On Thu, Oct 31, 2013 at 6:58 AM, Tomasz Kusy <t.kusy@???> wrote:
> Hello,
> Tested on Exim version 4.72 with DKIM.
>
> We noticed weird problem.
> Some of messages sent to gmail didn't pass DKIM verification:
>
> Authentication-Results: mx.google.com;
> dkim=fail (test mode) header.i=@xxxxxx.xx
>
> After hours of debug we found why:
>
> PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
> date:Thu,{SP}31{SP}Oct{SP}2013{SP}12:59:16{SP}+0100{CR}{LF}
> subject:Test:{SP}+200{SP}=?UTF-8?Q?punkt=C3=B3w?={SP}w{SP}xxxxxx!{SP}{CR}{LF}
> from:"XXXXX{SP}Newsletter"{SP}<newsletter@xxxxxxxx>{CR}{LF}
> PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> In this case subject had whitespace (marked as {SP}) at end of line (before
> {CR}{LF}) .
> To compute hash for headers, exim uses this {SP}, but gmail ignores it.
> The compare of hashes results in fail.
>
> I know that this whitespace shouldn't occur there, but exim4 allows that.
Are you signing with simple (ie strict) or relaxed? From the DKIM spec:
3.4.4. The "relaxed" Body Canonicalization Algorithm
The "relaxed" body canonicalization algorithm:
o Ignores all whitespace at the end of lines. Implementations MUST
NOT remove the CRLF at the end of the line.
If you are signing with simple, then Gmail is messing up by not
including that space as part of the canonicalization. If your are
signing with relaxed, then Exim is messing up by including that space
as part of the canonicalization.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
