Email-Server

Why does sendmail add an extra line break in the header?

  • March 1, 2016

I am running SendMail 8.14.4 on a CentOS 5 server.

A user in Japan is sending a message, and when it is processed by the server, SendMail for some reason adds an extra line break.

The email contains an X header whose value (probably) contains international characters. I say "probably" because when I inspect the MIME source with Notepad++ I see things like STX and CAN.

I have been able to narrow the test down to this:

[image]

If I send it through Sendmail, it ends up leaving SendMail like this:

[image] (IPs, queue IDs and hostnames changed to protect the innocent)

Now obviously there is a potential red flag here: the header value starts with a quote but has no closing quote. Is that required by the RFC standard, or is that part a red herring?

The end result is that the header value leaks into the message body:

[image]

Any ideas as to why sendmail adds the extra line break?

This is actually quite simple: RFC 2822 §2.2.3 allows long headers, where a header is a field name followed by a colon, to be folded and continued on the next line as long as (simplified) the next line starts with whitespace.

> The general rule is that wherever this standard allows for folding white space (not simply WSP characters), a CRLF may be inserted before any WSP. For example, the header field:
>
> Subject: This is a test
>
> can be represented as:
>
> Subject: This
>  is a test

Line 3 of the original input starts not with a space, but with the character c, and does not contain a colon (:), which makes it neither the continuation of the previous header nor the next header field (§2.2).

That marks it as the end of the headers…

And the start of the body.

Sendmail “corrects” that malformed message and adds the required blank line between what it perceives as the end of the headers and the start of the body.

A simple telnet mail session can reproduce that behaviour:

[user@example ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

<<< 220 example.com ESMTP Sendmail 8.14.4/8.14.4; Fri, 17 Jul 2015 20:29:26 +0200

helo localhost

<<< 250 example.com Hello localhost [127.0.0.1], pleased to meet you

mail from:me@localhost

<<< 250 2.1.0 me@localhost... Sender ok

RCPT TO:user@example.com

<<< 250 2.1.5 user@example.com... Recipient ok

data

<<< 354 Enter mail, end with "." on a line by itself

Subject: test
X-header: do not try
this at home

start the body
.
<<< 250 2.0.0 t6HITQXA020072 Message accepted for delivery
quit

Which results in a similar message to your example:

[user@example ~/Maildir/new]$ cat 1437157845.20091_2.example.com

Return-Path: <me@example.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=ALL_TRUSTED,BAYES_00,
       MISSING_HEADERS autolearn=no version=3.3.1
Received: from localhost (localhost [127.0.0.1])
       by example.com (8.14.4/8.14.4) with SMTP id t6HITQXA020072
       for herman@example.com; Fri, 17 Jul 2015 20:30:06 +0200
Date: Fri, 17 Jul 2015 20:29:26 +0200
From: me@example.com
Message-Id: <201507171830.t6HITQXA020072@example.com>
Subject: test
X-header: do not try

this at home

start the body

With an additional new line between the original header continuation and the “new” start of the body.
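As an added example (not code from the answer, the question or sendmail itself), the following Python applies the header-section rule the answer quotes from RFC 2822 §2.2.3: a header line is a field name, a colon and a value; a continuation line starts with whitespace; the first line that is neither ends the headers and starts the body. The function names, the constructed sample messages and the 20-character fold limit are this example's own assumptions. It shows the unfolded continuation line pushing the rest of the header into the body, a correctly folded header (continuation starting with a space) unfolding to one value, Python's standard email parser recording the same defect, and a check that flags control characters or non-ASCII text in a header value (the STX/CAN bytes the question saw) before the message is submitted.

```python
"""Worked example (constructed; not code from the Server Fault post) of the
RFC 2822/5322 header-section rule: a header line is "field-name ':' value",
a continuation line starts with WSP (SP or HTAB), and the first line that is
neither ends the header section and begins the body."""
import email
import email.errors
import email.header
import re

# RFC 5322 s3.6.8: field-name = 1*ftext, ftext = printable ASCII except ':'
_HEADER_LINE_RE = re.compile(r"^([\x21-\x39\x3b-\x7e]+):(.*)$")


def split_message(raw: str):
    """Split raw text into (headers, body) the way a strict MTA does.

    headers: list of (name, unfolded value).  body: everything from the first
    line that is neither a header nor a WSP continuation.  The normal blank
    separator is consumed; any other such line stays as the first body line,
    which is exactly the "leak" seen in the question.
    """
    lines = re.split(r"\r?\n", raw)
    headers = []
    for idx, line in enumerate(lines):
        if headers and line[:1] in (" ", "\t"):
            # Folded continuation: unfolding (s2.2.3) removes only the CRLF,
            # the leading WSP remains part of the value.
            name, value = headers[-1]
            headers[-1] = (name, value + line)
            continue
        m = _HEADER_LINE_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2).strip()))
            continue
        body_start = idx + 1 if line == "" else idx
        return headers, "\n".join(lines[body_start:])
    return headers, ""


def fold_header(name: str, value: str, limit: int = 78) -> str:
    """Fold a long value at whitespace so that every continuation line starts
    with a single SP (RFC 5322 s2.2.3) and lines stay within `limit` chars."""
    out, current = [], f"{name}:"
    for word in value.split():
        if current != f"{name}:" and len(current) + 1 + len(word) > limit:
            out.append(current)
            current = " " + word
        else:
            current += " " + word
    out.append(current)
    return "\r\n".join(out)


def header_value_problems(value: str):
    """Report characters that may not appear raw in a header field body
    (RFC 5322 s2.2 allows printable US-ASCII plus SP and HTAB).  Control
    characters such as STX (0x02) or CAN (0x18), which the question saw in the
    raw MIME, should be rejected before submission; non-ASCII text belongs in
    an RFC 2047 encoded-word (see encoded_word below)."""
    problems = []
    for ch in value:
        code = ord(ch)
        if ch in "\r\n":
            problems.append("bare line break")
        elif (code < 0x20 and ch != "\t") or code == 0x7F:
            problems.append(f"control character U+{code:04X}")
        elif code > 0x7E:
            problems.append(f"non-ASCII U+{code:04X}")
    return problems


def encoded_word(value: str) -> str:
    """Encode a non-ASCII value as an RFC 2047 encoded-word (stdlib), the
    portable way to carry Japanese text in an X- header."""
    return email.header.Header(value, "utf-8").encode()


def decode_word(encoded: str) -> str:
    """Decode an RFC 2047 encoded-word back to text (round-trip check)."""
    return str(email.header.make_header(email.header.decode_header(encoded)))


def stdlib_flags_missing_separator(raw: str) -> bool:
    """Cross-check: Python's email parser applies the same rule and records a
    MissingHeaderBodySeparatorDefect when a non-header line ends the headers."""
    msg = email.message_from_string(raw)
    return any(isinstance(d, email.errors.MissingHeaderBodySeparatorDefect)
               for d in msg.defects)


# Constructed sample messages mirroring the answer's telnet session.
BAD = "Subject: test\r\nX-header: do not try\r\nthis at home\r\n\r\nstart the body"
GOOD = ("Subject: test\r\n" + fold_header("X-header", "do not try this at home", 20)
        + "\r\n\r\nstart the body")

if __name__ == "__main__":
    for label, raw in (("malformed", BAD), ("folded", GOOD)):
        hdrs, body = split_message(raw)
        print(label, hdrs, repr(body), stdlib_flags_missing_separator(raw))
    print(header_value_problems("caf\u00e9 \x02\x18"), encoded_word("\u65e5\u672c"))
```

The practical fix sits with the sending application, not the MTA: fold long values with a leading space on each continuation line, and put non-ASCII text in an encoded-word instead of raw bytes, so that no line in the header section is left without either a colon or leading whitespace.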

Source: https://serverfault.com/questions/706633