Thunderbird's MailExtension API (also called WebExtension API) only provides a limited set of functionality, which is not sufficient for this add-on. The add-on therefore needs some privileged code (so-called experiments) to add the missing functionality.
The current things done via the privileged code are:
- extending the header to show the DKIM result
- DNS queries
- getting access to the settings from older add-on versions
- storing the DKIM result for a mail
- calling some Thunderbird internal utility code
Note that add-ons published via addons.thunderbird.net (ATN) are subject to human review.
Note that in older Thunderbird versions, extensions were always running as privileged code.
Most mailing lists break DKIM signatures by editing the subject or adding a footer. You can hide the DKIM header for these e-mails by adding a sign rule (more about it here).
Besides a bug, it may also be your mail provider altering the incoming e-mails, for example by changing the encoding of the e-mail. Mail providers/servers known to do so:
- Outlook.com / Hotmail / Office365 / Microsoft SMTP Server
- Verizon (USA)
- Sendmail (for text/plain, if specified by the F=9 delivery agent flag; see 5.4. M -- Define Mailer in the Sendmail Installation and Operation Guide)
- Postfix, if a line is too long (see the smtp_line_length_limit option and https://tools.ietf.org/html/rfc5321#section-4.5.3.1.6)
  - Senders known to sometimes exceed the default limit:
    - Steam
  - Mail providers that are known to be affected by this:
    - Posteo
If the receiving server alters incoming e-mails, enabling the reading of the Authentication-Results header instead of client-side verification may be an option for you.
Note for Outlook: Unfortunately Outlook writes the Authentication-Results header in an invalid format that the add-on can not read. So enabling the reading of the Authentication-Results header does not help for Outlook (more info here; adding support for it is tracked in issue #423). If you also have accounts from other providers in Thunderbird that work without problems, keep in mind that the verification can also be disabled on a per-account basis (https://github.com/lieser/dkim_verifier/wiki/Account-Options).
If you are not certain that the problem is caused by the mail provider, please report the issue and send some of the invalid e-mails as saved .eml files to lieser+dkim@posteo.net, so I can try to find out what the problem is. If you don't have such an e-mail that is free of personal information you don't want me to see, I could also first send you a signed e-mail.
Partially. The add-on does verify all DKIM signatures, but because of space considerations it only shows the result of one of them.
The signature to be shown is determined by the following criteria:
- The overall result of the verification (valid / temporary error / permanent error)
- Whether there are warnings for a valid signature
- Whether the From address is in the SDID or the List-ID is in the SDID
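As an added example (not code from the dkim_verifier add-on), here is how that selection could be implemented in JavaScript. It assumes the criteria apply in the order listed above, that each verified signature is represented by an object with `sdid`, `selector`, `result` and `warnings` fields, and that the From address and List-ID are passed as bare domains; all names below are assumptions, and the sample signatures are constructed.

```javascript
// Added example, not the add-on's own code: choose the one signature result
// to display when a message carries several DKIM signatures, ranking them by
// the three criteria listed above, in that order (assumed).

// Lower is better: the three verification outcomes named above.
const RESULT_RANK = { SUCCESS: 0, TEMPFAIL: 1, PERMFAIL: 2 };

// Domain match in the RFC 6376 sense: `domain` equals `sdid` or is a
// subdomain of it. Either argument may be missing (e.g. no List-ID header).
function domainIsInSdid(domain, sdid) {
  if (!domain || !sdid) return false;
  const d = domain.toLowerCase();
  const s = sdid.toLowerCase();
  return d === s || d.endsWith("." + s);
}

// Ranking tuple for one signature: [result, has-warnings, not-aligned].
// Each element is 0 for the preferred state, so a plain numeric comparison
// of the tuples gives the display order.
function rankingKey(sig, fromDomain, listIdDomain) {
  const result = RESULT_RANK[sig.result];
  if (result === undefined) throw new Error(`unknown result ${sig.result}`);
  // Warnings only matter for valid signatures; failures rank lower anyway.
  const hasWarnings = sig.result === "SUCCESS" && sig.warnings.length > 0 ? 1 : 0;
  const aligned =
    domainIsInSdid(fromDomain, sig.sdid) || domainIsInSdid(listIdDomain, sig.sdid);
  return [result, hasWarnings, aligned ? 0 : 1];
}

function compareKeys(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns the signature that should be shown, or null when there is none.
function selectSignatureToShow(signatures, fromDomain, listIdDomain) {
  if (signatures.length === 0) return null;
  const ranked = signatures
    .map((sig) => ({ sig, key: rankingKey(sig, fromDomain, listIdDomain) }))
    .sort((a, b) => compareKeys(a.key, b.key));
  return ranked[0].sig;
}

// Constructed sample: the author's signature broke in transit (the mailing
// list footer case), the list re-signed the message cleanly, and a relay
// added a valid signature that carries a warning.
const SAMPLE_SIGNATURES = [
  { sdid: "example.com", selector: "s1", result: "PERMFAIL", warnings: [] },
  { sdid: "lists.example.org", selector: "list", result: "SUCCESS", warnings: [] },
  { sdid: "relay.example.net", selector: "r1", result: "SUCCESS", warnings: ["short RSA key"] },
];

console.log(selectSignatureToShow(SAMPLE_SIGNATURES, "example.com", "lists.example.org"));
// → the lists.example.org signature: valid, no warnings, aligned with the List-ID
```

Because the result outranks alignment, a message whose only aligned signature is broken will show a valid third-party signature instead; the broken aligned one is still verified, just not displayed.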
The selector (the s= tag in the DKIM signature) probably contains an underscore. This is not allowed by the DKIM specification.
More information on why is available in issue 137.
As this has no security impact, the add-on still accepts underscores in selectors and only gives a warning. The warning can be disabled via the "Treat ill-formed selector as" advanced option of the add-on.
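To show what "ill-formed" means here, the following added example (not code from the add-on) parses the tag list of a DKIM-Signature header value as defined in RFC 6376 section 3.2 and checks the s= tag against the selector grammar, classifying an underscore as a warning and any other deviation as an error. The function names and the sample header (with dummy bh= and b= values) are constructed for this example.

```javascript
// Added example, not code from the dkim_verifier add-on: parse a
// DKIM-Signature tag list (RFC 6376 section 3.2) and check the selector.

// tag-name = ALPHA *ALNUMPUNC, ALNUMPUNC = ALPHA / DIGIT / "_"
const TAG_NAME = /^[A-Za-z][A-Za-z0-9_]*$/;
// tag-value = tval *( 1*(WSP / FWS) tval ), VALCHAR = %x21-3A / %x3C-7E
// (printable ASCII except ";"); the header is unfolded before matching.
const TAG_VALUE = /^[\x21-\x3A\x3C-\x7E]+(?:[ \t]+[\x21-\x3A\x3C-\x7E]+)*$/;
// selector = sub-domain *( "." sub-domain ), sub-domain = Let-dig [Ldh-str]
// (RFC 5321): letters, digits and hyphens, starting and ending with a letter
// or digit. "_" is not part of the grammar.
const SUB_DOMAIN = "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?";
const SELECTOR = new RegExp(`^${SUB_DOMAIN}(?:\\.${SUB_DOMAIN})*$`);

// Parses a DKIM-Signature header value into a Map of tag -> value.
// Throws on syntax errors and on duplicate tags (RFC 6376: a signature with
// duplicate tags MUST be treated as invalid).
function parseTagList(headerValue) {
  // Unfold: drop a CRLF (or bare LF) that is followed by whitespace.
  const unfolded = headerValue.replace(/\r?\n(?=[ \t])/g, "");
  const specs = unfolded.split(";");
  // A single trailing ";" is allowed by the grammar.
  if (specs.length > 1 && specs[specs.length - 1].trim() === "") specs.pop();
  const tags = new Map();
  for (const spec of specs) {
    const eq = spec.indexOf("=");
    if (eq === -1) throw new Error(`tag-spec without "=": ${JSON.stringify(spec)}`);
    const name = spec.slice(0, eq).trim();
    const value = spec.slice(eq + 1).trim();
    if (!TAG_NAME.test(name)) throw new Error(`ill-formed tag name ${JSON.stringify(name)}`);
    if (value !== "" && !TAG_VALUE.test(value)) throw new Error(`ill-formed value of tag ${name}`);
    if (tags.has(name)) throw new Error(`duplicate tag ${name}`);
    tags.set(name, value);
  }
  return tags;
}

// Classifies a selector: "ok" if it matches the grammar, "warning" if the
// only deviation is one or more underscores (no security impact, so the
// signature is still accepted), "error" otherwise.
function checkSelector(selector) {
  if (SELECTOR.test(selector)) return { status: "ok", selector };
  // Swap every "_" for a letter: if the result is valid, underscores were
  // the only problem.
  if (SELECTOR.test(selector.replace(/_/g, "x"))) {
    return { status: "warning", selector, reason: "underscore in selector" };
  }
  return { status: "error", selector, reason: "selector is not a valid sub-domain list" };
}

// Parse a header value and check its s= tag (which RFC 6376 requires).
function checkDkimSignatureSelector(headerValue) {
  const tags = parseTagList(headerValue);
  if (!tags.has("s")) return { status: "error", selector: null, reason: "missing s= tag" };
  return checkSelector(tags.get("s"));
}

// Constructed sample header value, folded over three lines, with dummy
// bh= and b= values; the selector contains an underscore.
const SAMPLE_HEADER_VALUE =
  "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail_2024;\r\n" +
  "\th=from:to:subject:date; bh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;\r\n" +
  "\tb=AAAA";

console.log(checkDkimSignatureSelector(SAMPLE_HEADER_VALUE));
// → { status: 'warning', selector: 'mail_2024', reason: 'underscore in selector' }
```

The selector is only used to build the DNS name `<selector>._domainkey.<d=>` of the public key record, which is why an underscore in it is a grammar violation and not a security problem: the key lookup either succeeds or it does not.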
The add-on probably fails to connect to the first DNS server. Disable the loading of DNS servers from the OS configuration (these are tried first) and list only working DNS servers in the "DNS name server" field. More info about the DNS options can be found here.
Make sure you are using the libunbound resolver. The default JavaScript DNS library does not support DNSSEC. More info about the DNS options can be found here.
There are two possible causes for this.
1. A sign rule says the e-mail should be signed.
Search the "Signers rules" and "Default signers rules" for the responsible rule. If the rule is in "Signers rules", either modify or remove it. If the rule is in "Default signers rules", please report it. Until this is fixed in the default rules you can either create a custom rule overriding the responsible default one (example here) or disable the usage of the default rules completely.
2. A heuristic says the e-mail should be signed.
As this is only a heuristic, it can produce false results. If you encounter such a false result, create a custom sign rule for the problematic domain explicitly saying that e-mails from the domain do not necessarily have to be signed (example here).
In some cases there is a problem with the local DNS forwarder "dnsmasq" returning no result even if the key exists. Disable the loading of DNS servers from the OS configuration to use a different DNS server. More info about the DNS options can be found here.