search

ddavness / power-mailinabox

A Mail-in-a-Box with extra capabilities and more customizability. Not just for power users!
Creative Commons Zero v1.0 Universal
168 stars 31 forks source link

[DKIM] Use of relaxed/simple cannonicalization can lead to invalid DKIM signatures for long header lines #118

Open ichdasich opened 1 year ago

ichdasich commented 1 year ago

This issue comes from mail-in-a-box upstream, see https://github.com/mail-in-a-box/mailinabox/issues/2239.

Copy-Paste summary of the issue:

Currently, mail in a box configures opendkim to use relaxed/simple canonicalization (ll34 https://github.com/mail-in-a-box/mailinabox/blob/main/setup/dkim.sh ). This can lead to verification issues with long To: headers; Specifically, whitespaces/\r\n/\n get injected, which let verification fail, see https://www.rfc-editor.org/rfc/rfc6376#section-3.4 and https://www.rfc-editor.org/rfc/rfc6376#section-3.5.

(I am currently a bit unsure why this is an issue for relaxed/simple being used; Technically this should be a simple/(relaxed|simple) issue).

This does only cause issues for very long To: headers.

Reproducing the issue

To test this:

This issue also reproduces when sending to, e.g., google. To test that, start a test (or create a long to yourself), but this time before sending the test message, add a gmail address to the To: as well. You will see that the mail is not validated by Gmail anymore.

Suggested solution

Switch to relaxed/relaxed canonicalization for DKIM signing.

UltraHKR commented 1 year ago

This is how a normal email looks... image

This is the error as an example when sending to a lots of recipients image

NOTE: I was testing my mail server with a tool ichdasich helped develop, and found this error... which ichdasich graciously filed as a bug far better than i could.

UltraHKR commented 1 year ago

According to RFC6376 Section 3.4

It should be better to run relaxed, which allows some minor modification the mail-header.