Re: [Ietf-dkim] Question about lone CR / LF

John R Levine <johnl@taugh.com> Fri, 02 February 2024 03:05 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B3FCC14F5F5 for <ietf-dkim@ietfa.amsl.com>; Thu, 1 Feb 2024 19:05:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="IvWDUMhY"; dkim=pass (2048-bit key) header.d=taugh.com header.b="N+909GAe"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SMwyrGkCoBi8 for <ietf-dkim@ietfa.amsl.com>; Thu, 1 Feb 2024 19:05:33 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE52CC14F6AB for <ietf-dkim@ietf.org>; Thu, 1 Feb 2024 19:05:08 -0800 (PST)
Received: (qmail 55197 invoked from network); 2 Feb 2024 03:05:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=d79b65bc5be2.k2402; bh=WTjX6xrNdms0lhHYCOWlyBkpxBavNDDjGvaVko3DxN4=; b=IvWDUMhYfZkO/WZsYqI/a/29M0j9KRRHwA+uZGgL+XBwp4c7NefJU3hM03J0i40rV3mLACTXDoZ1cHNNFWq3ReXeV+vOroM9caupRqbrfYu7Bl9EXsHnscdTQG39Hxa+7UGKDGrEEhScKToyyfAI3tKauUSzkmnMkyhgbx72oUYfL7o8R4COnA2zlVT+98BKo6OLQoGIvqy5MboOw2tgSK36MDWDhCIsUkp5xlTVFjV+iKXTZA4H/EA+FFFjKikYs40RTXNFmIHSJpFbEzupPD0h9zuBlYcMsBGzgYw1w9eRVEkKIEbNV1yMnqt8nrUzXlwkEyOqV2kVwtJw+6vbXg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=d79b65bc5be2.k2402; bh=WTjX6xrNdms0lhHYCOWlyBkpxBavNDDjGvaVko3DxN4=; b=N+909GAeCRBaiPPNSA3WXAJl30o8hgIGHucvVIdzwkGXHl941gMyoqfLss1Z+pYSX53/YsSufXksX42JQ2KrFu8QzriPnTbgjAdw406g57eC8RZKaXeQMyUTd8MErNVAxaD8J6f8zgnTVQvyixvIr7IScgp2qIkV9CG8ucwNG6oT6YvjE0tYtY74gneXiY4dE9yqokIyxDqPstHZFztoh00wW+L4OVFANqX1kxHfo2vQzRRbDRxfD8BRVTrOIeLi8SeL1eLDtEc49jbQW7pBFWs4qpPR0IXsYPwmL2uAMg2h9t2G3IopyLxTDVm88k1TZBYl8XT7mBy2Tv/3+YsZhg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 02 Feb 2024 03:05:06 -0000
Received: by ary.qy (Postfix, from userid 501) id 240A7820D9F1; Thu, 1 Feb 2024 22:05:05 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id ADD07820D9D3; Thu, 1 Feb 2024 22:05:05 -0500 (EST)
Date: Thu, 01 Feb 2024 22:05:05 -0500
Message-ID: <e2753f82-cc7b-d220-cd42-2afb3f5865be@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Dave Crocker <dcrocker@bbiw.net>
Cc: ietf-dkim@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <95f2ba17-a81e-4adc-97d0-6c7387ade5f5@dcrocker.net>
References: <20240201180340.852B6820560B@ary.qy> <E8C1422D-4A9C-412A-BF5E-D07CABD2BFE2@callas.org> <95f2ba17-a81e-4adc-97d0-6c7387ade5f5@dcrocker.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/HQ9z5TJArFhzs6EHCE8ZO6a1AB0>
Subject: Re: [Ietf-dkim] Question about lone CR / LF
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 03:05:39 -0000

On Thu, 1 Feb 2024, Dave Crocker wrote:
>> Me, I would *not* put in code looking for bare CRs or LFs. ...

> A 5322 processor gets to decide what is a valid message.  That's not DKIM's 
> job.  And DKIM has no inherent reason to care about CR or LF on their own, as 
> distinct from any other character on its own.

Layering is a fine principle, but it's not how DKIM has ever worked in 
practice.  Two weeks ago we had a long discussion about oversigning, so 
DKIM validators can catch messages with multiple From: or Subject: headers 
which have never been valid in any version of 822/2822/5322 but show up 
anyway.

For the specific issue of bare CR or LF, I was reminded on another list 
that there is a trendy attack called SMTP smuggling which depends on mail 
software inconsistently accepting bare CR or LF, and mail providers are 
busy patching to fix it.

Read all about it here: https://smtpsmuggling.com/

I realize that there are plenty of ancient mail messages in archives with 
bare CR or LF, but none of them are going to be signed or verified now. 
You're not doing your users any favors by signing or verifying a 
message-like thing that contains them.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
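The check the message argues for, a DKIM signer or verifier refusing a message that contains a bare CR or LF, is shown below as an added example; it is not code from the list thread or from any DKIM implementation. RFC 5322 only permits CRLF as a line terminator, so the scan flags every CR not followed by LF and every LF not preceded by CR. The function names (`find_bare_line_endings`, `dkim_precheck`) and the sample messages are constructed for the example.

```python
import re

# Constructed sample messages (not taken from the thread). Only the first
# one uses CRLF consistently; the others contain the kind of bare CR or LF
# that inconsistent SMTP and 5322 parsers disagree about.
GOOD_MSG = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody line\r\n"
BARE_LF_MSG = b"From: a@example.com\r\nTo: b@example.com\nSubject: hi\r\n\r\nbody\r\n"
BARE_CR_MSG = b"From: a@example.com\r\n\r\nbody\rmore\r\n"
LF_ONLY_MSG = b"From: a\n\nbody\n"

# A CR that is not immediately followed by LF, and an LF not immediately
# preceded by CR. Byte regexes so the scan works on raw wire data.
_BARE_CR = re.compile(rb"\r(?!\n)")
_BARE_LF = re.compile(rb"(?<!\r)\n")


def find_bare_line_endings(msg: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, "CR" | "LF") for every bare CR or LF in msg,
    sorted by offset. An empty list means every line ends in CRLF."""
    hits = [(m.start(), "CR") for m in _BARE_CR.finditer(msg)]
    hits += [(m.start(), "LF") for m in _BARE_LF.finditer(msg)]
    return sorted(hits)


def has_bare_cr_or_lf(msg: bytes) -> bool:
    """True if the raw message contains any lone CR or LF."""
    return bool(find_bare_line_endings(msg))


def dkim_precheck(msg: bytes) -> tuple[bool, str]:
    """Gate to run before handing a message to a DKIM signer or verifier.

    Returns (True, "ok") when the message is clean, otherwise (False, reason)
    naming the first offending byte so the rejection can be logged."""
    hits = find_bare_line_endings(msg)
    if not hits:
        return True, "ok"
    offset, kind = hits[0]
    return False, f"bare {kind} at byte offset {offset}; refusing to sign/verify"


if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD_MSG), ("BARE_LF", BARE_LF_MSG),
                      ("BARE_CR", BARE_CR_MSG), ("LF_ONLY", LF_ONLY_MSG)]:
        ok, reason = dkim_precheck(msg)
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

Running the gate on the raw bytes, before any canonicalization, matters: relaxed canonicalization and most header parsers will quietly absorb a stray LF, so a check placed after them sees a clean message and signs or verifies exactly the "message-like thing" the post warns about.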