On 06.05.2026 21:51, Steffen Nurpmeso via Postfix-users wrote:
Håkon Alstadheim via Postfix-users wrote in
<[email protected]>:
|I am having trouble that mail to some recipients from an outlook user is
|getting DKIM fail. I /believe/ (*) this is because a header with an
|empty first line, like:
|
|> References:
|> <cabw_nmrffv9cx-xfrqjwbbazddabzgr_8bhqcb7mfm_yg+m...@mail.gmail.com>
|> <[email protected]>
|
|is "fixed" by upstream to not start with an empty line, thus breaking
|dkim signing. Mail leaving my host has DKIM signature containing:
|
|[...]References:=0D=0A=09<CABW_NmRF[...]
This header should not undergo Content-Transfer-Encoding, like
quoted-printable in the example. It has no business with MIME.
The mailer user agent or whatever generates this is wrong, as
it breaks the RFC 5321 defined allowed content of References.
Ah, I think I may have been unclear, that is an excerpt from the DKIM
header, captured in a BCC before it leaves my site. In full:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=alstadheim.priv.no;
s=smtp; t=1771261642;
bh=Q04ywDo9fUvXOthKMQpElrCh7t//CDHVHODNDguzHN4=;
h=From:To:Subject:Date:References:In-Reply-To:From;
z=From:=20"[email protected]"=20<[email protected]>|To:
=20"[email protected]"=20<[email protected]>|Subject:=20=3D?is
o-8859-1?Q?Alstadheim_-_vegg_mot_s=3DF8r?=3D|Date:=20Mon,=2016=20F
eb=202026=2017:07:19=20+0000|References:=0D=0A=09<CABW_NmRFFV9cx-X
[email protected]>=0D=0A=20<012f0
[email protected]>|In-Reply-To:=20<012
[email protected]>;
b=gpWn7k/vE1ZxqC/fA2nboJmB7Sq+xzZPKoiWIgxFPRP7BmKcGGZN+VWzSR3UJBt+G
qotacJuHYqpvCzH871IebkdmV7qiC1I7FlR94nasjnUkcUAN/pPuQ7Qc5PmJhE6x7P
HLViZH/QG3kEwzsvG1w5iYFPpjnWO5uJ0M7xL+U8=
I take this to indicate that the mail that was signed contained those
hex characters (uncoded), which the BCC file does indeed, except that
the line-ending is only 0xA, with no 0xD when it is stored locally on disk.
It is possibly questionable whether postfix should reject this, or
correct this, or whatever.
Beside this DKIM works on the raw data, and therefore should
see exactly what you show above. It does not even know whether
that is right or wrong, it has no business with content
verification, it only normalizes the data stream according to
rules (whitespace, mostly), in order to be able to
cryptographically verify what it has seen, portably.
|Putting a header_checks with "/^References:[\x0a\x0d\x09\x20]+(.*)/
|REPLACE References: $1" seems to have fixed dkim-signing, but I've
|noticed that attached ("nested") emails also get edited, and I'd like to
|*only* edit the actual message headers, leaving attachments alone.
|Anybody have a recipe for that?
|
|* Note: I don't *know* that I'm on the right track here. I've had
|trouble getting hold of mails as they look at the receiving end, and not
|all mails fail, maybe because the headers don't have empty lines, maybe
|because I'm totally wrong in my understanding.
This is very mysterious. Especially since what you say you have
removed is actually bytes that are part of the normalization
pattern of DKIM..
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
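Added example, not part of the original messages: the signature quoted in the thread uses c=simple/simple, and this sketch compares how the "simple" and "relaxed" header canonicalizations of RFC 6376 treat a References field whose leading fold is removed after signing. The Message-IDs are constructed placeholders and the function names are hypothetical; only the single field's canonical bytes are compared, not a full signature.

```python
import re

def canon_simple(field: bytes) -> bytes:
    # RFC 6376 section 3.4.1: the header field is used byte for byte.
    return field

def canon_relaxed(field: bytes) -> bytes:
    # RFC 6376 section 3.4.2: lowercase the name, unfold, collapse
    # whitespace runs, trim whitespace around the colon and at the end.
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)        # WSP run -> single SP
    value = value.rstrip(b" \t\r\n").lstrip(b" \t")
    return name.rstrip(b" \t").lower() + b":" + value + b"\r\n"

def survives_rewrite(signed: bytes, received: bytes, canon) -> bool:
    # The header hash can only still match if the canonical bytes are equal.
    return canon(signed) == canon(received)

# Constructed sample data (placeholder Message-IDs, not the ones from the thread).
AS_SIGNED = b"References:\r\n\t<first@example.org>\r\n <second@example.org>\r\n"
AS_REWRITTEN = b"References: <first@example.org>\r\n <second@example.org>\r\n"

if __name__ == "__main__":
    for label, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
        ok = survives_rewrite(AS_SIGNED, AS_REWRITTEN, canon)
        print(f"{label:8} canonical form unchanged: {ok}")
```
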