Re: Strict canonicalization considered harmful

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Mon, 8 Dec 2014 16:10:35 -0800 (PST)

On Sat, 6 Dec 2014, Alessandro Vesely wrote:
> Blackops and sendmail tried to validate messages whose headers respectively
> contained the following fields:
> From: "Display phrase of 51, total line length line of 76" <vesely_at_tana.it>
> From: "Display phrase of 51, total line length line of 76" <vesely_at_tana.it>
> (those two apparently identical fields came back from those two validators.)
>
> The corresponding field in a bcc to myself was:
> From: "Display phrase of 51, total line length line of 76" <vesely_at_tana.it>

One obvious thing is that double-space at the front. Certain versions of
sendmail consume the leading space in a way transparent to milter, so it's
there in the transported version but absent in what's passed to the
filter. opendkim attempts to determine if the MTA it's talking to has the
capability not to do that, but not all versions do. The MTA flag of
interest is SMFIP_HDR_LEADSPC.

>> However, I just sent an empty message (using alpine as the MUA) through
>> blackops.org to sendmail.net and it came back fine.
>
> What length did you try?

Zero, or at least I never typed any body into alpine. It's possible it
created a non-empty message of some kind, but that was my test.

I just also did this:

medusa[1873]% sendmail sa-test_at_sendmail.net
From: msk_at_blackops.org
To: sa-test_at_sendmail.net
Subject: Empty message test
^D

This also came back with a GOOD result.

>> I'm not sure if your results mean DKIM validators are buggy, or a lot
>> of infrastructure monkeys with empty messages, or both, or something
>> else.
>
> Buggy validators is the most relevant point.

Possibly. It's hard to tell without more data.

>> It would be interesting to know what results you get for simple/relaxed and
>> relaxed/simple as that would give us some hints about whether it's a header
>> problem or a body problem. I would put my money on the latter (though not very
>> much of it).
>
> Not to cash your money in, but body was empty.

To really be sure, you need to arrange that both ends capture the
canonicalized bodies, and then compare them. I can set up the
blackops.org filter to send those ("SendReports") if you think that would
be helpful. It uses the method described in RFC6651, so you'll also have
to tweak your signing key record to make the request.

-MSK
Received on Tue Dec 09 2014 - 00:10:56 PST