• Sendmail Folding To/CC Headers and Breaking DKIM Signatures

    From Phil! Gold@21:1/5 to All on Wed Sep 29 14:43:05 2021
    I'm running Sendmail 8.14.7 (on a Scientific Linux 7 system), and I'm running into a problem where Sendmail sometimes breaks DKIM signatures on forwarded messages.

    More specifically:

    1. I have accounts on the system with either aliases or .forward files that direct Sendmail to cause all incoming messages to those accounts to be forwarded to external email addresses on different domains.

    2. When Sendmail forwards messages, it sometimes reformats To: or CC: headers. Specifically, if it has a number of recipients on a single line, it will (sometimes) fold the header onto multiple lines and will place only one or two recipients on each line.

    3. If the message's original DKIM signature included the To or CC header and used the simple canonicalization scheme, validation of that signature will now fail.

    4. If the target of the forwarding uses DMARC (and the original sender's domain has a DMARC policy), the forwarded message will now fail DMARC validation and (subject to policy) may be rejected by the target mail server.

    I would like the above chain of events not to happen. I can't control the DMARC settings used by people who send us mail, and I can't tell my account owners not to forward their mail. Can I prevent Sendmail from altering email headers as it forwards messages? Is there something else I can do?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
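Added example (not part of the original thread or of Sendmail's code): a sketch of the two RFC 6376 header canonicalizations, showing why the re-folding described in points 2 and 3 changes the bytes a "simple" signature covers while "relaxed" absorbs it. The addresses, header values, signed-header list and function names are constructed for illustration, and this compares canonical header bytes only; it is not a full DKIM verifier.

```python
import re

def canon_simple(field: bytes) -> bytes:
    """RFC 6376 section 3.4.1: the header field is hashed exactly as received."""
    return field

def canon_relaxed(field: bytes) -> bytes:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse and trim WSP."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)         # WSP run -> single SP
    return name.strip().lower() + b":" + value.strip(b" \t\r\n") + b"\r\n"

def broken_fields(before, after, signed, canon):
    """Signed header names whose canonical bytes differ after forwarding."""
    return [h for h in signed if canon(before[h]) != canon(after[h])]

# Constructed sample: headers as the signer saw them ...
BEFORE = {
    "from": b"From: sender@example.org\r\n",
    "to": b"To: a@example.com, b@example.com, c@example.com, d@example.com\r\n",
    "cc": b"Cc: e@example.com, f@example.com, g@example.com\r\n",
    "subject": b"Subject: quarterly report\r\n",
}
# ... and after a forwarder re-folded To and Cc (also constructed)
AFTER = dict(
    BEFORE,
    to=b"To: a@example.com, b@example.com,\r\n\tc@example.com, d@example.com\r\n",
    cc=b"Cc: e@example.com,\r\n\tf@example.com, g@example.com\r\n",
)
SIGNED = ["from", "to", "cc", "subject"]  # constructed h= list

if __name__ == "__main__":
    print("simple :", broken_fields(BEFORE, AFTER, SIGNED, canon_simple))
    print("relaxed:", broken_fields(BEFORE, AFTER, SIGNED, canon_relaxed))
```

Relaxed canonicalization only absorbs folding, whitespace and header-name case changes; a forwarder that rewrites anything else in a signed header breaks the signature under either scheme.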
  • From Claus Aßmann @21:1/5 to All on Thu Sep 30 05:37:55 2021
    Phil! Gold wrote:

    > 3. If the message's original DKIM signature included the To or CC header and used the simple canonicalization scheme, validation of that signature will now fail.

    Ask the sender not to use "simple"?

    > forward their mail. Can I prevent Sendmail from altering email headers as it forwards messages? Is there something else I can do?

    Unfortunately that requires a code change. Maybe you can write a
    patch to add an option for sendmail to act as "pure MTA" which does
    not modify headers?

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
    --
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
    A: Top-posting.
    Q: What is the most annoying thing on usenet?

  • From Phil! Gold@21:1/5 to All on Thu Sep 30 06:10:13 2021
    On Thursday, September 30, 2021 at 1:37:57 AM UTC-4, Claus Aßmann wrote:
    > Phil! Gold wrote:
    >> DKIM signature ... simple canonicalization scheme, validation of that signature will now fail.
    > Ask the sender not to use "simple"?

    I can ask individual sites to change their DKIM parameters, but I don't expect I'll gain much traction with that approach. Especially since simple is part of the RFC. And I can't anticipate every other site that will happen to send mail to any one of my users in the future and check ahead of time to see what their exact DKIM parameters are.

    >> Can I prevent Sendmail from altering email headers as it forwards messages?
    > Unfortunately that requires a code change. Maybe you can write a
    > patch to add an option for sendmail to act as "pure MTA" which does
    > not modify headers?

    Okay. I'll have to spend some time figuring out whether patching sendmail or switching to a different MTA will be a better solution for us.

    Thanks!
