We've recently been getting more complaints about seemingly valid
messages that are rejected when we forward them. Tracking down the
problem, it happens when:
1. The message that we receive from a third party has line lengths that
exceed 998 bytes in violation of RFC 5322 2.1.1;
2. The message envelope sender uses SPF "-all";
3. The message has a valid, aligned DKIM signature matching the From
header when it arrives;
4. Postfix wraps the message at 998 bytes when forwarding it due to
<https://www.postfix.org/postconf.5.html#smtp_line_length_limit>;
5. This breaks the DKIM signature in the forwarded copy, because
addition of the "CR-LF-SP" changes the DKIM body hash;
6. The forwarding destination finds no valid DKIM signature, so it uses
the SPF "-all" and rejects it with a message like this Gmail example:
"550 5.7.26 This message does not have authentication information or
fails to pass authentication checks".
How do other people handle this problem? I've seen suggestions of simply
preventing Postfix from doing any wrapping, like:
https://github.com/trusteddomainproject/OpenDMARC/issues/166
It feels a little evil to just pass non-SMTP compliant messages on to
others, but on the other hand, changing the body of a message that has a
DKIM signature is clearly wrong, too.
(And yes, I agree that ideally nobody should use SPF "-all", nobody
should use forwarding, and everyone should send SMTP-compliant messages,
but those are beyond my control.)
--
Robert L Mathews
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
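As an added illustration (not part of the original post or of Postfix), the following Python reproduces steps 4 and 5 of the list above: it flags body lines longer than 998 bytes, breaks them the way the Postfix SMTP client does (inserting CR LF SP, here approximated at each `smtp_line_length_limit` boundary), and shows that the DKIM body hash (`bh=`) changes under both the simple and the relaxed body canonicalization of RFC 6376. The wrapping routine and the sample body are constructed approximations, not Postfix's code or a real message.

```python
import base64
import hashlib
import re

LIMIT = 998  # Postfix default smtp_line_length_limit, the RFC 5322 2.1.1 maximum


def overlong_lines(body: bytes, limit: int = LIMIT) -> list:
    """Report (line_number, length) for body lines longer than `limit` bytes, CRLF excluded."""
    return [(n, len(line)) for n, line in enumerate(body.split(b"\r\n"), 1) if len(line) > limit]


def wrap_like_postfix(body: bytes, limit: int = LIMIT) -> bytes:
    """Approximation (constructed, not Postfix code) of the SMTP client's wrapping:
    break each line at every `limit` boundary by inserting CR LF SP."""
    out = []
    for line in body.split(b"\r\n"):
        pieces = [line[i:i + limit] for i in range(0, len(line), limit)] or [b""]
        out.append(b"\r\n ".join(pieces))
    return b"\r\n".join(out)


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: strip trailing WSP per line, collapse
    WSP runs to one SP, drop trailing empty lines. Leading WSP is kept, so the SP that
    follows the inserted CR LF still changes the hash."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon=simple_body_canon) -> str:
    """The DKIM bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def demo() -> dict:
    # Constructed sample body: one 1500-byte line (think base64 or minified HTML).
    body = b"Hello,\r\n" + b"A" * 1500 + b"\r\nRegards\r\n"
    wrapped = wrap_like_postfix(body)
    return {
        "overlong_before": overlong_lines(body),
        "overlong_after": overlong_lines(wrapped),
        "simple_bh_changed": body_hash(body, simple_body_canon) != body_hash(wrapped, simple_body_canon),
        "relaxed_bh_changed": body_hash(body, relaxed_body_canon) != body_hash(wrapped, relaxed_body_canon),
    }
```

Running `overlong_lines` on inbound mail lets a forwarder identify the messages that will fail downstream before they are sent on, since the original hash cannot be restored once the lines are broken.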