nanog mailing list archives

opendkim (was: Re: Gmail (thus Nanog) rejecting ipv6 email)


From: Bjørn Mork <bjorn () mork no>
Date: Mon, 04 Apr 2022 14:58:38 +0200

"John Levine" <johnl () iecc com> writes:
> It appears that Michael Thomas <mike () mtcc com> said:
>>
>> On 4/3/22 12:12 PM, Bjørn Mork wrote:
>>> On a slightly related subject... This DKIM failure surprised me, but at
>>> least I verified that many NANOG subscribers have mailservers returning
>>> DMARC failure reports ;-)
>>
>> Oh wow, you should report that to Murray.
>
> It's on Github, so you can open an issue and if you're
> feeling inspired a fork and a patch.  There's currently
> 67 open issues and 15 pull requests so don't hold your breath.
>
> https://github.com/trusteddomainproject/OpenDKIM

There is absolutely nothing wrong with opendkim.

Sorry for this off-topic noise.  opendkim is an excellent tool, which
helped me find the real problem with a simple "Diagnostics yes" in the
config file.

My problem was caused by bad interaction between nullmailer and
sendmail. Turns out that nullmailer removes quotes around the
display-name unless required, while sendmail adds quotes it considers
necessary.  The end-result is a Cc header looking exactly like the one I
sent.  Only problem is that it wasn't that header opendkim got.

1) I submitted this to nullmailer:

  Cc: John Levine <johnl () iecc com>,
          "North American Network Operators' Group" <nanog () nanog org>

2) nullmailer forwarded this to sendmail:

  Cc: John Levine <johnl () iecc com>,
          North American Network Operators' Group <nanog () nanog org>

3) opendkim signed the mail using the unquoted Cc header

4) sendmail added quotes and forwarded this:

  Cc: John Levine <johnl () iecc com>,
          "North American Network Operators' Group" <nanog () nanog org>

5) validation failed since the header signature was based on the
  unquoted version.


The header modification in transit is the real bug.  IMHO neither
nullmailer nor sendmail should change the Cc header here. They should
rather reject the mail if they don't like the headers.  But I can't see
any reasons for that.  Both the quoted and the unquoted versions are
fine according to my understanding of RFC5322.

Any hints on how to configure sendmail to avoid this are appreciated.

I can always patch nullmailer. But the same problem can be triggered by
any client submitting an unquoted display-name with an apostrophe to
sendmail. Possibly also other characters which are allowed in an atom.

I do understand why most people just go with gmail...




Bjørn
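
As an added example (not part of the original post, and not code from opendkim, nullmailer or sendmail): the sketch below applies the relaxed header canonicalization of RFC 6376 section 3.4.2 to the Cc header from steps 2 and 4, showing that re-quoting the display-name changes the bytes feeding the signed header hash while a whitespace-only refold does not. The addresses, the `REFOLDED` variant and all function names are constructed for this example.

```python
import hashlib
import re

# RFC 5322 atext: characters allowed in an atom besides ALPHA / DIGIT.
ATEXT_SPECIALS = "!#$%&'*+-/=?^_`{|}~"


def relaxed_header(field: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # collapse WSP runs to one SP
    value = value.strip(" \t\r\n")               # drop WSP around the value
    return (name.strip().lower() + ":" + value + "\r\n").encode()


def header_digest(field: str) -> str:
    """SHA-256 over the canonicalized field, as a stand-in for the header hash input."""
    return hashlib.sha256(relaxed_header(field)).hexdigest()


def needs_quoting(display_name: str) -> bool:
    """True if any word contains a character outside RFC 5322 atext."""
    allowed = set(ATEXT_SPECIALS)
    return any(not (ch.isascii() and ch.isalnum()) and ch not in allowed
               for word in display_name.split() for ch in word)


# Constructed sample headers (placeholder addresses), modelled on steps 2 and 4.
SIGNED = ("Cc: John Levine <johnl@example.com>,\r\n"
          "\tNorth American Network Operators' Group <nanog@example.org>\r\n")
DELIVERED = ("Cc: John Levine <johnl@example.com>,\r\n"
             "\t\"North American Network Operators' Group\" <nanog@example.org>\r\n")
# Whitespace-only change: different case, fold and spacing, same characters otherwise.
REFOLDED = ("CC:  John Levine <johnl@example.com>, "
            "North American Network Operators' Group   <nanog@example.org>\r\n")

if __name__ == "__main__":
    for label, field in (("signed", SIGNED), ("refolded", REFOLDED),
                         ("delivered", DELIVERED)):
        print(f"{label:10} {header_digest(field)[:16]}  {relaxed_header(field)!r}")
    print("apostrophe forces quoting:",
          needs_quoting("North American Network Operators' Group"))
```

Relaxed canonicalization only normalizes header-name case and whitespace, so any rewrite of quoting between the signer and the verifier invalidates the signature regardless of the `c=` setting.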

