Hello David,

Thank you for your quick reply.

I attached a PHP script (bug_21857618.php) to reproduce the issue.

You can run it with `php bug_21857618.php [email protected] 0` to have an invalid DKIM signature.
You can run it with `php bug_21857618.php [email protected] 1` to have a valid DKIM signature.
Just replace [email protected] by a valid DKIM-signed domain. Look at the way "Subject:" is written in both cases.

Here is my opendkim conf file:

```
# cat /etc/opendkim.conf
Syslog yes
LogResults yes
LogWhy yes
UMask 007
Socket local:/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
KeyTable /etc/mail/KeyTable
SigningTable /etc/mail/SigningTable
Mode s
SubDomains yes
MultipleSignatures yes
InternalHosts refile:/etc/mail/InternalHosts
Socket inet:8891@localhost
```

I tried the PHP script on a Debian 8 server with this simplified config file and the problem is already here:

```
# cat /etc/opendkim.conf
Syslog yes
UMask 002
KeyTable /etc/mail/KeyTable
SigningTable /etc/mail/SigningTable
OversignHeaders From
```

If you can't reproduce the case, I'm interested in you sending me a valid DKIM-signed email with the folded "Subject:" header.

---

> Perhaps some other component at your site or in transit is altering the folding or line terminators? Anything unusual about your system and configuration?

I tried on multiple servers (Ubuntu 18.04, Ubuntu 16.04, Debian 8) and the problem is here.

> Perhaps try setting Canonicalization to ‘relaxed/relaxed’ and see if the verification result changes

I haven't tried this, but I only change the "Subject:" header a little bit to get a valid DKIM signature one time and an invalid signature the other. I don't think that this will solve the issue, or if so I don't understand why.

Thank you again for your reply and your tests to reproduce the problem,
Guillaume

```
# dpkg -l | grep opendkim
ii  libopendkim11  2.11.0~alpha-11build1  amd64  Library for signing and verifying DomainKeys Identified Mail signatures
ii  opendkim       2.11.0~alpha-11build1  amd64  Milter implementation of DomainKeys Identified Mail
# dpkg -l | grep postfix
ii  postfix        3.3.0-1ubuntu0.2       amd64  High-performance mail transport agent
# dpkg -l |grep php-cli
ii  php-cli        1:7.2+60ubuntu1        all    command-line interpreter for the PHP scripting language (default)
# cat /etc/postfix/main.cf | grep milter
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```

** Attachment added: "bug_21857618.php"
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1857618/+attachment/5315817/+files/bug_21857618.php

https://bugs.launchpad.net/bugs/1857618

Title: opendkim generate an invalid signature if one header is fold just after the header name

Status in opendkim package in Ubuntu: New

Bug description:

opendkim generates an invalid signature if one header is folded just after the header name.

Expected: the email is well signed.
Actual: Signature is invalid.

How to reproduce?
Send the email just below by replacing "example.com" by a valid DKIM-signed domain. I used postfix to send the email.

Here is a source .eml email that will fail to be correctly signed by opendkim:

```
From: <[email protected]>
To: <[email protected]>
Subject:
 Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Test
```

opendkim generates an invalid signature with this email because of the "Subject:" folding white space.

The signature is valid if the "Subject:" is written in one line:

```
Subject: Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

Ubuntu 18.04.3 LTS
opendkim: 2.11.0~alpha-11build1

---

This bug occurs for all headers signed by opendkim (not only with "Subject:").

This syntax seems valid. At least Gmail, Outlook, Thunderbird display the subject correctly.

https://www.ietf.org/rfc/rfc5322.txt :

> Unfolding is accomplished by simply removing any CRLF
> that is immediately followed by WSP. Each header field should be
> treated in its unfolded form for further syntactic and semantic
> evaluation. An unfolded header field has no length restriction and
> therefore may be indeterminately long.

Gmail and opendkim itself consider the signature as invalid.

opendkim:

```
Authentication-Results: xxx.example.com (amavisd-new);
 dkim=fail (2048-bit key) reason="fail (message has been altered)"
 header.d=example.com header.b=ABCDEF;
```

Gmail:

```
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=fail [email protected] header.s=xxxxxxx header.b="a/aaaaaa";
```
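Added example, not part of the original message or of the attached PHP script: the "simple" and "relaxed" header canonicalizations from RFC 6376 sections 3.4.1 and 3.4.2, applied to the two ways of writing "Subject:" from the report. It shows what the Canonicalization test suggested in the thread would tell you: the two forms are different bytes under "simple" but identical under "relaxed". The function names are hypothetical and the subject value is a shortened, constructed sample.

```python
import re

CRLF = "\r\n"


def canon_simple(field: str) -> bytes:
    """RFC 6376 section 3.4.1: hash the field exactly as it was transmitted."""
    return (field + CRLF).encode("ascii")


def canon_relaxed(field: str) -> bytes:
    """RFC 6376 section 3.4.2: normalise name case, folding and whitespace."""
    name, value = field.split(":", 1)            # split at the first colon only
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold: drop CRLF before WSP
    value = re.sub(r"[ \t]+", " ", value)        # each run of WSP -> one SP
    value = value.strip(" ")                     # WSP after the colon and at the end
    name = name.rstrip(" \t").lower()            # WSP before the colon, lowercase name
    return f"{name}:{value}{CRLF}".encode("ascii")


def same_signed_bytes(a: str, b: str) -> dict[str, bool]:
    """Would a signer hashing `a` and a verifier hashing `b` agree?"""
    return {
        "simple": canon_simple(a) == canon_simple(b),
        "relaxed": canon_relaxed(a) == canon_relaxed(b),
    }


# Constructed samples (raw header fields without the final CRLF).
SUBJECT = "Folding_White_Space_and_too_long_subject_aaaa"
FOLDED = "Subject:" + CRLF + " " + SUBJECT   # fold right after the header name
ONE_LINE = "Subject: " + SUBJECT             # same value on a single line
ALTERED = "Subject: " + SUBJECT + "b"        # value actually changed

if __name__ == "__main__":
    print("folded vs one line:", same_signed_bytes(FOLDED, ONE_LINE))
    print("folded vs altered :", same_signed_bytes(FOLDED, ALTERED))
    print("relaxed form      :", canon_relaxed(FOLDED))
```

If a message like the folded one fails with simple header canonicalization but verifies with relaxed, the signer and the verifier hashed header bytes that differ only in folding or whitespace; if it fails under both, the difference is elsewhere.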

