Re: [ietf-smtp] Stray <LF> in the middle of messages

John C Klensin <john-ietf@jck.com> Sat, 06 June 2020 21:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/GQb_lxOCTmIwFfLIeylWVmmYChk>


--On Saturday, June 6, 2020 16:06 -0400 Valdis Klētnieks
<valdis.kletnieks@vt.edu> wrote:

> On Sat, 06 Jun 2020 14:15:49 -0400, John C Klensin said:
>> I would add one additional cautionary note: we now have
>> several security-related tools, in different degrees of
>> active use, that digitally sign message bodies, headers, or
>> both.  If something sees a bare LF and converts it after
>> those signatures are computed, testing them will typically
>> fail.
> 
> I'm unaware of anything that does digital signatures that
> doesn't already mandate the use of a canonical encoding that
> would prevent a bare LF from escaping.  I suppose that
> somewhere, somebody wrote a signature routine that was
> expecting canonical input and failed to check for same and
> flag an error.
> 
> On the other hand, the case can be made that causing the
> signature to invalidate isn't an error - and possibly even
> rises to a 2119 SHOULD fail.

I think this gets into the range of kicking of dead horses, but
the point is that sending bare LFs (or bare CRs) is looking for
trouble, whether it is misinterpretation of intended

   foo
      bar

sequences, messing up of signatures, or being confused with a
spammer (and/or complete idiot who hasn't managed to fix those
problems in nearly 40 years).   If a submission server has
private agreements with its clients about those things and how
to fix them, so be it as long as they get fixed.  But, for an
SMTP sender (or submission server) to send that stuff out not
only violates the spec if they intended to have LF interpreted
as CRLF but counts on whatever happens downstream to apply the
same interpretation... and they probably won't.

   john
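
Added example, not part of the original message or thread: a Python sketch of the failure discussed above, using DKIM "simple" body canonicalization (RFC 6376) as one instance of a body signature. The sample body and all function names are constructed for illustration; it flags bare CR/LF, shows the body hash changing once a later hop rewrites a bare LF to CRLF, and shows a signer-side check that refuses such input.

```python
import base64
import hashlib
import re

# Bare CR (not followed by LF) or bare LF (not preceded by CR).
BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed sample: the "foo / bar" lines joined by a bare LF.
SAMPLE = b"Hello,\r\n   foo\n      bar\r\nBye\r\n"

def find_bare_line_endings(body: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, kind) for every bare CR or bare LF."""
    return [(m.start(), "CR" if m.group() == b"\r" else "LF")
            for m in BARE.finditer(body)]

def repair_line_endings(body: bytes) -> bytes:
    """What a downstream hop may do on its own: bare CR/LF -> CRLF."""
    return BARE.sub(b"\r\n", body)

def dkim_simple_body_hash(body: bytes) -> str:
    """bh= value for 'simple' body canonicalization with SHA-256
    (RFC 6376, 3.4.3): drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def strict_body_hash(body: bytes) -> str:
    """Signer-side check: refuse to hash a body that a later hop could
    legitimately rewrite (RFC 6376, 5.3 requires CRLF before signing)."""
    bad = find_bare_line_endings(body)
    if bad:
        raise ValueError(f"bare line endings at {bad}; normalize first")
    return dkim_simple_body_hash(body)

def hashes_before_and_after_relay(body: bytes) -> tuple[str, str]:
    """Hash as a careless signer saw it vs. as the verifier receives it."""
    return dkim_simple_body_hash(body), dkim_simple_body_hash(
        repair_line_endings(body))

if __name__ == "__main__":
    print("bare endings:", find_bare_line_endings(SAMPLE))
    signed, received = hashes_before_and_after_relay(SAMPLE)
    print("bh at signer:  ", signed)
    print("bh at verifier:", received)
    print("signature body hash still matches:", signed == received)
```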