DKIM uses length field while discouraged by RFC #1964

Closed
KlaasBonnema opened this issue Feb 14, 2020 · 5 comments

@KlaasBonnema

PHPMailer 6.1.4 always includes the length field l= in a DKIM key. RFC 5672 section 3.5 discourages using the length field because it opens possible attack vectors. Since it is an optional field anyway it should be left out of the DKIM key.

@Synchro
Member

Synchro commented Feb 14, 2020

That sounds reasonable. Care to make a PR?

@KlaasBonnema
Author

KlaasBonnema commented Feb 14, 2020 via email

@Synchro
Member

Synchro commented Feb 14, 2020

Ah, you're new here! A PR is a pull request – fork the project, make the changes necessary to implement what you propose (ideally with accompanying tests), then request that it be merged back into this project. It sounds like you know what you're doing with DKIM - please take a look at my DKIM validator project too.

@KlaasBonnema
Author

I'll have to look into that. My immediate issue is with static::$LE and DKIM. It blocks migration to PHPMailer. I currently use DKIM Validator plugin in Thunderbird and check-auth@validator.port25.com for DKIM validations. Is a PR for one issue only or could I combine several issues?

@Synchro
Member

Synchro commented Feb 14, 2020

Generally it's a good idea to keep them separate as it keeps things on-topic for each one. The advantage of the validator being in PHP is that it can be used from within a closed and automated test environment and doesn't need any other tools.

Regarding the LE thing, generally I'd recommend avoiding using mail() as a sending mechanism at all. It's got inherent security holes, and it's slower than using SMTP to localhost. As a secondary effect, it also means you never need to use LF line breaks.

Synchro added a commit that referenced this issue Feb 15, 2020
Synchro closed this as completed Feb 15, 2020
Synchro added a commit that referenced this issue Feb 17, 2020
* DKIM tweaks, see #1962, #1964, #1965

* Don't use the `l` tag in DKIM signature, fixes #1964

* CS

* CS

* Fix order of operations, see #1962

* Remove trailing line break from output of `DKIM_Add()`, see #1962
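
An added example (not PHPMailer's code and not written by anyone in this thread): a check for a test suite or receiving side that parses a DKIM-Signature value, detects the `l=` tag, and reports how many canonicalized body bytes fall outside the signed length. The function names, the sample header and the sample body are constructed for illustration, and the `bh=`/`b=` values are placeholders.

```php
<?php
declare(strict_types=1);

// Split a DKIM-Signature header value into tag => value pairs (RFC 6376 section 3.2).
function parseDkimTags(string $value): array
{
    $tags = [];
    foreach (explode(';', preg_replace('/\r\n[ \t]+/', ' ', $value)) as $pair) {
        if (strpos($pair, '=') !== false) {
            [$name, $val] = explode('=', $pair, 2);
            $tags[trim($name)] = trim($val);
        }
    }
    return $tags;
}

// Body canonicalization, "simple" or "relaxed" (RFC 6376 sections 3.4.3 and 3.4.4).
function canonicalizeBody(string $body, string $algo): string
{
    if ($algo === 'relaxed') {
        $body = preg_replace('/[ \t]+(\r\n|\z)/', '$1', $body); // strip trailing whitespace
        $body = preg_replace('/[ \t]+/', ' ', $body);           // collapse whitespace runs
    }
    $body = preg_replace('/(\r\n)+\z/', '', $body);             // drop trailing empty lines
    return ($body === '' && $algo === 'relaxed') ? '' : $body . "\r\n";
}

// Report how much of the canonicalized body a signature with l= leaves unsigned.
function auditLengthTag(string $dkimHeaderValue, string $body): array
{
    $tags = parseDkimTags($dkimHeaderValue);
    $parts = explode('/', $tags['c'] ?? 'simple/simple');    // c= is header/body
    $canon = canonicalizeBody($body, $parts[1] ?? 'simple'); // body defaults to simple
    $total = strlen($canon);
    if (!isset($tags['l'])) {
        return ['uses_l' => false, 'signed' => $total, 'unsigned' => 0];
    }
    $signed = min((int) $tags['l'], $total); // l= counts canonicalized body octets
    return ['uses_l' => true, 'signed' => $signed, 'unsigned' => $total - $signed];
}

// Constructed sample: the signature values are placeholders, not a real signature.
$header = "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;\r\n"
    . " l=14; h=From:Subject; bh=PLACEHOLDER; b=PLACEHOLDER";
$body = "Signed text.\r\n" . "Text added after signing.\r\n";
print_r(auditLengthTag($header, $body));
```

A non-zero `unsigned` count means that part of the body is not covered by the body hash, so it can differ from what was signed while the signature still verifies.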