Jan 11 2018 06:43 AM - last edited on Feb 06 2023 04:00 AM by TechCommunityAP
Is it normal for Exchange Online Protection to modify the body of messages in transit? It seems like this would break DKIM, S/MIME, and PGP signatures, among other concerns.
Body of message in transit, as enqueued to Exchange Online Protection

```
--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"

test 123
--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test 123</div>
--f403043c34cc657e800562729e22--
```
Body of message after being processed by Exchange Online Protection

```
--f403043c34cc657e800562729e22
Content-Type: text/plain; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

test 123
--f403043c34cc657e800562729e22
Content-Type: text/html; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">test 123</div>
--f403043c34cc657e800562729e22--
```
Jan 11 2018 10:35 AM
Those seem like just additional headers that are added by EOP, or am I missing something here?
Jan 11 2018 12:36 PM
They are not being added as headers of the message, as defined by https://tools.ietf.org/html/rfc5322 (which would not affect the DKIM signature). They're being added as MIME body part headers within a multipart construct, as defined by https://tools.ietf.org/html/rfc2045 (DKIM does not have a mechanism for signatures to survive this type of modification.)
This makes it impossible for clients to validate DKIM signatures, which seems to not honor the spirit of the DKIM internet standard https://tools.ietf.org/html/rfc6376
2.2. Verifiers

Elements in the mail system that verify signatures are referred to as Verifiers. These may be MTAs, Mail Delivery Agents (MDAs), or MUAs. In most cases, it is expected that Verifiers will be close to an end user (reader) of the message or some consuming agent such as a mailing list exploder.
I'm wondering if that's intentional.
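Added example, not part of the original thread: the RFC 6376 body hash computed over the multipart body before and after a header line is inserted into each MIME part, showing that neither the `simple` nor the `relaxed` canonicalization absorbs that change. The function names and the placeholder header value are assumptions for illustration; the `l=` body length tag is not handled.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, the value a verifier compares with bh=."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def add_part_header(body: bytes, header: bytes) -> bytes:
    """Insert `header` after each part-level Content-Type line, as in the thread's second dump."""
    return re.sub(rb"(?m)^Content-Type:[^\r\n]*\r\n",
                  lambda m: m.group(0) + header + b"\r\n", body)

# Constructed sample: the body from the thread with CRLF line endings restored.
BOUNDARY = b"--f403043c34cc657e800562729e22"
ORIGINAL = b"\r\n".join([
    BOUNDARY, b'Content-Type: text/plain; charset="UTF-8"', b"", b"test 123", b"",
    BOUNDARY, b'Content-Type: text/html; charset="UTF-8"', b"",
    b'<div dir="ltr">test 123</div>', b"",
    BOUNDARY + b"--", b"",
])
# Header name is from the thread; the value is a constructed placeholder.
MODIFIED = add_part_header(ORIGINAL, b"X-Microsoft-Exchange-Diagnostics: constructed-value")

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        before, after = body_hash(ORIGINAL, mode), body_hash(MODIFIED, mode)
        print(f"{mode:8} signed={before} received={after} match={before == after}")
```

Relaxed canonicalization only tolerates whitespace changes within lines and trailing empty lines, so a verifier downstream of the modification sees a body hash mismatch under either mode.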
May 24 2024 11:16 PM