DandelionNStuff/dkimpy-milter-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add additional Sendmail configuration information to README from OpenDKIM

Browse Source 
update based on input from Дилян Палаузов (LP: #1801619)
This commit is contained in:
Scott Kitterman
2019-02-11 13:32:37 -05:00
parent f38fed3bee
commit 5945e818ca
2 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGES
+4
View File
@@ -1,3 +1,7 @@
1.0.1 UNRELEASED
- Add additional Sendmail configuration information to README from OpenDKIM
update based on input from Дилян Палаузов (LP: #1801619)
1.0.0 2018-05-11 1.0.0 2018-05-11
- Minor documentation updates - Minor documentation updates
- Deleted reference to obsolete syslog target in unit file - Deleted reference to obsolete syslog target in unit file
README
+51
View File
@@ -77,6 +77,57 @@ Milter support should be present by default in most versions of sendmail
these days, but if not included in your Sendmail build, see: these days, but if not included in your Sendmail build, see:
http://www.elandsys.com/resources/sendmail/milter.html http://www.elandsys.com/resources/sendmail/milter.html
ISSUES USING SENDMAIL TO SIGN AND VERIFY
========================================
When using the sendmail MTA in both signing and verifying mode, there are
a few issues of which to be aware that might cause operational problems
and deserve consideration.
(a) When the MTA will be used for relaying emails, e.g. delivering to other
hosts using the aliases mechanism, it is important not to break
signatures inserted by the original sender. This is particularly sensitive
particular when the sending domain has published a "reject" DMARC policy.
By default, sendmail quotes to address header fields when there are no
quotes and the display part of the address contains a period or an
apostrophe. However, opendkim only sees the raw, unmodified form of
the header field, and so the content that gets verified and what gets
signed will not be the same, guaranteeing the attached signature is not
valid.
To direct sendmail not to modify the headers, add this to your sendmail.mc:
conf(`confMUST_QUOTE_CHARS', `')
(b) As stated in sendmail's KNOWNBUGS file, sendmail truncates header field
values longer than 256 characters, which could mean truncating the domain
of a long From: header field value and invalidating the signature.
You may wish to consider increasing MAXNAME in sendmail/conf.h to mitigate
changing the messages and invalidating their signatures. This change
requires recompiling sendmail.
(c) Similar to (a) above, sendmail may wrap very long single-line recipient
fields for presentation purposes; for example:
To: very long name <a@example.org>,anotherloo...ong name b <b@example.org>
...might be rewritten as:
To: very long name <a@example.org>,
anotherloo...ong name b <b@example.org>
This rewrite is also done after opendkim has seen the message, meaning
the signature opendkim attaches to the message does not match the
content it signed. There is not a known configuration change to
mitigate this mutation.
The only known mechanism for dealing with this is to have distinct
instances of opendkim do the verifying (inbound) and signing (outbound)
so that the version that arrives at the signing instance is already
in the rewritten form, guaranteeing the input and output are the same
and thus the signature matches the payload.
For Postfix: For Postfix:
Integration of dkimpy-milter into Postfix is like any milter (See Postfix's Integration of dkimpy-milter into Postfix is like any milter (See Postfix's