Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 16 Dec 2011 00:14:16 -0800 (PST)

On Thu, 15 Dec 2011, Kevin A. McGrail wrote:
> In this case, I do know the key is correct because I've pinpointed and
> had corroboration that Sendmail is the culprit changing the To: header.
> I then reverse engineered the changes by having the pre-sendmail
> processing file and figuring out what Sendmail was doing by behavior.
> I could then edit the text and see that the signature was indeed valid.

In this case, yes. But I was speaking generally. You're trying to
resolve what you claim is a systemic problem, so I'm responding in the
general case.

> I'd liked to be proved wrong. But I'm giving data and encouraging people to
> recreate my research.

I did that, and I agree that sendmail is probably making the change at
least in some cases. The question is why, and what to do about it.

> I wouldn't even try that in a live implementation... All my research to date
> tells me that this is a systemic issue with sendmail that DKIM signers need
> to be aware of. In my opinion, it sounds like if this information is
> validated, DKIM should consider changing the default signature to relaxed
> coupled with a major recommendation to use relaxed. Sendmail is a very big
> player and this is a very real-world issue not just an edge case.

Most signers use relaxed for the header mode already.

> The particular case I have pinned down is a user with an external MUA
> using Gmail. I have not been able to reproduce the issue with Gmail's
> web-based interface. I also spot checked my logs and had at least 200
> cases in 12 hours on a small server showing the issue to be larger
> rather than smaller.

I'll ask my contacts inside Gmail and see if they'll confirm this.

> The signature in the example files I include are showing relaxed.
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com; s=gamma;
> h=message-id:date:from:user-agent:mime-version:to:subject:references
> :in-reply-to:content-type:content-transfer-encoding;
> bh=lYVEKO5MXo+cAf5wUNc37hh7jXayzO+c4Y+wRG+SgFM=;
> b=crv4nFgQznK2NjBYYqd+Y0fuUN916hhWZmP4wtRVc2YdluezVLOFOQTSIR1aLGuIbF
> KHDGEFJy4w2nnhJmKyiPaF3F0FNzbxTE2hzCqTWp/fusy+Pr8uHJeorIIawm1+cwIcFf
> uMNmIWrxPS77QKNNAx3P+N6Qnyv+qcT0tWM+A=
>
> So relaxed doesn't seem to fix the issue if the To: header's case is
> changed somewhere between signing and verifying.

Signing with relaxed header mode forces everything to lowercase, so merely
changing "PCCC" to "pccc" is not enough to invalidate this signature. If
what you say is true then something else is also changing to cause what
you're seeing.

-MSK
Received on Fri Dec 16 2011 - 08:14:32 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:22 PST