opendkim generates an invalid signature if one header is folded just after the header name
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
opendkim (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
opendkim generates an invalid signature if one header is folded just after the header name.
Expected: the email is correctly signed.
Actual: the signature is invalid.
How to reproduce? Send the email below, replacing "example.com" with a valid DKIM-signed domain. I used postfix to send the email.
Here is a source .eml email that opendkim will fail to sign correctly:
```
From: <email address hidden>
To: <email address hidden>
Subject:
 Folding_

Test
```
opendkim generates an invalid signature for this email because of the folding white space in the "Subject:" header.
The signature is valid if the "Subject:" header is written on one line:
```
Subject: Folding_
```
Ubuntu 18.04.3 LTS
opendkim : 2.11.0~
---
This bug occurs for all headers signed by opendkim (not only with "Subject:").
This syntax seems valid. At least Gmail, Outlook and Thunderbird display the subject correctly.
https:/
> Unfolding is accomplished by simply removing any CRLF
> that is immediately followed by WSP. Each header field should be
> treated in its unfolded form for further syntactic and semantic
> evaluation. An unfolded header field has no length restriction and
> therefore may be indeterminately long.
Gmail and opendkim itself consider the signature invalid.
opendkim:
```
Authentication-
reason="fail (message has been altered)" header.
header.b=ABCDEF;
```
Gmail:
```
ARC-Authenticat
dkim=fail <email address hidden> header.s=xxxxxxx header.
```
My OpenDKIM installation (2.11.0~ alpha-11build1 on Ubuntu 18.04 Server)
can sign your message, and produces a valid signature.
Perhaps some other component at your site or in transit is altering the
folding or line terminators? Anything unusual about your system and
configuration? Perhaps try setting Canonicalization to ‘relaxed/relaxed’
and see if the verification result changes
(https://tools.ietf.org/html/rfc6376#section-3.4.2)?
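To show what the suggested ‘relaxed/relaxed’ setting changes for a header folded like the reporter's Subject, here is an added Python example (not opendkim's code and not from this bug thread) implementing the RFC 6376 "simple" (3.4.1) and "relaxed" (3.4.2) header canonicalizations and checking whether the bytes a signer hashes stay identical when a relay unfolds the header; the header strings are constructed for the example.

```python
import re

# RFC 6376 section 3.4.1, "simple" header canonicalization: the header is
# hashed byte for byte, so any change to folding breaks verification.
def simple_header(field: str) -> str:
    return field


# RFC 6376 section 3.4.2, "relaxed" header canonicalization:
#  - unfold continuation lines (RFC 5322: drop a CRLF immediately followed by WSP)
#  - collapse runs of WSP to a single SP
#  - delete WSP at the end of the value and around the colon
#  - lowercase the field name
def relaxed_header(field: str) -> str:
    name, value = field.rstrip("\r\n").split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold
    value = re.sub(r"[ \t]+", " ", value)         # compress WSP
    return name.strip().lower() + ":" + value.strip(" \t") + "\r\n"


def survives_refolding(canon, original: str, rewritten: str) -> bool:
    """True if the canonical form (what the DKIM header hash covers) is the
    same before and after an intermediary re-folds or unfolds the header,
    i.e. a signature over `original` would still verify on `rewritten`."""
    return canon(original) == canon(rewritten)


# Constructed inputs: the reporter's folded Subject and its one-line form.
FOLDED = "Subject:\r\n Folding_\r\n"
UNFOLDED = "Subject: Folding_\r\n"

if __name__ == "__main__":
    for label, canon in (("simple", simple_header), ("relaxed", relaxed_header)):
        print(label, repr(canon(FOLDED)), repr(canon(UNFOLDED)),
              "verifies after unfolding:", survives_refolding(canon, FOLDED, UNFOLDED))
```

With simple canonicalization the two forms hash differently, which is exactly the "message has been altered" verdict in the report; with relaxed canonicalization both reduce to `subject:Folding_`.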