Bad DKIM signatures over various whitespace problems #42
Description
Sometimes, emails get an invalid DKIM signature. I wrote about these to [email protected], but perhaps here's a better place. It's a long thread so I'll reproduce highlights of it here:
Using a fairly typical OpenSMTPD+rspamd setup, I'm finding that emails sent that have the ^L escape in them or end with a trailing space and a newline come out with an invalid DKIM signature. Something basic like:
filter rspamd proc-exec "filter-rspamd"
listen on ... filter rspamd
Everything else is otherwise pretty default and vanilla.
Here are two emails that exhibit the issue in mbox format, so you can open these with mutt -f ./file.mbx and then use b to bounce them through opensmtpd+rspamd.
$ base64 -d > naughty-email1.mbx
RnJvbSA5YjM1Mzg5NWViZGUyZDgzZTA5MTk4YTYzZGJjYmVlMmNmNTg5OWQ0IE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiAiSmFzb24gQS4gRG9uZW5mZWxkIiA8SmFzb25AengyYzQuY29t
PgpEYXRlOiBUdWUsIDI2IEp1bCAyMDIyIDAwOjIwOjIxICswMjAwClN1YmplY3Q6IHRlc3QgY29y
cnVwdGlvbiB3aXRoIGEgXkwgbWVzc2FnZQpNSU1FLVZlcnNpb246IDEuMApDb250ZW50LVR5cGU6
IHRleHQvcGxhaW47IGNoYXJzZXQ9VVRGLTgKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogOGJp
dAoKZGlmZiAtLWdpdCBhL0xJQ0VOU0VTIGIvTElDRU5TRVMKaW5kZXggY2QwNGZiNmU4NC4uNTMw
ODkzYjFkYyAxMDA2NDQKLS0tIGEvTElDRU5TRVMKKysrIGIvTElDRU5TRVMKQEAgLTM4OSwyNiAr
Mzg5LDMgQEAgQ29weXJpZ2h0IDIwMDEgYnkgU3RlcGhlbiBMLiBNb3NoaWVyIDxtb3NoaWVyQG5h
LW5ldC5vcm5sLmdvdj4KICBZb3Ugc2hvdWxkIGhhdmUgcmVjZWl2ZWQgYSBjb3B5IG9mIHRoZSBH
TlUgTGVzc2VyIEdlbmVyYWwgUHVibGljCiAgTGljZW5zZSBhbG9uZyB3aXRoIHRoaXMgbGlicmFy
eTsgaWYgbm90LCBzZWUKICA8aHR0cHM6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LiAgKi8KLQwK
ClRoZSBhYm92ZSBzaG91bGQgY2F1c2UgaXNzdWVzLgo=
$ base64 -d > naughty-email2.mbx
RnJvbSA5YjM1Mzg5NWViZGUyZDgzZTA5MTk4YTYzZGJjYmVlMmNmNTg5OWQ0IE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpEYXRlOiBNb24sIDEwIE9jdCAyMDIyIDE2OjE5OjM5ICswMjAwCkZyb206
IGphc29uQHp4MmM0LmNvbQpUbzogamFzb25AengyYzQuY29tClN1YmplY3Q6IG9oIG5vIGFub3Ro
ZXIgb25lIG9mIHRoZXNlIHRlc3RzCk1JTUUtVmVyc2lvbjogMS4wCkNvbnRlbnQtVHlwZTogdGV4
dC9wbGFpbjsgY2hhcnNldD11dGYtOApDb250ZW50LURpc3Bvc2l0aW9uOiBpbmxpbmUKCiAK
Try sending these messages through OpenSMTPD + rspamd, and you'll find that invariably the signature is wrong.