Re: [exim] Exim4 vs Gmail - DKIM algorithms incompatibility

Author: Todd Lyons
Date:  
To: Tomasz Kusy
CC: exim-users
Subject: Re: [exim] Exim4 vs Gmail - DKIM algorithms incompatibility
On Thu, Oct 31, 2013 at 6:58 AM, Tomasz Kusy <t.kusy@???> wrote:
> Hello,
> Tested on Exim version 4.72 with DKIM.
>
> We noticed a weird problem.
> Some of the messages sent to gmail didn't pass DKIM verification:
>
> Authentication-Results: mx.google.com;
>        dkim=fail (test mode) header.i=@xxxxxx.xx

>
> After hours of debugging we found why:
>
>     PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
>     date:Thu,{SP}31{SP}Oct{SP}2013{SP}12:59:16{SP}+0100{CR}{LF}
> subject:Test:{SP}+200{SP}=?UTF-8?Q?punkt=C3=B3w?={SP}w{SP}xxxxxx!{SP}{CR}{LF}
> from:"XXXXX{SP}Newsletter"{SP}<newsletter@xxxxxxxx>{CR}{LF}
>     PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

>
> In this case the subject had whitespace (marked as {SP}) at the end of the line (before
> {CR}{LF}).
> To compute the hash for headers, exim uses this {SP}, but gmail ignores it.
> The comparison of hashes results in a failure.
>
> I know that this whitespace shouldn't occur there, but exim4 allows that.


Are you signing with simple (i.e. strict) or relaxed? From the DKIM spec:

3.4.4.  The "relaxed" Body Canonicalization Algorithm
   The "relaxed" body canonicalization algorithm:
   o  Ignores all whitespace at the end of lines.  Implementations MUST
      NOT remove the CRLF at the end of the line.



If you are signing with simple, then Gmail is messing up by not
including that space as part of the canonicalization. If you are
signing with relaxed, then Exim is messing up by including that space
as part of the canonicalization.

...Todd

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
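
Added example, not part of the original message and not Exim's code: RFC 6376 header canonicalization (section 3.4.1 "simple", section 3.4.2 "relaxed") applied to a constructed copy of the Subject line from the report, showing that a signer which keeps the trailing space and a verifier which strips it compute different header hashes. The function names and the `strip_trailing_wsp` switch are hypothetical, and the hash covers only the listed fields, not the DKIM-Signature field a real verifier also hashes.

```python
import hashlib
import re

def canon_simple(field: bytes) -> bytes:
    # RFC 6376 3.4.1: the header field is hashed exactly as transmitted.
    return field

def canon_relaxed(field: bytes, strip_trailing_wsp: bool = True) -> bytes:
    # RFC 6376 3.4.2. strip_trailing_wsp=False is a hypothetical switch that
    # reproduces the {SP}{CR}{LF} ending visible in the debug output above.
    name, sep, value = field.partition(b":")
    if not sep:
        raise ValueError("header field has no colon")
    if value.endswith(b"\r\n"):
        value = value[:-2]                      # terminating CRLF, re-added below
    value = value.replace(b"\r\n", b"")         # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)     # collapse WSP runs to one SP
    value = value.lstrip(b" ")                  # no WSP after the colon
    if strip_trailing_wsp:
        value = value.rstrip(b" ")              # no WSP at the end of the value
    return name.rstrip(b" \t").lower() + b":" + value + b"\r\n"

def keep_trailing(field: bytes) -> bytes:
    # Relaxed canonicalization minus the end-of-value whitespace removal.
    return canon_relaxed(field, strip_trailing_wsp=False)

def header_hash(fields, canon) -> str:
    # Simplified: SHA-256 over the canonicalized fields in sequence.
    h = hashlib.sha256()
    for f in fields:
        h.update(canon(f))
    return h.hexdigest()

def signer_matches_verifier(signer_canon, verifier_canon, fields) -> bool:
    return header_hash(fields, signer_canon) == header_hash(fields, verifier_canon)

# Constructed sample headers modelled on the report (note the SP before CRLF).
DATE = b"Date: Thu, 31 Oct 2013 12:59:16 +0100\r\n"
SUBJECT_SP = b"Subject: Test: +200 =?UTF-8?Q?punkt=C3=B3w?= w xxxxxx! \r\n"
SUBJECT_CLEAN = SUBJECT_SP.replace(b" \r\n", b"\r\n")

if __name__ == "__main__":
    msg = [DATE, SUBJECT_SP]
    print("relaxed      :", canon_relaxed(SUBJECT_SP))
    print("keep trailing:", keep_trailing(SUBJECT_SP))
    print("both relaxed agree:",
          signer_matches_verifier(canon_relaxed, canon_relaxed, msg))
    print("keep-trailing signer vs relaxed verifier agree:",
          signer_matches_verifier(keep_trailing, canon_relaxed, msg))
```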