Relax parsing of the Authentication-Results header #79

Closed
magkopian opened this issue Jan 13, 2017 · 5 comments
magkopian commented Jan 13, 2017

Relax the parsing to allow some common RFC violations:

Below is the original post:

Hello,
Looks like there is an issue with parsing the Authentication-Results header as it is set by the Zoho mail server.

For isolating the issue and preventing any confusion I have unchecked the Verify DKIM Signatures setting. Here is the resulting debug output.

2017-01-13 08:03:56	DKIM_Verifier.Logging	DEBUG	initialized

2017-01-13 08:03:59	DKIM_Verifier.Policy	DEBUG	DB initialized

2017-01-13 08:04:09	DKIM_Verifier.JSDNS	CONFIG	changed DNS Servers to : [{server:"8.8.8.8", alive:true}, {server:"8.8.4.4", alive:true}]

2017-01-13 08:04:09	DKIM_Verifier.JSDNS	CONFIG	changed DNS Servers to : [{server:"8.8.8.8", alive:true}, {server:"8.8.4.4", alive:true}]

2017-01-13 08:04:09	DKIM_Verifier.JSDNS	INFO	Resolving _dmarc.example.com TXT by querying 8.8.8.8

2017-01-13 08:04:10	DKIM_Verifier.JSDNS	DEBUG	_dmarc.example.com/TXT: Answer: v=DMARC1; p=none; sp=none; adkim=r; aspf=r; pct=100; fo=1; rua=mailto:hxfynrdk@ag.dmarcian.com,mailto:dmarc-rua@example.com; ruf=mailto:hxfynrdk@fr.dmarcian.com;

2017-01-13 08:04:10	DKIM_Verifier.DNSWrapper	DEBUG	result: ({data:["v=DMARC1; p=none; sp=none; adkim=r; aspf=r; pct=100; fo=1; rua=mailto:hxfynrdk@ag.dmarcian.com,mailto:dmarc-rua@example.com; ruf=mailto:hxfynrdk@fr.dmarcian.com;"], rcode:0, secure:false, bogus:false})

2017-01-13 08:04:10	DKIM_Verifier.DMARC	DEBUG	DMARCPolicy: ({adkim:"r", pct:100, p:"none", domain:"example.com", source:"example.com"})

2017-01-13 08:04:10	DKIM_Verifier.Policy	DEBUG	shouldBeSigned: true; sdid: example.com; hideFail: false; foundRule: false

2017-01-13 08:04:10	DKIM_Verifier.AuthVerifier	ERROR	Error: Parsing error (resource://dkim_verifier/ARHParser.jsm:253:1) JS Stack trace: match@ARHParser.jsm:253:1 < parseResinfo@ARHParser.jsm:188:14 < _ARHParser_parse@ARHParser.jsm:162:21 < getARHResult@AuthVerifier.jsm:225:10 < _authVerifier_verify/promise<@AuthVerifier.jsm:116:20

2017-01-13 08:04:10	DKIM_Verifier.AuthVerifier	DEBUG	authResult: ({version:"2.0", dkim:[{version:"2.0", result:"none", res_num:40, result_str:"No Signature"}], spf:[], dmarc:[]})

And here are the email headers of the same email. Note, though, that I have obscured the domain of my server with example.com, as well as its IP address with x.x.x.x.

Delivered-To: sales@example.com
Received-SPF: pass (zoho.com: domain of email.example.com designates 167.89.55.65 as permitted sender) client-ip=167.89.55.65; envelope-from=bounces+2344330-4453-sales=example.com@email.example.com; helo=o1.7nn.fshared.sendgrid.net;
Authentication-Results: mx.zoho.com;
	spf=pass (zoho.com: domain of email.example.com designates 167.89.55.65 as permitted sender)  smtp.mailfrom=bounces+2344330-4453-sales=example.com@email.example.com;
Return-Path: <bounces+2344330-4453-sales=example.com@email.example.com>
Received: from o1.7nn.fshared.sendgrid.net (o1.7nn.fshared.sendgrid.net [167.89.55.65]) by mx.zohomail.com
	with SMTPS id 1484246776936349.02854621594497; Thu, 12 Jan 2017 10:46:16 -0800 (PST)
Received: by filter0691p1mdw1.sendgrid.net with SMTP id filter0691p1mdw1-31661-5877CEF2-29
        2017-01-12 18:46:10.784231552 +0000 UTC
Received: from example.com (example.com [x.x.x.x])
	by ismtpd0002p1lon1.sendgrid.net (SG) with ESMTP id Rc1DMZOHQDuVuX5cYM7YzA
	for <sales@example.com>; Thu, 12 Jan 2017 18:46:10.503 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; 
	h=to:from:subject:mime-version:content-type:content-transfer-encoding; 
	s=s1; bh=528ZwQtSB/2qVd7MJNMPYs7ZD5s=; b=kBy78xq/dwwoTTFMtTEa3Hy
	S8Pj3G2b4EQMouyWSav2eZ2jSm3zDUdPnDPbIO6xY7pbRyEo5pcwHoY/exvoARcC
	XEKt8B2WCvBGCqv/BpyYwH8fZH1XMBMfVNsvDS2r3aI63kUzY6s5Acj9n8cukRls
	oVHFQjs1WRQh2y/x18nw=
Date: Thu, 12 Jan 2017 20:46:09 +0200
To: sales@example.com
From: "example.com" <no-reply@example.com>
Subject: =?UTF-8?B?zpXOuc60zr/PgM6/zq/Ot8+Dzrcgzp3Orc6xz4IgzqDOsc+BzrHOs86zzrXOu86vzrHPgg==?=
Message-ID: <87fcc4cddb8a79d1ead2905850ca77d8@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_87fcc4cddb8a79d1ead2905850ca77d8"
Content-Transfer-Encoding: 8bit
X-SG-EID: gOUNDwUZ2BR4HKLzjgMW+kvYtWz9GDxsoMs56GxmdgeoFp6RARf2fwQv5KptcBDsahTrVj9mbfJcQc
 zuuKPQTdmUZuGS724CHVPHVtCkux44ObONv9Q9cdbzbji0Yk8iUse4CItwtLBTww8QcXyyRdSH89Wy
 ibMj1iyUXbKrYuuCVQp4VgENUkfgltg5XrDyvJUv1VedEIjkxEQVLIHE1tvMS/qwmM3EnmWvRx7+1w
 4=
X-ZohoMail: RSF_0  Z_38635583 SPT_1 Z_38638371 SPT_1 UDT_7 RF_0
X-Zoho-Virus-Status: 2

The extension reports No Signature on the DKIM field, which is to be expected I guess because the verification of the DKIM is disabled and Zoho doesn't verify DKIM, but the information about the SPF is also missing.

@lieser lieser self-assigned this Jan 16, 2017
Owner

lieser commented Jan 16, 2017

Thanks for reporting it.

The problem is the ; at the end of the Authentication-Results header. If I remove it, the header is parsed without problems.

Note that, if I understand RFC 7601 correctly, the ; at the end of the header is not valid syntax. So this is not a bug in the add-on, but rather an RFC violation by the Zoho mail server.

@lieser lieser added the invalid label Jan 16, 2017
Author

magkopian commented Jan 16, 2017

Just noticed that Outlook does the same thing as Zoho. Here is an example of an Authentication-Results header from Outlook:

Authentication-Results: spf=pass (sender IP is 91.194.248.199)
 smtp.mailfrom=reply1.ebay.com; outlook.com; dkim=pass (signature was
 verified) header.d=reply1.ebay.com;outlook.com; dmarc=pass action=none
 header.from=reply1.ebay.com;

Seems like you are right about the violation of the RFC standard, but considering the fact that we can't actually do anything about it, shouldn't we follow a less strict approach during parsing?

Also, apart from the Authentication-Results header there is also the Received-SPF header which could be used to obtain at least the SPF result, if the parsing of the Authentication-Results fails.

Owner

lieser commented Jan 22, 2017

Although admittedly maybe not the most user-friendly, the strict parsing is intentional (if all verifiers ignore RFC violations, the signers have no motivation to follow them (or even notice them)). But I could introduce an option to relax the parsing.

The reading of the Received-SPF is probably not something I will implement myself, as I think the reading of the ARH is enough for most people. But if someone else implements it, I would be more than willing to integrate it in the add-on.

@lieser lieser changed the title from "Parsing of the Authentication-Results header doesn’t seem to be working with Zoho Mail." to "Relax parsing of the Authentication-Results header" Jan 22, 2017
@lieser lieser added this to the 1.7.0 milestone Jan 22, 2017
Author

magkopian commented Jan 23, 2017

That sounds like a great idea and I completely agree, the user should have the option to choose between a relaxed or a strict validation mode. Furthermore, I think it would be better to have strict mode enabled by default and allow the user to manually disable it for the problematic servers. A global option would also be good to have, but not enabled by default.

@lieser lieser modified the milestones: 1.8.0, 1.7.0 Jul 22, 2017
@lieser lieser modified the milestones: 1.8.0, 2.0.0 Dec 17, 2017
Owner

lieser commented Apr 1, 2018

The new pre-release v2.0.0pre4 has an advanced option for relaxed parsing.

Note that the ARH from Outlook that you posted will still not work, as there the outlook.com; part is in the middle (and even multiple times). Before I invest more time into trying to also allow this, could you please confirm that Outlook is still doing this?

@lieser lieser closed this as completed Apr 19, 2018
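
The strict and relaxed behaviour discussed in this thread, as an added example that is not part of the thread and not the add-on's own ARHParser.jsm code: a simplified parser run over the Zoho and Outlook header values posted above. Relaxed mode here tolerates only a trailing ;, so the Outlook value, where the authserv-id is not first, is still rejected. Assumptions: `parseARH` and `tryParse` are hypothetical names, comments are not nested, and quoted strings and the optional version token are not handled.

```javascript
// Added example; not the add-on's ARHParser.jsm. parseARH/tryParse are hypothetical names.
// Simplified: comments are not nested; quoted strings and the version token are not handled.
function parseARH(value, { relaxed = false } = {}) {
  // Drop (comments), then unfold and collapse whitespace.
  const flat = value.replace(/\([^()]*\)/g, " ").replace(/\s+/g, " ").trim();
  const parts = flat.split(";").map((p) => p.trim());

  // Relaxed mode tolerates exactly one violation: a ";" after the last resinfo.
  if (relaxed && parts.length > 1 && parts[parts.length - 1] === "") parts.pop();

  // The authserv-id must come first: it names the server that made the claims.
  const authservId = parts.shift();
  if (!/^[A-Za-z0-9.-]+$/.test(authservId)) {
    throw new Error("Parsing error: authserv-id expected first");
  }

  const results = parts.map((part) => {
    const [methodspec, ...props] = part.split(" ");
    const m = /^([a-z0-9-]+)=([a-z]+)$/i.exec(methodspec);
    if (!m) throw new Error(`Parsing error: bad resinfo "${part}"`);
    const properties = {};
    for (const prop of props) {
      const p = /^([a-z0-9-]+\.[a-z0-9_-]+)=(\S+)$/i.exec(prop);
      if (!p) throw new Error(`Parsing error: bad propspec "${prop}"`);
      properties[p[1]] = p[2];
    }
    return { method: m[1], result: m[2], properties };
  });
  return { authservId, results };
}

// Returns the parsed header, or null where a parsing error would be logged.
function tryParse(value, opts) {
  try { return parseARH(value, opts); } catch (e) { return null; }
}

// Header values as posted in this thread.
const ZOHO = "mx.zoho.com;\n\tspf=pass (zoho.com: domain of email.example.com " +
  "designates 167.89.55.65 as permitted sender)  smtp.mailfrom=" +
  "bounces+2344330-4453-sales=example.com@email.example.com;";
const OUTLOOK = "spf=pass (sender IP is 91.194.248.199)\n smtp.mailfrom=reply1.ebay.com;" +
  " outlook.com; dkim=pass (signature was\n verified) header.d=reply1.ebay.com;" +
  "outlook.com; dmarc=pass action=none\n header.from=reply1.ebay.com;";

console.log(tryParse(ZOHO));                       // strict mode
console.log(tryParse(ZOHO, { relaxed: true }));    // relaxed mode
console.log(tryParse(OUTLOOK, { relaxed: true })); // relaxed mode
```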