will fix
them into CRLFs.

Because of the order in which things are done on some MTAs, it's possible
that opendkim sees and signs the message, and then the MTA does the CRLF
fixing. That would immediately mean the signature goes out invalid, since
what's signed (CRs and LFs alone) doesn't match what's actually sent
(CRLFs). On the other hand, if you turn on FixCRLF and the MTA doesn't
normalize things to CRLF, the signature is again broken.

As a receiver, if you get traffic that wasn't CRLF-terminated, your MTA
might fix it before handing it to the filter. If the signer signed
unfixed content, the signature will break; if your MTA doesn't fix content
that was subjected to FixCRLF by the signer, that too will break. There
has to be symmetry all around, and we rely on that behaviour from MTAs
for DKIM to work properly.

Ideally, the signer does FixCRLF and so does the MTA sending the
message, meaning they both have the same view of the content that the
receiver will get, and then everything verifies. So you're correct,
FixCRLF shouldn't normally do anything at the verifier.

> as i understand it now is that it is done both in sign / verify, but its
> default off, could this be why so manny see fails for dkim-adsp ?

I don't think this has anything to do with your ADSP issues. I didn't get
an example of a failed message after you increased your SignatureTTL so I
haven't looked into it any further.

> to get it clear from me, does fixcrlf invalidte dkim if its fix it on
> verify ?, what happend on this maillist here if the maillist server have
> it turned on ?, and i send it with default off ?

FixCRLF invalidates a signature on verification if the message arrived
with bare CRs or LFs. That should be fairly uncommon, however.

Received on Tue Jan 15 2013 - 20:01:43 PST

This archive was generated by hypermail 2.3.0 : Tue Jan 15 2013 - 20:09:01 PST