IETF Logo Mail Archive

Re: [Ietf-dkim] Question about lone CR / LF

"Murray S. Kucherawy" <superuser@gmail.com> Sat, 03 February 2024 21:14 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92158C14F699 for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 13:14:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ex3GC6NuBNl for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 13:14:03 -0800 (PST)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B903C14F689 for <ietf-dkim@ietf.org>; Sat, 3 Feb 2024 13:14:03 -0800 (PST)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-a27e7b70152so123186766b.0 for <ietf-dkim@ietf.org>; Sat, 03 Feb 2024 13:14:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706994841; x=1707599641; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OPLqryTtdfIBFBTFwPq8XWTkY6o1W6lcdjO3EZ5fEeA=; b=Pa8E4wRThYkH+qqm3e+LO84OD+54lzJhsUDQo+3kPKWtXfGY4l+iIYYZ2xlhsGgGe7 6VNBpnPTywKaoIAynZ+TMN/dv4cPMFzJzvlvWGR0mYBrJAlGmM2/vGHiSrSNtt1NxZ9X BcfM5C/qV1VtoTpLk7TGKnbrkGOEePuRQE2nZ/rxEw8ium90u02hnK90H+Yid/Pb7xsC /QhzFh/Ll3RSCNZOgUm5nyWmXixTcXuSAj+CL5KSBSe3A8ecTyde7FW3tc1/unafAMMs vf9e3Yr1pDe8ifO+wsv+CpwuF9ciI4RR8GhCmrYPBMtFZs7JT+HAYmYvbFlrRw8w4W9x IGlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706994841; x=1707599641; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OPLqryTtdfIBFBTFwPq8XWTkY6o1W6lcdjO3EZ5fEeA=; b=cuD63vE6DfyQJCramNTXEEA2aX2q6Tl350u8mg3vLz7VsDWpgmkrzVjbr0KjfPvtQu U1JX9OGBXQ3G9L1Ej3xuY8Dtjnl6ggEgrytCs/Zqek/JiSfG7BfJxCe9CnK3p9kyTAKO 2Rtoq68HisS3LPU1XO8Kr6bSqzFkj8IzuEm3zVZ+68jofely+YPlMVAAfhWP87ZR7Oeh R20ftM5GngpWP1mvIoKEMzhFzsc0lBSS2DZTM0su7iSZsOt5T9pkmW1vRy+gf3zjz6eX J2J9wELcMQwr4beq4ZPXYBvmkzXgRQqPI1f/A9rH1FM4mBBDgc1bT7eMLHBVrPrxxNta OCMw==
X-Gm-Message-State: AOJu0YxBjh03R5k1hBnleENHkE8Rvgqq7lKcclGVtdS4LWJhOpxEwV2P PhcbA2NklyOPmvCVdqbtnhhEbh4KZPRD2FrcF7ptkncDFc5q26UFcUoOuP7aJeS3UjDYjag5vrF edFitpCZcWFOTlHaoOBd5vr9sIEtOjVupUzE=
X-Google-Smtp-Source: AGHT+IH1z45m010JAaMzmGFkctdRRSD+nOU2utZDF7bddMURuHGxrc2fC8XtXQ12axDXDcsSZwNfopG1Z0/aBMCxC2w=
X-Received: by 2002:a17:907:9711:b0:a37:625d:396f with SMTP id jg17-20020a170907971100b00a37625d396fmr1533336ejc.5.1706994840997; Sat, 03 Feb 2024 13:14:00 -0800 (PST)
MIME-Version: 1.0
References: <20240202043446.AAF26820F0AD@ary.qy> <f9c11d1a-7799-4946-b95e-7c9c682d60ba@dcrocker.net>
In-Reply-To: <f9c11d1a-7799-4946-b95e-7c9c682d60ba@dcrocker.net>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sat, 03 Feb 2024 13:13:47 -0800
Message-ID: <CAL0qLwZyXV11ZeULceA5sQbStky4ashJgBVmr_=8vaKZkykSiQ@mail.gmail.com>
To: dcrocker@bbiw.net
Cc: John Levine <johnl@taugh.com>, ietf-dkim@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002193b1061080b538"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/4Z6dI0QKhHQB9sVhvauyj8-doBc>
Subject: Re: [Ietf-dkim] Question about lone CR / LF
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2024 21:14:07 -0000

On Sat, Feb 3, 2024 at 5:40 AM Dave Crocker <dhc@dcrocker.net> wrote:

> Having a DKIM module check for one aspect of RFC5322 conformance -- raises
> a need to make it a full RFC5322 compliance engine.
>
> If it doesn't, then the  attention to compliance is a random walk through
> whatever concerns are fashionable at the moment.  That is, is sprinkles
> stray bits of compliance code in a place that won't be -- and shouldn't be
> -- expected to have it.
>

I generally agree with the idea that there's a layering problem here, i.e.,
that a DKIM filter should be able to safely presume that its input will
comply with RFC5322 and not alter the message at all other than adding the
signature.  But on review, it seems like I've tiptoed over that line from
time to time in support of robustness in some form or another.  For
instance:

OpenDKIM will not sign a message that fails basic RFC5322 header checks
(e.g., "From" or "Date" is missing), but will place an
Authentication-Results field indicating the message is malformed.  At some
point, though, someone talked me into making it possible to bounce such a
message in the filter.  I wish I could remember the full context.

It also allows for specification of things that are likely to be rewritten
downstream (e.g., address canonicalization), which it can then simulate
when computing its hashes, in order to make validation of the signature at
the verifier more likely to succeed.[*]

It also optionally does LF to CRLF translation.  I'm fairly certain this is
to accommodate local/human SMTP injections since humans can't be expected
to type CRLFs when entering manual tests from a shell.  Again, though, this
only alters what's fed to the hash, as it expects the MTA will do this
conversion before the message is relayed en route to its destination; not
doing so dooms the signature to failure.

I think most of this is because the original milter interface, on which
this work was based, is an SMTP input filter.  Output filtering wasn't
originally available, meaning the filter saw the raw form of the input
rather than a "treated" form, and had to anticipate what the recipient
would see.

Maybe this illustrates the difference between pure software engineering and
applied software engineering?

-MSK

[*] The success of this feature is what makes me think a "list transforms"
extension to DKIM might also succeed.

v2.23.0 | Report a Bug | By Email