> On Apr 26, 2022, at 10:18 AM, Robert L Mathews via mailop <mailop@mailop.org> 
> wrote:
> 
> We've recently been getting more complaints about seemingly valid messages 
> that are rejected when we forward them. Tracking down the problem, it happens 
> when:
> 
> 1. The message that we receive from a third party has line lengths that 
> exceed 998 bytes in violation of RFC 5322 2.1.1;
> 
> 2. The message envelope sender uses SPF "-all";
> 
> 3. The message has a valid, aligned DKIM signature matching the From header 
> when it arrives;
> 
> 4. Postfix wraps the message at 998 bytes when forwarding it due to 
> <https://www.postfix.org/postconf.5.html#smtp_line_length_limit>;
> 
> 5. This breaks the DKIM signature in the forwarded copy, because addition of 
> the "CR-LF-SP" changes the DKIM body hash;
> 
> 6. The forwarding destination finds no valid DKIM signature, so it uses the 
> SPF "-all" and rejects it with a message like this Gmail example: "550 5.7.26 
> This message does not have authentication information or fails to pass 
> authentication checks".
> 
> How do other people handle this problem? I've seen suggestions of simply 
> preventing Postfix from doing any wrapping, like:
> 
> https://github.com/trusteddomainproject/OpenDMARC/issues/166
> 
> It feels a little evil to just pass non-SMTP compliant messages on to others, 
> but on the other hand, changing the body of a message that has a DKIM 
> signature is clearly wrong, too.

The pedantic* answer here might be to make Postfix smart enough to not apply 
this logic *if* there's a DKIM signature with simple/simple in the 
canonicalization.

Postfix itself has zero knowledge of these headers, so adding conditionals to 
tweak this would probably be more trouble than it's worth.

The only way this will pass into Gmail is if Postfix practices that age-old 
adage of computing: garbage in, garbage out.

-Dan

-- 

* Because you can't have pedantic without "Dan"
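
The breakage described in step 5 of the quoted message, as an added example that is not part of the thread and not Postfix's code: it computes the DKIM body hash (`bh=`) before and after a simplified model of CR-LF-SP wrapping at 998 bytes. It goes beyond the thread by checking both the simple and relaxed body canonicalizations of RFC 6376; the function names and sample bodies are constructed for illustration.

```python
import base64
import hashlib
import re

LIMIT = 998  # RFC 5322 2.1.1 line length limit, excluding CRLF


def wrap_long_lines(body: bytes, limit: int = LIMIT) -> bytes:
    """Simplified model of the forwarder: break over-long lines with CR LF SP."""
    out = []
    for line in body.split(b"\r\n"):
        while len(line) > limit:
            out.append(line[:limit])
            line = b" " + line[limit:]  # continuation starts with the added SP
        out.append(line)
    return b"\r\n".join(out)


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "relaxed":
        # Collapse runs of WSP to one SP and drop WSP at end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                 for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):  # ignore empty lines at end of body
        body = body[:-2]
    if not body and mode == "relaxed":
        return b""  # relaxed: an empty body stays empty
    return body + b"\r\n"  # otherwise exactly one trailing CRLF


def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier compares against the bh= tag (SHA-256, base64)."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def survives_forwarding(body: bytes) -> dict:
    """For each canonicalization: does bh= still match after wrapping?"""
    wrapped = wrap_long_lines(body)
    return {m: body_hash(body, m) == body_hash(wrapped, m)
            for m in ("simple", "relaxed")}


# Constructed sample bodies: one with a 1500-byte line, one compliant.
LONG_BODY = b"Hello,\r\n" + b"x" * 1500 + b"\r\nBye\r\n"
SHORT_BODY = b"Hello,\r\nshort lines only\r\nBye\r\n"

if __name__ == "__main__":
    print("long :", survives_forwarding(LONG_BODY))
    print("short:", survives_forwarding(SHORT_BODY))
```

Relaxed canonicalization only normalizes whitespace within lines, so the inserted line break changes the hash under both modes.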