Hullo

I’ve recently stumbled across this issue and wondered if it’s a/ common, b/ how 
it can be addressed.

SMTP headers are often ‘folded’ as they flow through MTAs. The standard 
approach to folding and unfolding is covered in RFC 5322 and is relied on in 
6377 (DKIM). Message signing (DKIM) is increasingly used to avoid spam/phishing 
and relies on consistent header formats when the signature is generated and 
validated.

It is known that of the two folding mechanisms, one, called 'simple', just 
assumes that the messages are not changed in any way, which is not, in general, 
practical.
 
Unfortunately, the other folding mechanism (relaxed) is based on replacing 
<whitespace> with <CRLF><whitespace> (thus turning one line into two), and 
unfolding consists of deleting <CRLF> where it is preceded by <whitespace>. The 
approach is unfortunate as some headers don’t have any <whitespace>, so the 
unfolded header is different from the original (signed) version. So if one of 
these headers is included in the signature it will fail.

AFAICT, Postfix folds headers and, if there is no whitespace, typically puts 
<CRLF><space> after a comma in the data structure of the header, thus breaking 
DKIM on unfolding (as there is an extra <space> character not in the original 
header used to construct the signature).

This raises a few questions:
- is my analysis correct: postfix header folding can break DKIM as described
- is the problem common (not very, but it’s often silent, so it could just be 
that it’s not being found as it’s not being looked for)
- is there a pragmatic fix in Postfix configuration (e.g. to increase the 
maximum size of a header line?)
- is it legitimate to fold without <whitespace> according to RFC 5322
- if there’s an issue of incompatibility between folding/unfolding of headers, 
how will this be addressed in the longer term

Tim
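
An added example, not part of the original post: DKIM's 'relaxed' and 'simple' header canonicalization applied to constructed headers, showing which kind of refolding leaves the canonical form intact. The header names and values are made up, and the refold after a comma models the behaviour the post describes rather than confirmed Postfix output.

```python
import re

WSP = " \t"

def relaxed_header(raw: str) -> str:
    """DKIM 'relaxed' header canonicalization (RFC 6376, section 3.4.2)."""
    name, sep, value = raw.partition(":")
    if not sep:
        raise ValueError("header field has no colon")
    # Unfold: delete every CRLF that is followed by WSP; the WSP is kept.
    value = re.sub(r"\r\n(?=[ \t])", "", value).rstrip("\r\n")
    # Collapse each run of WSP to one SP, then trim WSP at both ends of the value.
    value = re.sub(r"[ \t]+", " ", value).strip(WSP)
    # Lowercase the field name and drop WSP before the colon.
    return f"{name.strip(WSP).lower()}:{value}\r\n"

def simple_header(raw: str) -> str:
    """DKIM 'simple' header canonicalization: the field is used unchanged."""
    return raw

def survives(signed: str, received: str, canon) -> bool:
    """True if the verifier would hash the same bytes the signer hashed."""
    return canon(signed) == canon(received)

# Constructed sample headers (not taken from real mail).
SIGNED_WITH_WSP = "Subject: quarterly report attached\r\n"
REFOLDED_AT_WSP = "Subject: quarterly report\r\n attached\r\n"  # CRLF before an existing SP
SIGNED_NO_WSP = "X-Example-Ids: id1,id2,id3\r\n"
REFOLDED_AT_COMMA = "X-Example-Ids: id1,\r\n id2,id3\r\n"       # CRLF plus a newly added SP

def check_all() -> dict:
    """Compare each signed header with its refolded form under both modes."""
    return {
        "fold at existing WSP, relaxed": survives(SIGNED_WITH_WSP, REFOLDED_AT_WSP, relaxed_header),
        "fold at existing WSP, simple": survives(SIGNED_WITH_WSP, REFOLDED_AT_WSP, simple_header),
        "fold after comma, relaxed": survives(SIGNED_NO_WSP, REFOLDED_AT_COMMA, relaxed_header),
        "fold after comma, simple": survives(SIGNED_NO_WSP, REFOLDED_AT_COMMA, simple_header),
    }

if __name__ == "__main__":
    for label, ok in check_all().items():
        print(f"{label}: {'unchanged' if ok else 'CHANGED, signature would fail'}")
    print(repr(relaxed_header(SIGNED_NO_WSP)), "vs", repr(relaxed_header(REFOLDED_AT_COMMA)))
```

Running the same comparison on a header captured before and after a relay shows whether that hop altered a field covered by the signature's `h=` list.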