On April 29, 2024 9:27:20 PM UTC, Steffen Nurpmeso via Postfix-users <postfix-users@postfix.org> wrote: >Tim Coote via Postfix-users wrote in > <d7c84b22-180c-4e2f-bd0b-3bb5c7d29...@coote.org>: > |Thanks very much for the detailed response. My original issue was why \ > |dkim signatures were failing on some emails from email lists when arriving \ > |at my Postfix based domain (postfix-3.4.10-1.fc30.x86_64 - I know it \ > |needs updating: and that may be the only reasonable answer). I have \ > |only seen this sort of issue from two sources. So I tried subscribing \ > |to one of them with a gmail address and found the folded header differen\ > |ce, which, if the lines were merged meant that dkim signature verification \ > |worked (using dkimpy). (tbh, I thought I’d done very well at this \ > |point as I’d spotted what had gone wrong for DKIM). > | > |That’s why I formed a hypothesis that (my) Postfix had changed this \ > |long header - as you note this is < 998 stmp limit. I presume it’s \ > |not directly involved now, as smtp_line_length_limit is the default (998) > | > |So, I tried creating an email using python and sending that to an account \ > |in my domain - that had the same <cr><lf><space> inserted after the \ > |‘,’ in the ‘List-Unsubscribe’ header. But if I use the python to send \ > |to an account in gmail, the behaviour is different from the externally \ > |sourced email as the 'List-Unsubscribe’, when observed with the gmail \ > |client in a browser does have an extra <space>, but no <cr><lf>. > | > |I clearly need to do several more experiments to work out what is going \ > |on. It’s non-trivial when you control so little of the whole chain. > >Note that in practice only exim and the DKIM library it uses (from >2009) produce really standard-conforming results, all other >implementations i have tested have some edge cases. For example, >opendkim and rspamd (as of git) use (at least in pars, or always) >the C function isspace(3) to normalize whitespace, which is not >allowed according to the DKIM RFC. They all do it wrong. The >most minimum and in practice very likely non-failing (or not at >all) is dkimpy (which uses the python function trim(), but only as >the very last step). My upcoming sign-only milter will only >support relaxed/relaxed, but is hard-conforming, too.
If you have examples of cases where dkimpy is wrong, please file bugs or email me off list. It aims to support the RFC requirements with only minimal tweaks for interoperability. Scott K _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
