"John Levine" <jo...@iecc.com> writes:

> It appears that Michael Thomas <m...@mtcc.com> said:
>>
>>On 4/3/22 12:12 PM, Bjørn Mork wrote:
>>> On a slightly related subject... This DKIM failure surprised me, but at
>>> least I verified that many NANOG subscribers have mailservers returning
>>> DMARC failure reports ;-)
>>
>>Oh wow, you should report that to Murray.
>
> It's on Github, so you can open an issue and if you're
> feeling inspired a fork and a patch. There's currently
> 67 open issues and 15 pull requests so don't hold your breath.
>
> https://github.com/trusteddomainproject/OpenDKIM

There is absolutely nothing wrong with opendkim. Sorry for this off-topic noise. opendkim is an excellent tool, which helped me find the real problem with a simple "Diagnostics yes" in the config file.

My problem was caused by bad interaction between nullmailer and sendmail. Turns out that nullmailer removes quotes around the display-name unless required, while sendmail adds quotes it considers necessary. The end-result is a Cc header looking exactly like the one I sent. Only problem is that it wasn't that header opendkim got.

1) I submitted this to nullmailer:

   Cc: John Levine <jo...@iecc.com>, "North American Network Operators' Group" <nanog@nanog.org>

2) nullmailer forwarded this to sendmail:

   Cc: John Levine <jo...@iecc.com>, North American Network Operators' Group <nanog@nanog.org>

3) opendkim signed the mail using the unquoted Cc header

4) sendmail added quotes and forwarded this:

   Cc: John Levine <jo...@iecc.com>, "North American Network Operators' Group" <nanog@nanog.org>

5) validation failed since the header signature was based on the unquoted version.

The header modifications in transit are the real bug. IMHO neither nullmailer nor sendmail should change the Cc header here. They should rather reject the mail if they don't like the headers. But I can't see any reasons for that. Both the quoted and the unquoted versions are fine according to my understanding of RFC5322.

Any hints on how to configure sendmail to avoid this are appreciated. I can always patch nullmailer. But the same problem can be triggered by any client submitting an unquoted display-name with an apostrophe to sendmail. Possibly also other characters which are allowed in an atom.

I do understand why most people just go with gmail...

Bjørn
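
Added example, not part of the original post and not opendkim code: a Python sketch of DKIM "relaxed" header canonicalization (RFC 6376 section 3.4.2) showing that it absorbs whitespace and refolding but not the quoting change in steps 2 and 4. The address list@example.org, the REFOLDED variant and the function names are constructed for illustration.

```python
import re
from email.utils import parseaddr


def relaxed_header(raw: str) -> str:
    """Canonicalize one header field per RFC 6376 section 3.4.2 (relaxed)."""
    name, _, value = raw.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # collapse WSP runs to one SP
    value = value.strip(" \t\r\n")                # drop WSP around the value
    return name.strip().lower() + ":" + value + "\r\n"


# Constructed sample fields: display name from the thread, placeholder address.
SIGNED = "Cc: North American Network Operators' Group <list@example.org>"
DELIVERED = 'Cc: "North American Network Operators\' Group" <list@example.org>'
REFOLDED = "CC:  North American Network\r\n\tOperators' Group   <list@example.org>  "


def survives_relaxed(signed: str, delivered: str) -> bool:
    """True if a relay's rewrite is invisible to a c=relaxed header hash."""
    return relaxed_header(signed) == relaxed_header(delivered)


def same_mailbox(a: str, b: str) -> bool:
    """True if both fields parse to the same (display-name, addr-spec) pair."""
    def body(field: str) -> str:
        return field.partition(":")[2]
    return parseaddr(body(a)) == parseaddr(body(b))


if __name__ == "__main__":
    print("refolded survives relaxed :", survives_relaxed(SIGNED, REFOLDED))
    print("re-quoted survives relaxed:", survives_relaxed(SIGNED, DELIVERED))
    print("same mailbox after parsing:", same_mailbox(SIGNED, DELIVERED))
```

The quoted and unquoted fields parse to the same mailbox, yet their canonical forms differ, so any header listed in h= that a relay re-quotes after signing breaks verification under either canonicalization.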