[jira] [Commented] (JAMES-3742) MIME-Version header is changed, breaking DKIM signatures

Mon, 03 Jun 2024 08:02:09 -0700 


    [ 
https://issues.apache.org/jira/browse/JAMES-3742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851682#comment-17851682
 ] 

Benoit Tellier commented on JAMES-3742:
---------------------------------------

2 years of inactivity on this important topic.

I propose to move forward, implement the proposed change AND add a system 
variable in order to allow bypassing this just in case someone find a 
legitimate reason to change mime versions...

We could further improve the proposed code in order to check the mime version 
is 1.0 with optional comment. and not set it again if this is 1.0.

> MIME-Version header is changed, breaking DKIM signatures
> --------------------------------------------------------
>
>                 Key: JAMES-3742
>                 URL: https://issues.apache.org/jira/browse/JAMES-3742
>             Project: James Server
>          Issue Type: Bug
>          Components: James Core
>    Affects Versions: 2.3.2
>            Reporter: Paul Chown
>            Priority: Major
>
> We are using James to forward mails from external email servers to customer 
> accounts.
> Some email clients create emails with the following headers:
> {noformat}
> Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=xxxx.gappssmtp.com; s=20210112;
>         
> h=from:content-transfer-encoding:mime-version:subject:message-id:date:to;
>         bh=...;
>         b=...{noformat}
> So the message is signed by the originator including the {{Mime-Version}} 
> header. The problem is that if we set an additional header with 
> {{SetMimeHeaderHandler}} or invoke the SpamAssassin service then the method 
> {{MimeMessage.updateHeaders()}} is invoked which sets a new mime version 
> header:
> {noformat}
> MIME-Version: 1.0{noformat}
> thereby breaking the DKIM signature from the original sender. We can add our 
> own signature using the new header, but this isn't aligned with the sender 
> domain so it doesn't help. It's probably debatable whether the original Mac 
> mail client mime version header is valid, but it is what it is.
> This seems to be completely broken, but the behaviour is baked into the 
> {{MimeMessage}} class and we can't see any way around it. How can we preserve 
> the original mime-version header and the DKIM signature?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to