Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?

From: Kevin A. McGrail <KMcGrail_at_PCCC.com>
Date: Thu, 15 Dec 2011 23:03:09 -0500

Hi Claus, thanks for responding.

>
>> mail from: kmcgrail_at_pccc.com
> mail from:<kmcgrail_at_pccc.com>
>
>> 250 2.1.0 kmcgrail_at_pccc.com... Sender ok
>> rcpt to: rOoT_at_TaLoN1.PcCc.CoM
> rcpt to:<rOoT_at_TaLoN1.PcCc.CoM>
>
> See RFC 821ff.
>
> In:
>> To: root_at_talon1.pccc.com
> Out:
>> To: root_at_TaLoN1.PcCc.CoM

I'm unsure of the points above. Are you saying that RFC 821 says that
the envelope rcpt to: will purposefully create the To: header?

Or are you showing that I didn't use <> to properly format the email
address? If the latter, I don't believe it's material to the
situation. But I will test this as well as with a non-root user as you
sagely warn below.

If you are saying the former, do you have a recommendation on how this
situation should be resolved? Please understand, I'm not referring to
this even as a bug. It might be nothing more than a widespread and
common configuration issue. But if a player as large as Google is
signing with DKIM based on the To: Header and the To: Header is changing
in Sendmail because of the envelope data, I'd like to understand why and
suggest the best course of action for resolving the issue for everyone.

BTW, what is RFC 821ff? I'm not familiar with the extra ff part and
googling it wasn't any help.

> What's in your .mc file? Do you use some masquerading?

I tested this on more than one system. However, to remove a lot of
variables, I also tested a stock CentOS system running a stock CentOS
sendmail installation. The stock MC (dnl lines removed) is:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `20000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_QUEUEWARN', `1d')dnl
define(`confTO_QUEUERETURN', `10d')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', 50)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

> Do you use
> this kind of mixed case in your local DNS or /etc/hosts or whatever
> you told sendmail to use for name resolution? As sendmail doesn't
> make up that data it has to get it from somewhere.

I don't believe Sendmail is making up the data or getting it from DNS. I
believe the MUA is providing it from address books as it gives it to the
MSA/MTA.

For example, sometimes in my mail client, I use KMcGrail_at_PCCC.com.

It appears, when AXB is responding to me using Thunderbird via Gmail, I
noticed that the DKIM validation failed. Based on the attached files,
one file showing an email saved from a milter prior to sendmail
processing and one saved after sendmail processing, you'll note the To:
header is changed to the lower-case _at_pccc.com. This changing of the To:
header breaks the ability to verify the DKIM signature.

From further testing corroborated on this list, it appears sendmail is
definitely changing the To: header based on the envelope rcpt to: data.
You can see this in the Received header of the attached files from Gmail.

My concern is that this is going to be a widespread issue and DKIM
and/or Sendmail should be advising regarding the issue and a recommended
resolution.
>
> PS: you shouldn't use "root" for testing as it is treated in a special
> way in sm8.

Using angle-brackets and a non-root user shows the same behavior.
Sendmail appears to replace the To: header with the email address used
in the rcpt to: envelope data.

If the message below were signed prior to injection with the To: taken
into account, I conjecture it would fail validation because of the
change in case on the To: header.

The attached emails are a real-world example of this occurring with
Gmail so this is not just a test case. The testing with root and the
user below is simply to show how you can recreate the situation where
the To: header has the email address re-written based on the envelope
data. It appears to occur with root, non-root and with complete or
incomplete email address syntax.

Manual Injection:
[root_at_talon1 mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 talon1.pccc.com ESMTP Sendmail 8.13.1/8.13.1; Thu, 15 Dec 2011
22:56:50 -0500
helo pccc.com
250 talon1.pccc.com Hello localhost.localdomain [127.0.0.1], pleased to
meet you
mail from: <kmcgrail_at_PCCC.com>
250 2.1.0 <kmcgrail_at_PCCC.com>... Sender ok
rcpt to: <KMcGrail_at_Talon1.PCCC.com>
250 2.1.5 <KMcGrail_at_Talon1.PCCC.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Subject: Test with envelope rcpt to: <KMcGrail_at_Talon1.PCCC.com> and To:
of kmcgrail_at_talon1.pccc.com
To: "Billy Bob Joe Smith" <kmcgrail_at_talon1.pccc.com>


This is a test with an envelope rcpt to: <KMcGrail_at_Talon1.PCCC.com> and
To: of kmcgrail_at_talon1.pccc.com
.
250 2.0.0 pBG3uoCR029483 Message accepted for delivery

Mbox File:
 From kmcgrail_at_PCCC.com Thu Dec 15 22:57:33 2011
Return-Path: <kmcgrail_at_PCCC.com>
Received: from pccc.com (localhost.localdomain [127.0.0.1])
         by talon1.pccc.com (8.13.1/8.13.1) with SMTP id pBG3uoCR029483
         for <KMcGrail_at_Talon1.PCCC.com>; Thu, 15 Dec 2011 22:57:02 -0500
Date: Thu, 15 Dec 2011 22:56:50 -0500
From: kmcgrail_at_PCCC.com
Message-Id: <201112160357.pBG3uoCR029483_at_talon1.pccc.com>
Subject: Test with envelope rcpt to: <KMcGrail_at_Talon1.PCCC.com> and To:
of kmcgrail_at_talon1.pccc.com
To: "Billy Bob Joe Smith" <kmcgrail_at_Talon1.PCCC.com>


This is a test with an envelope rcpt to: <KMcGrail_at_Talon1.PCCC.com> and
To: of kmcgrail_at_talon1.pccc.com




Regards,
KAM

Received on Fri Dec 16 2011 - 04:03:21 PST
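
Added example, not part of the original message or of any Sendmail or SpamAssassin code: the two RFC 6376 header canonicalizations applied to the To: field from the telnet test above, showing that "relaxed" tolerates refolding and header-name case but not the address case rewrite the message reports. Function names and sample fields are assumptions constructed from that test; the digest covers only the signed fields and leaves out the DKIM-Signature field and the RSA step.

```python
import hashlib
import re

def relaxed_header(field):
    """RFC 6376 section 3.4.2 "relaxed" canonicalization of one header field."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return name.strip().lower() + ":" + value + "\r\n"  # only the NAME is lowercased

def simple_header(field):
    """RFC 6376 section 3.4.1 "simple" canonicalization: the field is left unchanged."""
    return field + "\r\n"

def header_digest(fields, canon):
    """SHA-256 over the canonicalized signed fields (simplified: the real hash
    input also ends with the DKIM-Signature field itself, b= value emptied)."""
    h = hashlib.sha256()
    for field in fields:
        h.update(canon(field).encode("ascii"))
    return h.hexdigest()

def survives(signed, received, canon):
    """True if the received headers hash to the same value the signer covered."""
    return header_digest(signed, canon) == header_digest(received, canon)

# Constructed sample fields modelled on the telnet test in the message;
# addresses keep the archive's "_at_" obfuscation.
FROM = "From: kmcgrail_at_PCCC.com"
TO_SENT = 'To: "Billy Bob Joe Smith" <kmcgrail_at_talon1.pccc.com>'
TO_DELIVERED = 'To: "Billy Bob Joe Smith" <kmcgrail_at_Talon1.PCCC.com>'
TO_REFOLDED = 'TO:   "Billy Bob Joe Smith"\r\n\t<kmcgrail_at_talon1.pccc.com>'

if __name__ == "__main__":
    for label, to in (("refolded", TO_REFOLDED), ("case-rewritten", TO_DELIVERED)):
        for canon in (simple_header, relaxed_header):
            ok = survives([FROM, TO_SENT], [FROM, to], canon)
            print(f"{label:15} {canon.__name__:15} {'pass' if ok else 'FAIL'}")
```

Because neither canonicalization normalizes the case of a header value, a verifier can only recover by seeing the To: field exactly as it was signed, which is why the pre-Sendmail and post-Sendmail copies verify differently.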
