search

lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License
213 stars 36 forks source link

Relax parsing of the `Authentication-Results` header #79

Closed magkopian closed 6 years ago

magkopian commented 7 years ago

Relax the parsing to allow some common RFC violations:

Bellow original post:

Hello, Looks like there is an issue with parsing the Authentication-Results header as it is set by the Zoho mail server.

For isolating the issue and preventing any confusion I have unchecked the Verify DKIM Signatures setting. Here is the resulting debug output.

2017-01-13 08:03:56 DKIM_Verifier.Logging   DEBUG   initialized

2017-01-13 08:03:59 DKIM_Verifier.Policy    DEBUG   DB initialized

2017-01-13 08:04:09 DKIM_Verifier.JSDNS CONFIG  changed DNS Servers to : [{server:"8.8.8.8", alive:true}, {server:"8.8.4.4", alive:true}]

2017-01-13 08:04:09 DKIM_Verifier.JSDNS CONFIG  changed DNS Servers to : [{server:"8.8.8.8", alive:true}, {server:"8.8.4.4", alive:true}]

2017-01-13 08:04:09 DKIM_Verifier.JSDNS INFO    Resolving _dmarc.example.com TXT by querying 8.8.8.8

2017-01-13 08:04:10 DKIM_Verifier.JSDNS DEBUG   _dmarc.example.com/TXT: Answer: v=DMARC1; p=none; sp=none; adkim=r; aspf=r; pct=100; fo=1; rua=mailto:hxfynrdk@ag.dmarcian.com,mailto:dmarc-rua@example.com; ruf=mailto:hxfynrdk@fr.dmarcian.com;

2017-01-13 08:04:10 DKIM_Verifier.DNSWrapper    DEBUG   result: ({data:["v=DMARC1; p=none; sp=none; adkim=r; aspf=r; pct=100; fo=1; rua=mailto:hxfynrdk@ag.dmarcian.com,mailto:dmarc-rua@example.com; ruf=mailto:hxfynrdk@fr.dmarcian.com;"], rcode:0, secure:false, bogus:false})

2017-01-13 08:04:10 DKIM_Verifier.DMARC DEBUG   DMARCPolicy: ({adkim:"r", pct:100, p:"none", domain:"example.com", source:"example.com"})

2017-01-13 08:04:10 DKIM_Verifier.Policy    DEBUG   shouldBeSigned: true; sdid: example.com; hideFail: false; foundRule: false

2017-01-13 08:04:10 DKIM_Verifier.AuthVerifier  ERROR   Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:253:1) JS Stack trace: match@ARHParser.jsm:253:1 < parseResinfo@ARHParser.jsm:188:14 < _ARHParser_parse@ARHParser.jsm:162:21 < getARHResult@AuthVerifier.jsm:225:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:116:20

2017-01-13 08:04:10 DKIM_Verifier.AuthVerifier  DEBUG   authResult: ({version:"2.0", dkim:[{version:"2.0", result:"none", res_num:40, result_str:"No Signature"}], spf:[], dmarc:[]})

And here are the email headers of the same email, note though that I have obscured the domain of my server with example.com, as well as its IP address with x.x.x.x.

Delivered-To: sales@example.com
Received-SPF: pass (zoho.com: domain of email.example.com designates 167.89.55.65 as permitted sender) client-ip=167.89.55.65; envelope-from=bounces+2344330-4453-sales=example.com@email.example.com; helo=o1.7nn.fshared.sendgrid.net;
Authentication-Results: mx.zoho.com;
    spf=pass (zoho.com: domain of email.example.com designates 167.89.55.65 as permitted sender)  smtp.mailfrom=bounces+2344330-4453-sales=example.com@email.example.com;
Return-Path: <bounces+2344330-4453-sales=example.com@email.example.com>
Received: from o1.7nn.fshared.sendgrid.net (o1.7nn.fshared.sendgrid.net [167.89.55.65]) by mx.zohomail.com
    with SMTPS id 1484246776936349.02854621594497; Thu, 12 Jan 2017 10:46:16 -0800 (PST)
Received: by filter0691p1mdw1.sendgrid.net with SMTP id filter0691p1mdw1-31661-5877CEF2-29
        2017-01-12 18:46:10.784231552 +0000 UTC
Received: from example.com (example.com [x.x.x.x])
    by ismtpd0002p1lon1.sendgrid.net (SG) with ESMTP id Rc1DMZOHQDuVuX5cYM7YzA
    for <sales@example.com>; Thu, 12 Jan 2017 18:46:10.503 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; 
    h=to:from:subject:mime-version:content-type:content-transfer-encoding; 
    s=s1; bh=528ZwQtSB/2qVd7MJNMPYs7ZD5s=; b=kBy78xq/dwwoTTFMtTEa3Hy
    S8Pj3G2b4EQMouyWSav2eZ2jSm3zDUdPnDPbIO6xY7pbRyEo5pcwHoY/exvoARcC
    XEKt8B2WCvBGCqv/BpyYwH8fZH1XMBMfVNsvDS2r3aI63kUzY6s5Acj9n8cukRls
    oVHFQjs1WRQh2y/x18nw=
Date: Thu, 12 Jan 2017 20:46:09 +0200
To: sales@example.com
From: "example.com" <no-reply@example.com>
Subject: =?UTF-8?B?zpXOuc60zr/PgM6/zq/Ot8+Dzrcgzp3Orc6xz4IgzqDOsc+BzrHOs86zzrXOu86vzrHPgg==?=
Message-ID: <87fcc4cddb8a79d1ead2905850ca77d8@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_87fcc4cddb8a79d1ead2905850ca77d8"
Content-Transfer-Encoding: 8bit
X-SG-EID: gOUNDwUZ2BR4HKLzjgMW+kvYtWz9GDxsoMs56GxmdgeoFp6RARf2fwQv5KptcBDsahTrVj9mbfJcQc
 zuuKPQTdmUZuGS724CHVPHVtCkux44ObONv9Q9cdbzbji0Yk8iUse4CItwtLBTww8QcXyyRdSH89Wy
 ibMj1iyUXbKrYuuCVQp4VgENUkfgltg5XrDyvJUv1VedEIjkxEQVLIHE1tvMS/qwmM3EnmWvRx7+1w
 4=
X-ZohoMail: RSF_0  Z_38635583 SPT_1 Z_38638371 SPT_1 UDT_7 RF_0
X-Zoho-Virus-Status: 2

The extension reports No Signature on the DKIM field, which is to be expected I guess because the verification of the DKIM is disabled and Zoho doesn't verify DKIM, but the information about the SPF is also missing.

lieser commented 7 years ago

Thanks for reporting it.

The Problem is the ; at the end of the Authentication-Results header. If I remove it, the header is parsed without problems.

Note that, if I understand the RFC 7601 correctly, the ; at end of the header is not a valid syntax. So this is not a bug in the add-on, but rather a RFC violation by the Zoho mail server.

magkopian commented 7 years ago

Just noticed that Outlook does the same thing with Zoho. Here is an example of an Authentication-Results header form Outlook,

Authentication-Results: spf=pass (sender IP is 91.194.248.199)
 smtp.mailfrom=reply1.ebay.com; outlook.com; dkim=pass (signature was
 verified) header.d=reply1.ebay.com;outlook.com; dmarc=pass action=none
 header.from=reply1.ebay.com;

Seems like you are right about the violation of the RFC standard, but considering the fact that we can't actually do anything about it shouldn't we follow a less strict approach during parsing?

Also, apart from the Authentication-Results header there is also the Received-SPF header which could be used to obtain at least the SPF result, if the parsing of the Authentication-Results fails.

lieser commented 7 years ago

Although admittedly maybe not the most user friendly, the strict parsing is intentionally (if all verifiers ignore RFC violations, the signers have no motivation to follow them (or even notice them)). But I could introduce an option to relax the parsing.

The reading of the Received-SPF is probably not something I will implement myself, as I think the reading of the ARH is enough for most people. But if someone else implements it, I would be more than willing to integrate it in the add-on.

magkopian commented 7 years ago

That sounds like a great idea and I completely agree, the user should have the option to chose between a relaxed or a strict validation mode. Furthermore, I think it should be better to have strict mode enabled by default and allow the user to manually disable it for the problematic servers. A global option would also be good to exist, but not enabled by default.

lieser commented 6 years ago

The new pre release v2.0.0pre4 has an advanced option for relaxed parsing.

Note that the ARH from Outlook that you posted will still not work, as there the outlook.com; part is in the middle (and even multiple times). Before I invest more time into trying to also allowing this, could you please confirm that Outlook is still doing this?