Rspamd: [BUG] DKIM signature check fails on mixed l= values

Created on 2 Dec 2020  路  5Comments  路  Source: rspamd/rspamd

Prerequisites

Describe the bug
When an email includes multiple DKIM signatures with the same canonicalisation algorithm but different l= tag values then only the first signature passes and the following ones fail.

Main problem that occurs is that some DMARC checks fail. If the sender has signed the email with a l= tag and intermediate MTA adds another signature using the same canonicalisation but without l= then Rspamd validates the non-aligning signature from the MTA but fails the aligning signature from the sender and thus also fails DMARC.

Steps to Reproduce

  1. Scan this message with Rspamd
  2. First signature passes, second one fails
  3. Sending the same email to Gmail results in both signatures as passed

Expected behavior
Rspamd correctly validates both signatures.

Versions

rspamd --version
Rspamd daemon version 2.6

Additional Information

bug

All 5 comments

l tag is brain damaged by design. I was very reluctant to support it as there are almost no good reasons for it to exists.

Yeah, I agree, I was super surprised to see that someone (a large company) actually uses it.

It should work now :)

Awesome, we'll try it out!

I built rspamd from sources and can confirm that all my test emails now have a passing DKIM/DMARC. Thank you!

Was this page helpful?
0 / 5 - 0 ratings