OpenDMARC Authentication-Results parsing doesn't adhere to RFCs, causing valid data to be ignored or listed as invalid
MrPeteH opened this issue · 0 comments
Various RFC-compliant DKIM and ARC software packages produce headers that OpenDMARC has a hissy fit about. I've tracked down the issue to lack of RFC compliance in OpenDMARC header parsing. This issue report provides a few sample headers that OpenDMARC doesn't like, then describes the challenge in some specificity. (FWIW, the same problem exists in OpenARC parsing.)
SUMMARY OF TWO KEY PARSE ISSUES
- OpenDMARC doesn't parse CFWS whitespace properly (Folding White Space and Comments.) This ABNF is ubiquitous in key headers.
- OpenDMARC doesn't parse authserv-id as dot-atom - appears to assume it is an FQDN?
SAMPLES CAUSING TROUBLE (ALL are RFC-compliant headers)
- Produced by OpenDKIM on my own server. (Problem: the comment is standard CFWS and breaks parsing)
  dkim=pass (1024-bit key; unprotected) header.d=their.dom.ain header.i=@their.dom.ain header.a=rsa-sha256 header.s=1000073432 header.b=eKmreZ4p; dkim-atps=neutral
- Produced by DKIM on a popular hosting service (not sure what SW they use) (Problem: the authserv-id is dot-atom)
  rspamd-786cb55f77-65p7t; auth=pass smtp.auth=sample-host smtp.mailfrom=user@dom.ain
etc.
DISCUSSION OF THE ISSUE
AFAIK (from experience -- see above -- and code examination), OpenDMARC parsing is not RFC-compatible with CFWS. What's that?
The (ARC-)Authentication-Results header definition ABNF makes many references to RFC 5322 CFWS -- Folding White Space and Comments -- which is essentially folded white space plus any amount of [ \t\n] white space plus optional, nestable, () comments which can contain any text at all other than "(", ")" or "\".
Here are ABNF references in the RFCs:
As a dev, that sounds complex to me. I searched for some help towards a functioning implementation. To get us started, here is a regexp definition for CFWS, extracted from http://www.watersprings.org/pub/id/draft-seantek-mail-regexen-01.html#rfc.section.3.2
(?(DEFINE)
(?<FWS>(?:[\t ]*\r\n)?[\t ]+)
(?<CFWS>(?:(?&FWS)?(?&comment))+(?&FWS)?|(?&FWS))
(?<ctext>[!-'*-\[\]-~])
(?<ccontent>(?&ctext)|(?&quoted_pair)|(?&comment))
(?<comment>\((?:(?&FWS)?(?&ccontent))*(?&FWS)?\))
(?<quoted_pair>\\[ -~])
)
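A CFWS-aware pre-pass in C, as an added example that is not part of the original issue and is not OpenDMARC code: it collapses folding white space and nested comments before the header is split on ';', and takes the authserv-id as an opaque token rather than an FQDN. The function names `cfws_collapse` and `authserv_id` and the `SAMPLE` header are assumptions made for illustration.

```c
#include <string.h>

/* Constructed sample: nested comment with a quoted-pair, ';' inside a comment. */
static const char SAMPLE[] = "mx.example (a (nested\\) note)); dkim=pass "
                             "(1024-bit key; unprotected) header.d=their.dom.ain";

/* Collapse each CFWS run (FWS plus nested comments, RFC 5322 3.2.2) to one
 * space; quoted strings pass through. Returns -1 if unbalanced or too long. */
int cfws_collapse(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    int depth = 0, quoted = 0, pending = 0;
    if (dstlen == 0) return -1;
    for (; *src != '\0'; src++) {
        char c = *src;
        if (depth > 0) {                              /* inside a comment */
            if (c == '\\' && src[1] != '\0') src++;   /* skip quoted-pair */
            else if (c == '(') depth++;               /* comments nest */
            else if (c == ')') depth--;
            continue;
        }
        if (!quoted && c == '(') { depth = 1; pending = 1; continue; }
        if (!quoted && strchr(" \t\r\n", c)) { pending = 1; continue; }
        if (!quoted && c == ')') return -1;           /* stray close paren */
        if (o + 3 >= dstlen) return -1;               /* up to 3 bytes + NUL */
        if (pending && o > 0) dst[o++] = ' ';
        pending = 0;
        dst[o++] = c;
        if (c == '"') quoted = !quoted;
        else if (quoted && c == '\\' && src[1] != '\0') dst[o++] = *++src;
    }
    if (depth != 0 || quoted) return -1;
    dst[o] = '\0';
    return 0;
}

/* authserv-id in token form: the first word of the collapsed header, ending
 * at a space or ';'. No FQDN shape is assumed. */
int authserv_id(const char *hdr, char *out, size_t outlen)
{
    char buf[1024];
    size_t n = 0;
    if (cfws_collapse(hdr, buf, sizeof buf) != 0) return -1;
    while (buf[n] != '\0' && buf[n] != ' ' && buf[n] != ';') n++;
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return 0;
}
```

Splitting the collapsed string on ';' is then safe, because a ';' inside a comment such as `(1024-bit key; unprotected)` has already been removed.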