Strictness of Signer == Sender check for S/MIME signed mails


as I found out, Release 5.4.0 included a fix for a problem that it was not verified that the signer of a mail is also the sender (Header-From) of the mail. I appreciate this fix as it is very important for the integrity of signatures!

However, I noticed today that some mails are marked as having an invalid signature because of the casing of the senders local part:

W, [2023-03-31T16:35:08.745676#532864-778060] WARN -- : S/MIME mail signed by but sender is

While this is the correct behaviour according to the Mail RFC (RFC2821, Section 2.4: “The local-part of a mailbox MUST BE treated as case sensitive.”), most mail clients do not care and ignore the casing. An example in Thunderbird (Outlook does the same):

According to the Robustness Principle, it might be good to ignore the casing for the localpart as this is the reality how mail is handled. However, AppleMail is an example for a large mail client that actually enforces casing.

I leave it up for discussion / your choice if it would be better sticking to the RFC or to pragmatism. All I can say is that casing in mails and certificates regularly creates problems for us.