From 5945e818ca7428688f274669fc16d381ebbc7334 Mon Sep 17 00:00:00 2001 From: Scott Kitterman Date: Mon, 11 Feb 2019 13:32:37 -0500 Subject: [PATCH] =?UTF-8?q?=20-=20Add=20additional=20Sendmail=20configurat?= =?UTF-8?q?ion=20information=20to=20README=20from=20OpenDKIM=20=20=20=20up?= =?UTF-8?q?date=20based=20on=20input=20from=20=D0=94=D0=B8=D0=BB=D1=8F?= =?UTF-8?q?=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2=20(LP?= =?UTF-8?q?:=20#1801619)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGES | 4 ++++ README | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/CHANGES b/CHANGES index 06cd982..ab6c19e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1.0.1 UNRELEASED + - Add additional Sendmail configuration information to README from OpenDKIM + update based on input from Дилян Палаузов (LP: #1801619) + 1.0.0 2018-05-11 - Minor documentation updates - Deleted reference to obsolete syslog target in unit file diff --git a/README b/README index d91a378..5efdeff 100644 --- a/README +++ b/README 
@@ -77,6 +77,57 @@ Milter support should be present by default in most versions of sendmail these days, but if not included in your Sendmail build, see: http://www.elandsys.com/resources/sendmail/milter.html +ISSUES USING SENDMAIL TO SIGN AND VERIFY +======================================== + +When using the sendmail MTA in both signing and verifying mode, there are +a few issues of which to be aware that might cause operational problems +and deserve consideration. + +(a) When the MTA will be used for relaying emails, e.g. delivering to other + hosts using the aliases mechanism, it is important not to break + signatures inserted by the original sender. This is particularly sensitive + particular when the sending domain has published a "reject" DMARC policy. + + By default, sendmail quotes to address header fields when there are no + quotes and the display part of the address contains a period or an + apostrophe. However, opendkim only sees the raw, unmodified form of + the header field, and so the content that gets verified and what gets + signed will not be the same, guaranteeing the attached signature is not + valid. + + To direct sendmail not to modify the headers, add this to your sendmail.mc: + + conf(`confMUST_QUOTE_CHARS', `') + +(b) As stated in sendmail's KNOWNBUGS file, sendmail truncates header field + values longer than 256 characters, which could mean truncating the domain + of a long 
From: header field value and invalidating the signature. + You may wish to consider increasing MAXNAME in sendmail/conf.h to mitigate + changing the messages and invalidating their signatures. This change + requires recompiling sendmail. + +(c) Similar to (a) above, sendmail may wrap very long single-line recipient + fields for presentation purposes; for example: + + To: very long name ,anotherloo...ong name b + + ...might be rewritten as: + + To: very long name , + anotherloo...ong name b + + This rewrite is also done after opendkim has seen the message, meaning + the signature opendkim attaches to the message does not match the + content it signed. There is not a known configuration change to + mitigate this mutation. + + The only known mechanism for dealing with this is to have distinct + instances of opendkim do the verifying (inbound) and signing (outbound) + so that the version that arrives at the signing instance is already + in the rewritten form, guaranteeing the input and output are the same + and thus the signature matches the payload. + For Postfix: Integration of dkimpy-milter into Postfix is like any milter (See Postfix's
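Review bot: in the README hunk, the sendmail.mc snippet `conf(`confMUST_QUOTE_CHARS', `')` is not a valid directive; sendmail's m4 configuration sets options with `define`, so the line should read `define(`confMUST_QUOTE_CHARS', `')`, and a reader who pastes the hunk as written will get an m4 error rather than the intended behaviour. It is also worth stating the effect precisely: confMUST_QUOTE_CHARS only controls which additional characters (by default the period) trigger quoting of the display-name phrase, and sendmail still quotes the characters it must quote for RFC compliance, so the setting does not make the MTA "not modify the headers" in general but only stops the period/apostrophe quoting that item (a) describes. Two wording fixes in the same hunk: "This is particularly sensitive particular when" has a duplicated word, and "sendmail quotes to address header fields" should be "sendmail adds quotes to address header fields". In item (b), "to mitigate changing the messages and invalidating their signatures" reads more clearly as "to avoid sendmail altering the messages and invalidating their signatures".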