Stupid Email Tricks

I’ve been working on adding play-by-email support to my turn-based game server. The first problem I hit was that the PGP signatures on the server’s messages were invalid when I checked them on my email client. This led to lots of debugging and unit tests in my crypto utility. That’s not really wasted effort, but it also wasn’t the problem.

It turns out that even though the RFC limit on line length is 1000 characters and there are well-known implementation limits that are only slightly lower, there exists somewhere in the chain from Google AppEngine to Apple Mail some chunk of code that inserts newlines into lines that are much shorter. I didn’t do exhaustive testing, but it seems to happen before 80. The perfectly valid signatures were being rendered invalid because somebody was altering the message after the server signed it and handed it off to the transport agent.

The solution I chose was to use WordUtils from commons-text and to wrap the message at 70 characters before signing. This seems to work. It’s just kind of dumb that it’s necessary, but it’s a good reminder that the thing in your inbox may not actually be the thing sent to you by whomever, and that PGP signing your messages is a good idea even if you don’t encrypt them.
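The failure and the fix described above, as an added example that is not the post's own code. Python's `textwrap` stands in for `WordUtils`, a SHA-256 digest over the canonicalized text stands in for the PGP signature, and the hop that folds lines longer than 78 characters is a hypothetical model of whatever altered the message in transit.

```python
import hashlib
import textwrap

WRAP_AT = 70        # width the post wraps to before signing
TRANSPORT_MAX = 78  # assumed limit of the hypothetical re-wrapping hop

def wrap_body(body: str, width: int = WRAP_AT) -> str:
    """Wrap every line to `width`, splitting unbreakable tokens as well."""
    out = []
    for line in body.splitlines():
        # textwrap.wrap returns [] for a blank line; keep the blank line.
        out.extend(textwrap.wrap(line, width=width, break_long_words=True,
                                 break_on_hyphens=False) or [""])
    return "\n".join(out)

def signed_digest(body: str) -> str:
    """Stand-in for the signature: SHA-256 over the text canonicalized as for
    an OpenPGP cleartext signature (trailing spaces/tabs stripped, CRLF)."""
    lines = [line.rstrip(" \t") for line in body.splitlines()]
    return hashlib.sha256("\r\n".join(lines).encode("utf-8")).hexdigest()

def simulated_transport(body: str, limit: int = TRANSPORT_MAX) -> str:
    """Hypothetical hop: folds lines longer than `limit`, emits CRLF."""
    out = []
    for line in body.splitlines():
        out.extend([line] if len(line) <= limit else textwrap.wrap(
            line, width=limit, break_long_words=True, break_on_hyphens=False))
    return "\r\n".join(out)

def survives_transport(body: str) -> bool:
    """True if the digest computed by the sender still matches on receipt."""
    return signed_digest(body) == signed_digest(simulated_transport(body))

# Constructed sample message: one long prose line, one long unbreakable token.
SAMPLE = (
    "Turn 12 is ready.\n"
    "\n"
    "Your opponent moved the cavalry from the northern ridge to the river "
    "ford and reinforced the garrison at the bridge.\n"
    "Reply token: " + "A1b2" * 25 + "\n"
)

if __name__ == "__main__":
    print("signed as-is  :", survives_transport(SAMPLE))
    print("wrapped first :", survives_transport(wrap_body(SAMPLE)))
```

Line-ending and trailing-whitespace changes are absorbed by the canonicalization, but an inserted line break is not, which is why the long token has to be split before signing as well as the prose.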

Published by pirateguillermo


2 thoughts on “Stupid Email Tricks”

  1. Dude. Just take the plunge and send multipart MIME content. PITA, but that’s the only way to be sure that some damn MTA or client won’t mess up your content.

    1. Yeah, you say that like it’s just an irritation, no big deal. And yet. I have now spent a day looking through examples and RFCs and writing test code just to give this a whirl and so far I can tell you that it would be easier just to transcribe the email messages onto paper and send them through the postal service. Seriously, wtf is wrong with these people? Why hasn’t anyone said, “So, you want your web service to be able to send emails to clients and you want those clients to be able to send emails back to the service, and you want all those emails to be signed and, as well, you want some of them to be encrypted. So, here’s what you’ve gotta do…”? Because I’m the only person in the whole wide world who does this sort of thing?
