On Thu, 1 Feb 2024, Dave Crocker wrote:
Me, I would *not* put in code looking for bare CRs or LFs. ...

A 5322 processor gets to decide what is a valid message.  That's not DKIM's job.  And DKIM has no inherent reason to care about CR or LF on their own, as distinct from any other character on its own.

Layering is a fine principle, but it's not how DKIM has ever worked in practice. Two weeks ago we had a long discussion about oversigning, so DKIM validators can catch messages with multiple From: or Subject: headers which have never been valid in any version of 822/2822/5322 but show up anyway.

For the specific issue of bare CR or LF, I was reminded on another list that there is a trendy attack called SMTP smuggling which depends on mail software inconsistently accepting bare CR or LF, and mail providers are busy patching to fix it.

Read all about it here: https://smtpsmuggling.com/

I realize that there are plenty of ancient mail messages in archives with bare CR or LF, but none of them are going to be signed or verified now. You're not doing your users any favors by signing or verifying a message-like thing that contains them.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
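The two checks argued for in this message (refusing to sign or verify a message-like thing that contains a bare CR or LF, and catching duplicated singleton headers such as From: or Subject:) can be implemented as a small pre-signing/pre-verification sanity pass. The following Python is an added example, not code from the thread or from any DKIM implementation; the sample messages are constructed, and the `SINGLETON_HEADERS` list is an assumed subset of the fields RFC 5322 limits to one occurrence. It works on raw bytes because line-ending defects are only visible in the wire form, never in a parsed message object.

```python
import re

# Constructed sample messages (not from the list post). Byte strings, because
# a bare CR or LF only exists in the raw wire form of a message.
CLEAN = (b"From: alice@example.com\r\n"
         b"Subject: hello\r\n"
         b"\r\n"
         b"body line\r\n")

BARE_LF = (b"From: alice@example.com\r\n"
           b"Subject: hello\n"            # bare LF ending a header line
           b"\r\n"
           b"body\r\n")

BARE_CR = (b"From: a@example.com\r\n"
           b"Subject: x\r\n"
           b"\r\n"
           b"line one\rline two\r\n")    # bare CR inside the body

DUP_FROM = (b"From: alice@example.com\r\n"
            b"From: mallory@example.net\r\n"   # second From: is never valid
            b"Subject: hello\r\n"
            b"\r\n"
            b"body\r\n")

BARE_CR_RE = re.compile(rb"\r(?!\n)")   # CR not followed by LF
BARE_LF_RE = re.compile(rb"(?<!\r)\n")  # LF not preceded by CR

# Assumed subset of header fields RFC 5322 section 3.6 allows at most once.
SINGLETON_HEADERS = ("from", "subject", "date", "message-id")


def find_bare_line_endings(raw: bytes) -> list:
    """Return (offset, kind) for every CR or LF that is not part of a CRLF pair."""
    hits = [(m.start(), "CR") for m in BARE_CR_RE.finditer(raw)]
    hits += [(m.start(), "LF") for m in BARE_LF_RE.finditer(raw)]
    return sorted(hits)


def count_headers(raw: bytes) -> dict:
    """Count occurrences of each header field name in the header block.

    Folded continuation lines (leading SP or HTAB) belong to the previous
    field and are not counted again.
    """
    header_block = raw.split(b"\r\n\r\n", 1)[0]
    counts = {}
    for line in header_block.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            counts[key] = counts.get(key, 0) + 1
    return counts


def duplicated_singletons(raw: bytes) -> list:
    """Names of singleton header fields that occur more than once."""
    counts = count_headers(raw)
    return sorted(h for h in SINGLETON_HEADERS if counts.get(h, 0) > 1)


def pre_sign_check(raw: bytes) -> list:
    """Reasons to refuse signing or verifying; an empty list means it passes."""
    problems = [f"bare {kind} at byte {off}" for off, kind in find_bare_line_endings(raw)]
    problems += [f"duplicate {h}: header" for h in duplicated_singletons(raw)]
    return problems


if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("bare LF", BARE_LF),
                       ("bare CR", BARE_CR), ("duplicate From", DUP_FROM)):
        print(f"{label}: {pre_sign_check(msg) or 'ok'}")
```

A signer would run `pre_sign_check` on the canonical wire form before producing a signature and refuse on any non-empty result; a verifier can apply the same test and treat a hit as a verification failure rather than attempting to canonicalize around it.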
