Dan Mahoney via Postfix-users wrote in
<[email protected]>:
Ach, sigh, i bite. I still have deliveries enabled.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gushi.org;
s=prime2014; t=1780072473;
bh=YgPT68lrJBWKxzm07mq/GGgTx74LXecU994JYFXAgMM=;
h=From:Subject:Date:To;
You possibly want to say or do loudly to protect users, regarding
MIME attacks (eg noxxi
https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
).
(Mind you that it is possible to request CVEs only for the fact
that a software does not use a "safe-by-default" strategy, which
yours would not shall the above be a default. And, eh, i will not
do so.)
Do you plan to do something to fix DKIM? *AKA* streamline it for
interoperability?
They never had interest or capability (that is unlikely though) to
fully penetrate what they were specifying. It is not only the
isspace()/isblank() handling of OpenDKIM, but ..
Because as of today, and for long, you see code like
[for bytes in body data]
char c = *p;
if(c == '\r'){
if(q > 0 && relaxed[q-1] == ' ')
q--;
}
...
relaxed[q++] = c;
but there is
obs-body = *((*LF *CR *((%d0 / text) *LF *CR)) / CRLF)
And i think it is wrong for eg SP CR SP CR SP CRLF.
(^didn't think much of that myself sofar. i write immediately.)
Now you may say that you know that, and this is one reason why you
have not chosen the "relaxed" body normalization, but only
"simple", which lets these things alone.
Right.
But you did use "relaxed" for headers once i looked last. And
there you may have
ccontent = ctext / quoted-pair / comment
quoted-pair = ("\" (VCHAR / WSP)) / obs-qp
obs-qp = "\" (%d0 / obs-NO-WS-CTL / LF / CR)
and at the same time i can see code like
[for bytes in a complete header line]
if(c == '\r' || c == '\n') /* Ignore CR & LF */
continue;
in "relaxed" header normalization, whereas i for example include
them.
In general it seems to me lack of advice regarding these is what
i failed to get positive feedback from people who do no good to
DKIM (not sorry to say this is you).
RFC 5322(-bis) says these things MUST be understood.
(And i am fine with that, not to be misunderstood.)
And then, you know, milters do not even come over with CRLF, like
Mr. Assmann said (on this list iirc):
Header continuation lines are separated with LF, and milters
SHOULD NOT use CRLF but only LF for these, too: it is up to the
MTA to adjust that.
So any lone LF (or CR; i asked on the DKIM list years ago, but
they even found it funny i think; they have a very strange sense
of humour, indeed) will cause breakage, too.
And isn't this a bad idea for "simple", to "let anything alone",
then, either?
So much love for DNSSEC from my side, but i think those people
never were interested in creating an interoperable environment for
"mailop". This should be fixed very first.
(The little DKIM signer i wrote does it "right", by the way, for
at least CR, which is very complicated, .. and it is of course
very wrong, given that "lone LF" just cannot be treated right by
milters, which is why i still think the above code, mostly from
2009 if i remember right, is the only *sane* way to do DKIM *in
practice*, but *these people* have no idea of what they are doing,
nor have they enough character to reflect that. I do not know why
you are silenced for telling the truth, .. what a mess.)
Since no DKIM software i ever looked at, as far as i remember, has
any interest in understanding "quoted-pair" at all, and if it
would be me, you know, i *will* do this for this DMARC-freed email
world i am dreaming of, they should not need to, *but* they should
ignore any LF and CR, like the above code, in very widespread use
(still), does *since 2009*. *OH, MY GOOÐNESS*.
Thank you.
And a nice weekend i wish everybody.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
