Swift_Signers_DKIMSigner: Setting custom return-path breaks DKIM signature #442

Closed
tomsommer opened this issue Mar 18, 2014 · 10 comments

@tomsommer tomsommer commented Mar 18, 2014

DKIM signature fails if you set a custom return-path with ->setReturnPath()

Tested by sending to dktest@exhalus.net: "auth result: fail (message has been altered)"

Member

@xdecock xdecock commented Mar 18, 2014

Have you tried avoiding signing return-path as it must be the first header?
It should not be part of the signature.
On 18 March 2014 08:38, "tomsommer" notifications@github.com wrote:

> DKIM signature fails if you set a custom return-path with ->setReturnPath()

Author

@tomsommer tomsommer commented Mar 18, 2014

Adding

```php
$dkim = new Swift_Signers_DKIMSigner(...);
$dkim->ignoreHeader('Return-Path');
```

solves the problem, but obviously this should be the default.

Member

@xdecock xdecock commented Mar 18, 2014

I'm off for a week but I'll submit a patch for this.
On 18 March 2014 09:38, "tomsommer" notifications@github.com wrote:

> Adding
>
>     $dkim = new Swift_Signers_DKIMSigner(...);
>     $dkim->ignoreHeader('Return-Path');
>
> solves the problem, but obviously this should be the default.

Author

@tomsommer tomsommer commented Mar 18, 2014

I've done some more testing. GMail passes DKIM if Return-Path is not in the signature. But a lot of other online tests will fail. Perhaps something is wrong with the signature calculation if return-path is ignored.

Member

@xdecock xdecock commented Mar 18, 2014

No, it should not be, if it's not in the dkim-signature header.

On Tue, Mar 18, 2014 at 10:40 AM, tomsommer notifications@github.com wrote:

> I've done some more testing. GMail passes DKIM if Return-Path is not in
> the signature. But a lot of other online tests will fail. Perhaps something
> is wrong with the signature calculation if return-path is ignored.

Xavier De Cock
GPG Fingerprint: 93CA EE3F 9F57 5BE1 AE4A 794D 3C74 CA9E E7A5 0C1B
GPG Id: 0xE7A50C1B

Author

@tomsommer tomsommer commented Mar 18, 2014

The "bug" also applies to Swift_Signers_DomainKeySigner btw.

Swift_Signers_DomainKeySigner should also ignore the "DKIM-Signature" header, which it doesn't.

Basically both signers should ignore Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc and DKIM-Signature headers


@judgej judgej commented Apr 23, 2014

This has just started affecting me over the last few weeks. DKIM has been happily working, and passing, through SwiftMailer and a Laravel site. An increasing number of users have started reporting that they are not receiving their activation emails. Trying it myself today, and I find Google Apps is marking my activation email with a DKIM fail.

I have set the headers listed above to be ignored, and now DKIM passes. The only header that was in my include list was Bcc. Obviously Bcc recipients do not appear in the mail the recipient receives, so it makes sense that it cannot be used in the signature. Whether SwiftMailer was actually including Bcc in the signature, or whether it was ignoring it anyway but still listing it in the "h=" field, is unclear. What I do know, is that the setup we have WAS working and getting a PASS from Google a month ago, but is now getting DKIM FAIL from Google and Hotmail, and we haven't changed how we send emails in that period. Setting Bcc to ignore, plus the other headers listed in the previous comment, fixes it for us.


@EmmanuelVella EmmanuelVella commented Jun 11, 2014

Same issue here, ignoring manually the Return-Path header solves the problem.

Member

@xdecock xdecock commented Jun 11, 2014

Hello, it's needed to exclude the return-path from the list of headers as
it must stay the first header of the envelope, and as such will not be
present after the dkim-signature header.

Xavier

On Wed, Jun 11, 2014 at 11:42 AM, Emmanuel Vella notifications@github.com
wrote:

> Same issue here, ignoring manually the Return-Path header solves the
> problem.

Xavier De Cock
GPG Fingerprint: 93CA EE3F 9F57 5BE1 AE4A 794D 3C74 CA9E E7A5 0C1B
GPG Id: 0xE7A50C1B


@ghost ghost commented Jun 11, 2014

So, should the above list of headers be set to be ignored by default? It sounds like everyone needs to manually set them as ignored, but it makes sense that the library includes the common ignore-header list as a default list, if those headers should never (and that is an assumption without knowing more) be included in the DKIM hash.

For example, Bcc should certainly never be included, because it will never reach the destination server - that is the point of Bcc, splitting the recipients off to separate emails as early as possible.
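Added example, not part of the thread and not Swift Mailer code: a small Python model of the header hash a DKIM verifier recomputes, showing why signing Return-Path or Bcc fails after delivery while the ignore list proposed above survives. It covers only the RFC 6376 "relaxed" header hash (no body hash, no RSA step, and the DKIM-Signature field itself is left out); the message, addresses and the `in_transit` delivery model are constructed assumptions.

```python
import hashlib
import re

# Default ignore list proposed in the thread for both signers.
IGNORED = {"return-path", "received", "comments", "keywords",
           "bcc", "resent-bcc", "dkim-signature"}

# Constructed message as the application builds it, before signing.
MSG = [("Return-Path", "<bounces@app.example>"),
       ("From", "App <noreply@app.example>"),
       ("To", "user@example.net"),
       ("Bcc", "audit@app.example"),
       ("Subject", "Activate   your account")]

def relaxed(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n", "", value)             # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse whitespace runs
    return f"{name.lower()}:{value}\r\n"

def header_digest(headers, signed_names):
    """SHA-256 over the fields named in h=; an absent field adds nothing."""
    pool, digest = list(headers), hashlib.sha256()
    for name in signed_names:
        for i in range(len(pool) - 1, -1, -1):      # instances are taken bottom-up
            if pool[i][0].lower() == name.lower():
                digest.update(relaxed(*pool.pop(i)).encode())
                break
    return digest.hexdigest()

def in_transit(headers, envelope_from):
    """Constructed delivery model: Bcc is stripped, and the final MTA writes
    Return-Path from the SMTP envelope and prepends a Received line."""
    kept = [h for h in headers if h[0].lower() not in ("bcc", "return-path")]
    return [("Return-Path", f"<{envelope_from}>"),
            ("Received", "from relay.example by mx.example.net")] + kept

def survives(headers, envelope_from, ignore=frozenset()):
    """True if the signed-header digest is the same before and after delivery."""
    names = [n for n, _ in headers if n.lower() not in ignore]
    return header_digest(headers, names) == header_digest(
        in_transit(headers, envelope_from), names)

ENVELOPE = "bounce-7f3a@relay.example"   # constructed: relay rewrote the sender
print("sign every header:    ", survives(MSG, ENVELOPE))
print("ignore Return-Path:   ", survives(MSG, ENVELOPE, {"return-path"}))
print("ignore the full list: ", survives(MSG, ENVELOPE, IGNORED))
```

Ignoring only Return-Path is not enough for this message because Bcc is still listed in `h=` but is gone by the time the verifier hashes the headers.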
