Re: OpenDKIM bug ?

From: Scott Kitterman <ietf-dkim_at_kitterman.com>
Date: Fri, 11 Jan 2019 16:14:49 -0500

On Friday, January 11, 2019 02:48:24 PM Ken wrote:
> Hello Scott,
>
> > Microsoft's auth header fields were non-standard in non-trivial ways.
>
> Business as usual in Microsoft land :\ .. and to be honest I couldn't care
> less about the header read errors
>
> > so as long as the DKIM signatures are still verified.
>
> That's the problem. These emails (only these emails) fail verification
> because the DKIM signature can't be retrieved from the email header
> information which needs to be done to compare against DNS.
>
> At least that's what I thought until I started to dig deeper into their
> DKIM signatures.
>
>
>
> *Average DKIM Header*
> *DKIM-Signature:* v=1; a=rsa-sha256; d=zdnet.online.com; s=s1024-1.bh;
> c=simple/simple; q=dns/txt; i=_at_zdnet.online.com; t=1547046787;
> h=From:Subject:Date:To:Content-Type;
> bh=IoNR9I+c6LM7pnapv5950eUw69Kz0w3jw3v8/X2dGQY=;
> b=LmiDF2yR7vNzhPtGZAjBZLNXlgilXjmNMZRB6bI/oyD1RjNiDg7BVwyrZ/y89jVe
> e5zN7gQVIN9oIhxGAib7b8lE9Etrz7I0pWk2qoD8QbA3in2M6Het+L8vr5WlTlRb
> wV0M/hEfglbHWVhuNB4it55IHlBjhpVo0x5u1FCmGoA=;
>
>
>
> *O365 DKIM Header*
> *DKIM-Signature:* v=1; a=rsa-sha256; c=relaxed/relaxed; d=
> leviton.com
> ;s=selector1;h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-E
> xchange-SenderADCheck;bh=8EjjEZKj36w4Nao7GzqLl/S20+XjekqO4lyJd7e3jtE=;b=bfqJ
> 71mN8kSAnN6+nNJDJ8po3bb9ddjVNv8BldyXjdZYV485HsI9S667IUjq+cPVX+Ha8IEbv6uRDjwv
> AEeWNpPvEAKFILAXgCqRaUNie008iena5Z5zwp0s19Ti/oYfxlaJ/5chDJ/zYkVfyRTT75PDB3Az
> 4LM4XZdpasv4jA0=
>
> I'm now wondering, could the lack of spacing between variables be the
> problem?
>
> O365 has: v=; a=; c=; - then loses spacing- d=;s=;h=;bh=
>
> Average emails will have consistent spacing between variables
> v=a; a=; d=; s=; c=; i=; h=; bh=;
>
> If that is the problem, is there anything that can be done, aside from
> Microsoft fixing their mess?

It's an error.

RFC 6376 3.5 says:

> The DKIM-Signature value is a tag-list as described in Section 3.2

Section 3.2 says:

> tag-list = tag-spec *( ";" tag-spec ) [ ";" ]
> tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS]

FWS (for RFC 6376) is defined in Section 2.8:

> WSP = SP / HTAB
> LWSP = *(WSP / CRLF WSP)
> FWS = [*WSP CRLF] 1*WSP

The formal definition is in RFC 5234.

What that adds up to is that at least one space or htab between the semi-colon
and the next tag is required.

Scott K
Received on Fri Jan 11 2019 - 21:15:31 PST
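
For comparing the two header layouts discussed in this thread, a tag-list parser built on the grammar lines quoted from RFC 6376 Section 3.2; this is an added example, not part of the original message and not OpenDKIM code. It accepts a tag with or without whitespace after the ";" and returns the names of the tags that have none. The sample header values are constructed, and the tag-name rule comes from RFC 6376 Section 3.2 rather than from the message.

```python
import re

# tag-name = ALPHA *ALNUMPUNC (RFC 6376 section 3.2; not quoted in the thread)
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
WSP = " \t"

# Constructed samples that mirror the two layouts in the thread.
SPACED = ("v=1; a=rsa-sha256; d=example.com; s=s1;\r\n"
          " c=simple/simple; h=From:Subject; bh=AAAA=; b=BBBB=")
COMPACT = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;"
           "s=selector1;h=From:Date;bh=AAAA=;b=BBBB=")


def unfold(value):
    """Drop the CRLF of each folded line and keep the WSP that follows it."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def parse_tag_list(value):
    """Parse tag-list = tag-spec *( ";" tag-spec ) [ ";" ].

    Returns (tags, compact): tags maps tag-name to tag-value, compact lists
    the tag names that follow a ";" with no whitespace in between.
    """
    specs = unfold(value).split(";")  # ";" cannot occur inside a tag-value
    if specs and specs[-1].strip(WSP) == "":
        specs.pop()  # optional trailing ";" (trailing whitespace tolerated)
    tags, compact = {}, []
    for index, spec in enumerate(specs):
        raw_name, sep, raw_value = spec.partition("=")
        name = raw_name.strip(WSP)
        if not sep or not TAG_NAME.match(name):
            raise ValueError(f"malformed tag-spec: {spec!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        if index > 0 and raw_name[0] not in WSP:
            compact.append(name)  # no whitespace between ";" and the tag name
        tags[name] = raw_value.strip(WSP)
    return tags, compact
```
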
