Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DKIM signing performs conversion to 7-bit #224

Closed
breedbekkikker opened this issue Jan 29, 2016 · 2 comments
Closed

DKIM signing performs conversion to 7-bit #224

breedbekkikker opened this issue Jan 29, 2016 · 2 comments
Labels
bug Something isn't working

Comments

@breedbekkikker
Copy link

The DKIM Sign function performs a 7-bit MIME conversion of the message body before calculating the body hash. DKIM RFC states that such a conversion "is outside the scope of DKIM". This conversion breaks any already signed 8-bit MIME messages (or, depending on how MimeKit is used in the custom implementation, in an incorrect body hash).

I would suggest to remove the 7-bit conversion from the DKIM Sign function or to make it optional when calling the Sign function.
@jstedfast jstedfast added the bug Something isn't working label Jan 29, 2016
@jstedfast
Copy link
Owner

So the reason that I did that was because before you can send via SMTP, you will need to force the message into the 7bit or 8bit encoding, depending on what the server supports/requires (e.g. an SMTP server that does not support the 8BITMIME extension will require that messages be in the 7bit encoding).

By forcing it into the 7bit encoding, it is safe for either.

This is the strategy used by S/MIME and OpenPGP as well.

You might say, "but Jeff, what if we know that my SMTP server supports 8BITMIME? Why force it into 7bit?"

Here's the problem with that: Your SMTP server is not the final destination for most of the email you send (in general). So while your SMTP server may support 8BITMIME, the destination SMTP server might not, which means that your SMTP server will be forced to re-encode the message before passing it along to the next SMTP server. If the message was cryptographically signed while the message was in the 8bit encoding, then it will no longer verify in that case.

Now... that said, the scenario you describe is also valid and one that I regrettably did not foresee because I was probably a bit too myopic in my estimation of how MimeKit's DKIM signing logic would be used (which is to say that I had assumed it would only be used by the originator and not somewhere along the transport route).

jstedfast added a commit that referenced this issue Jan 29, 2016
@jstedfast
Do not force messages to be in the 7bit encoding when DKIM signing
eebf7bf 
Fixes issue #224
@breedbekkikker
Copy link
Author

I completely agree with your comment. Additionally, if the destination SMTP server does not support 8BITMIME, RFC also allows to not deliver the message and send an NDR to the sender. I would opt to not convert to 7-bit encoding to not break signed messages.

Thanks again for your prompt response and fix!

@jstedfast jstedfast mentioned this issue Oct 27, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jstedfast @breedbekkikker