From: David Jonas (djonas vitalwerks.com)
Date: Tue Dec 02 2008 - 12:02:37 CST
Victor Duchovni wrote:
> On Mon, Dec 01, 2008 at 05:55:28PM -0800, David Jonas wrote:
>
>
>> We provide forwarding to external accounts (e.g. gmail.com) and it
>> appears that in some cases postfix is invalidating the DKIM signatures.
>> The most prominent and obvious case is eBay and PayPal where gmail is
>> now bouncing/dropping messages where the signature doesn't match.
>>
>
> What version of Postfix are you using?
>
>
2.3.8 and 2.4.6-- yea, we're a little behind. Perhaps I'll bring us up
to 2.5 today.
>> I caused ebay to send an email to a gmail address and then to an address
>> that forwards. Doing a diff between the messages show this:
>>
>> # diff -u ebay-fail.txt ebay-pass.txt
>> ...
>> 
-92,6 +83,7 
>> Designated trademarks and brands are the property of their respective
>> owner=
>> s.
>> eBay and the eBay logo are registered trademarks or trademarks of eBay,
>> Inc=
>> -=20
>> +.=20
>> eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.
>>
>
> Most likely Ebay sending software fails to implement RFC 821/2821/5281
> correctly:
>
> http://tools.ietf.org/html/rfc5321#section-4.5.2
>
> not much you can do about that. Postfix can't possibly know all
> the places in which the Ebay software screwed up.
>
> The RFC is quite clear, leading "." characters in SMTP are stripped
> regardless of the following character. Some MTAs only trim "." when
> the next character is also a ".", but this violates the RFC.
>
>
I will attempt to file a bug with eBay/PayPal. Thanks. I'm going to try
to set up a clean environment (no processing at all) to make sure this
is definitely real and not just a side effect. Nothing touches the body
right now, but the message does get juggled a bit before being sent out
again.
>> Adding a "." to that line in the version that doesn't verify causes the
>> message to verify.
>>
>> Is there something I can do to keep postfix from altering this? Am I
>> barking up the right tree, or should I be verifying these and resigning
>> them? Should I just tell my customers, "tough luck, use your gmail
>> account directly?"
>>
>
> Always good to encourage users to use direct routes. In a spam-averse
> world, forwarding often loses to anti-spam strategies that use or
> build origin reputation.
>
>
Indeed. I would like to do away with it altogether on our system. It is
the source of much trouble.