Ubuntu
opendkim package

Bug #1857618
Comment #3

Comment 3 for bug 1857618

Revision history for this message

Msd (msd+launchpad) wrote on 2019-12-27:

bug_21857618.php Edit (1.4 KiB, text/plain)

Hello David,

Thank you for your quick reply.

I attached a php script (bug_21857618.php) to reproduce the issue.

You can run it with `php bug_21857618.php <email address hidden> 0` to have an invalid DKIM signature.
You can run it with `php bug_21857618.php <email address hidden> 1` to have valid DKIM signature.

Just replace <email address hidden> by a valid DKIM-signed domain.

Look at the way "Suject:" is written in both cases.

Here is my opendkim conf file :

I tried the php script on a Debian 8 server with this simplified config file and the problem is already here :

```
# cat /etc/opendkim.conf
Syslog yes
UMask 002
KeyTable /etc/mail/KeyTable
SigningTable /etc/mail/SigningTable
OversignHeaders From
```

If you can't reproduce the case, I'm interesting that you send me a valid DKIM-signed email with the folded "Subject:" header.

---

> Perhaps some other component at your site or in transit is altering the
folding or line terminators? Anything unusual about your system and
configuration?

I tried on multiples servers (Ubuntu 18.04, Ubuntu 16.04, Debian 8) and the problem is here.

> Perhaps try setting Canonicalization to ‘relaxed/relaxed’
and see if the verification result changes

I haven't tried this but I only change a little bit the "Subject:" header for one time having a valid DKIM signature and the other an invalid signature. I don't think that this will solve the issue or if so I don't understand why.

Thank you again for your reply and your tests to reproduce the problem,

Guillaume

```
# dpkg -l | grep opendkim
ii libopendkim11 2.11.0~alpha-11build1 amd64 Library for signing and verifying DomainKeys Identified Mail signatures
ii opendkim 2.11.0~alpha-11build1 amd64 Milter implementation of DomainKeys Identified Mail
# dpkg -l | grep postfix
ii postfix 3.3.0-1ubuntu0.2 amd64 High-performance mail transport agent
# dpkg -l |grep php-cli
ii php-cli 1:7.2+60ubuntu1 all command-line interpreter for the PHP scripting language (default)
# cat /etc/postfix/main.cf | grep milter
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```

Hello David,

Thank you for your quick reply.

I attached a php script (bug_21857618.php) to reproduce the issue.

You can run it with `php bug_21857618.php test@example.com 0` to have an invalid DKIM signature.
You can run it with `php bug_21857618.php test@example.com 1` to have valid DKIM signature.

Just replace test@example.com by a valid DKIM-signed domain.

Look at the way "Suject:" is written in both cases.

Here is my opendkim conf file :

```
# cat /etc/opendkim.conf
Syslog                  yes
LogResults              yes
LogWhy                  yes
UMask                   007
Socket                  local:/var/run/opendkim/opendkim.sock
PidFile                 /var/run/opendkim/opendkim.pid
OversignHeaders         From
TrustAnchorFile         /usr/share/dns/root.key
UserID                  opendkim
KeyTable                /etc/mail/KeyTable
SigningTable            /etc/mail/SigningTable
Mode                    s
SubDomains              yes
MultipleSignatures      yes
InternalHosts           refile:/etc/mail/InternalHosts
Socket                  inet:8891@localhost
```

I tried the php script on a Debian 8 server with this simplified config file and the problem is already here :

```
# cat /etc/opendkim.conf
Syslog                  yes
UMask                   002
KeyTable                /etc/mail/KeyTable
SigningTable            /etc/mail/SigningTable
OversignHeaders         From
```

If you can't reproduce the case, I'm interesting that you send me a valid DKIM-signed email with the folded "Subject:" header.

---

> Perhaps some other component at your site or in transit is altering the
folding or line terminators? Anything unusual about your system and
configuration?

I tried on multiples servers (Ubuntu 18.04, Ubuntu 16.04, Debian 8) and the problem is here.

> Perhaps try setting Canonicalization to ‘relaxed/relaxed’
and see if the verification result changes

Thank you again for your reply and your tests to reproduce the problem,

Guillaume

```
# dpkg -l | grep opendkim
ii  libopendkim11                         2.11.0~alpha-11build1                           amd64        Library for signing and verifying DomainKeys Identified Mail signatures
ii  opendkim                              2.11.0~alpha-11build1                           amd64        Milter implementation of DomainKeys Identified Mail
# dpkg -l | grep postfix
ii  postfix                               3.3.0-1ubuntu0.2                                amd64        High-performance mail transport agent
# dpkg -l |grep php-cli
ii  php-cli                               1:7.2+60ubuntu1                                 all          command-line interpreter for the PHP scripting language (default)
# cat /etc/postfix/main.cf | grep milter
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```

Ubuntuopendkim package

Comment 3 for bug 1857618

Ubuntu
opendkim package