You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It would be nice to have a more precise output why the verification fails (No signature/Body hash mismatch/failed to retrieve key/signature failed to verify) - I did not etst all of them, some may already be shown.
Furthermore I'd like to se if bodyhash fails but signature is ok and if the bodyhash it ok but the signature fails.)
I understand that for a mailserver it is pointless to verify the signature if the body hash mismatches (and vice-versa) but for debugging and forensics that would be an useful information
The text was updated successfully, but these errors were encountered:
I think the error result is already pretty detailed, at least as long as showing detailed error reasons is enabled in the advanced options.
If you think there is still something missing please explicitly say which error you encountered but was not reported in detail enough by the add-on.
bodyhash fails but signature is ok
Yes this is currently missing, in a sense that if the bodyhash mismatches the add-on will not bother checking the signature.
Would be interesting to know more about how and why you need this information.
So far I only very rarely was interested in this myself, and more out of curiosity than a need.
bodyhash it ok but the signature fails
The add-on is already distinguishing between a DKIM_SIGERROR_BADSIG (Signature is wrong) and DKIM_SIGERROR_CORRUPT_BH (E-Mail was modified) error, both in the logs and the user interface.
Depending on what you intend to verify it may be enough that the signature is valid, as it verifies the metadata fields that are included in the signature (e.g. there really was an email sent from sender to receiver with this timestamp). Furthermore modifications of the body may have several legitimate (or at least automatic & non-malicous) reasons, for example the outlook issues posted here (#300). Depending on how the email was tranfered and stored, there may be legitimate modifications that break the body hash which are just artefact of storage format and conversions. I did not verify details, but DKIM is originally intended to be validated by the server on arival, so mail servers do not necessarily care about keeping email unchanged such that DKIM can be validated afterwards.
(unverified) examples may be encoding issues (7bit outlook-encoding, ASCII, UFT8, UTF16) format conversions (e.g. msg format of outlook), conversions between CRLF and LF (Windows vs. Linux newline) and others.
Ideally people would document what legitimate changed are done to emails on which servers/clients/mail gateways ("Warning: external email", "Virus alert", ...) and other components of the communication such that a DKIM verifier like this add-on can (temporily) undo such changes to distingush legitimate changes from illegit manipulations, but that is a lot of effort and not easy to do
It would be nice to have a more precise output why the verification fails (No signature/Body hash mismatch/failed to retrieve key/signature failed to verify) - I did not etst all of them, some may already be shown.
Furthermore I'd like to se if bodyhash fails but signature is ok and if the bodyhash it ok but the signature fails.)
I understand that for a mailserver it is pointless to verify the signature if the body hash mismatches (and vice-versa) but for debugging and forensics that would be an useful information
The text was updated successfully, but these errors were encountered: