Re: DKIM plugin

2007-07-30 Thread Ask Bjørn Hansen


On Jul 25, 2007, at 13:59, Matthew Harrell wrote:


> Okay, here's a working version of the plugin I have.


Awesome!

Any chance you can add them to the Google Issue tracker?

http://code.google.com/p/smtpd/issues/list


 - ask

--
http://develooper.com/ - http://askask.com/




Re: DKIM plugin

2007-07-30 Thread Matthew Harrell
> Awesome!
>
> Any chance you can add them to the Google Issue tracker?
>
>    http://code.google.com/p/smtpd/issues/list

Does it work alright for you?  I have slightly updated versions here

http://alecto.bittwiddlers.com/files/qpsmtpd/dkimsign
http://alecto.bittwiddlers.com/files/qpsmtpd/dkimcheck

which have a size check since it put a seriously high load on my computer
when I sent a 12 MB message.  Those are the latest versions I'm running

I didn't even know about the Issue Tracker but I'll check into it this 
afternoon and see what I have to do.  I know there are a number of 
improvements that could be made to the programs

-- 
  Matthew Harrell  I don't suffer from insanity - 
  Bit Twiddlers, Inc.   I enjoy every minute of it.
  [EMAIL PROTECTED] 


Re: DKIM plugin

2007-07-25 Thread Matthew Harrell

Okay, here's a working version of the plugin I have.  You can get Mail::DKIM
from here http://jason.long.name/dkimproxy/ along with a program that I used
as a template, dkimproxy, and that works with Postfix.  Rather than puzzling
out how to get that kind of a program to work for qmail I integrated the 
methods into the attached plugin.  I run the plugin with this line in the
plugins file

  dkimsign selector=alecto domains=bittwiddlers.com,bitnerd.com keyfile=/etc/ssl/certs/dkim-alecto.private

and have it set up to only sign messages being sent from allowable relay
clients (so I know it's originating here) and being sent from one of the
specified domains.  It seems to work fine with all of the automated test
filters I tried it against.  If anyone finds a problem or fixes anything
please let me know so I can update my version.

My next task will be to finish my dkimcheck plugin which will check the 
DKIM / DomainKey signature on incoming messages

-- 
  Matthew Harrell  I don't suffer from insanity - 
  Bit Twiddlers, Inc.   I enjoy every minute of it.
  [EMAIL PROTECTED] 
=head1 NAME

dkimsign -- Compute and insert a DKIM signature into a message

=head1 DESCRIPTION

This plugin will check the message against the specified list of domains 
and DKIM sign it if it's from an address that it's authorized to sign for.

=head1 CONFIG

There are three required parameters for this plugin to work correctly:
the selector name, the domains it can sign for, and the private keyfile.
All other arguments are optional and have sane default values.

=over 4

=item domains=[signing domains]

This parameter defines the comma separated list of domains for which the
plugin will sign messages.

=item keyfile=[/path/to/private.key]

This is the path to the private DKIM key that messages will be signed with.

=item selector=[selector name]

This is the selector name for the key that is signing.

=item method=[simple|nowsp|relaxed|nofws]

Select the canonicalization method.  Currently defaults to relaxed.

=item type=[dkim|domainkeys]

Whether to do DKIM or DomainKeys signing.  Currently only DKIM is supported.

=back

=head1 TODO

Add in the ability to specify a regex for the key name so different keys
can be specified for different domains.

Add in DomainKeys signing (inherent in the DKIM library).

=cut


use strict;
use Mail::DKIM;
use Mail::DKIM::Signer;

# enable support for pretty signatures, if available
#  seems to break when using qmail but works for postfix?
#eval "require Mail::DKIM::TextWrap";


sub register {
  my ( $self, $qp, @args ) = @_;
  my %args;

  # defaults for the optional arguments
  $self->{_method} = "relaxed";
  $self->{_type} = "dkim";

  # each argument must match its whitelist pattern exactly; hyphens are
  #  accepted in domain and selector names
  for ( @args ) {
    if ( /^domains=([\.\,\-a-z0-9A-Z]*)$/ ) {
      $self->{_domains} = $1;
    }
    elsif ( /^keyfile=(\/[\/\-\_\.a-z0-9A-Z]*)$/ ) {
      $self->{_keyfile} = $1;
    }
    elsif ( /^method=(simple|nowsp|relaxed|nofws)$/ ) {
      $self->{_method} = $1;
    }
    elsif ( /^selector=([\.\-a-z0-9A-Z]*)$/ ) {
      $self->{_selector} = $1;
    }
    elsif ( /^type=(dkim|domainkeys)$/ ) {
      $self->{_type} = $1;
    }
    else {
      $self->log(LOGERROR, "Unrecognized argument '$_' to dkimsign plugin");
      return undef;
    }
  }

  # $self->log ( LOGNOTICE, "dkimsign args: domains: " . $self->{_domains}
  #  . "  keyfile: " . $self->{_keyfile} . "  method: "
  #  . $self->{_method} . "  selector: " . $self->{_selector}
  #  . "  type: " . $self->{_type} );

  # the three required parameters
  unless ( $self->{_domains} ) {
    $self->log ( LOGERROR, "No domains defined" );
    return undef;
  }
  unless ( $self->{_keyfile} ) {
    $self->log ( LOGERROR, "No keyfile defined" );
    return undef;
  }
  unless ( $self->{_selector} ) {
    $self->log ( LOGERROR, "No selector defined" );
    return undef;
  }

  1;
}


sub hook_data_post {
  my ( $self, $transaction ) = @_;

  # don't bother to continue if we're not allowed to relay for this client
  #
  unless ( $self->qp->connection->relay_client ) {
    return DECLINED;
  }

  my @domains = split ( ",", $self->{_domains} );
  my $address = $transaction->sender->host;

  # ensure that the domain we're sending from is one of the signing domains
  #  (domain names compare case-insensitively)
  #
  foreach my $domain ( @domains ) {
    # $self->log ( LOGNOTICE, "DKIM: comparing $domain to $address" );

    if ( lc ( $domain ) eq lc ( $address ) ) {

      my $dkim = Mail::DKIM::Signer->new (
        Domain   => $address,
        KeyFile  => $self->{_keyfile},
        Method   => $self->{_method},
        Selector => $self->{_selector},
      );

      # take all the headers, reformat them to eliminate cr/lf and push into
      #  dkim.  dkim seems particular about the cr/lf
      #  (unfolding like this only matches the message as sent when the
      #  header canonicalization is relaxed)
      #
      my %hdrs = %{ $transaction->header->header_hashref() };

      foreach my $key ( keys %hdrs ) {
        # a header that occurs more than once (e.g. Received) is pushed
        #  as separate lines, in order, rather than merged into one
        foreach my $line ( @{$hdrs{$key}} ) {
          ( my $val = $line ) =~ s/[\n\r]//g;

          # $self->log ( LOGNOTICE, "Hdr: " . $key . ": " . $val );
          $dkim->PRINT ( $key . ": " . $val . "\x0D\x0A" );
        }
      }

      # push the body of the message on 

Re: DKIM plugin

2007-07-25 Thread Matthew Harrell

Attached is a simple DKIM signature checking plugin.  Prints the results 
to the log and as a header in the message

-- 
  Matthew Harrell  I love defenseless animals,
  Bit Twiddlers, Inc.   especially in a good gravy.
  [EMAIL PROTECTED] 
=head1 NAME

dkimcheck -- Check the DKIM / DomainKeys signatures in a message

=head1 DESCRIPTION

If an incoming message has a DKIM signature then this plugin will check
the validity of the message and report the results as a header in the 
mail message.

=head1 CONFIG

None needed right now

=head1 TODO

Add check for DomainKeys

Add in ability to reject messages that fail the check

=cut


use strict;
use Mail::DKIM;
use Mail::DKIM::Verifier;


sub hook_data_post {
  my ($self, $transaction) = @_;

  # drop any X-DKIM-Authentication header supplied by the sender so that
  #  only a result computed here can reach downstream filters
  $transaction->header->delete ( 'X-DKIM-Authentication' );

  # if this isn't signed, just move along
  return DECLINED unless $transaction->header->get( 'DKIM-Signature' );

  my $dkim = Mail::DKIM::Verifier->new;

  # take all the headers, reformat them to eliminate cr/lf and push into
  #  dkim.  dkim seems particular about the cr/lf
  #  (unfolding like this only matches the message as received when the
  #  signature uses relaxed header canonicalization)
  #
  my %hdrs = %{ $transaction->header->header_hashref() };

  foreach my $key ( keys %hdrs ) {
    # a header that occurs more than once (e.g. Received) is pushed
    #  as separate lines, in order, rather than merged into one
    foreach my $hdr ( @{$hdrs{$key}} ) {
      ( my $val = $hdr ) =~ s/[\n\r]//g;

      # $self->log ( LOGNOTICE, "Hdr: " . $key . ": " . $val );
      $dkim->PRINT ( $key . ": " . $val . "\x0D\x0A" );
    }
  }

  # push the body of the message on ensuring the cr/lf are correct
  #
  $transaction->body_resetpos;

  while ( my $line = $transaction->body_getline ) {
    chomp ( $line );
    $line =~ s/\015$//;

    # $self->log ( LOGNOTICE, "Body: " . $line );
    $dkim->PRINT ( $line . "\x0D\x0A" );
  }

  $dkim->CLOSE;

  # get the key policy - need to act on this
  #
  my $policy = $dkim->fetch_author_policy;
  my $policy_result = $policy->apply ( $dkim );

  # a DKIM-Signature header that cannot be parsed leaves no signature object
  my $sig = $dkim->signature;
  my $summary = "domain: " . ( $sig ? $sig->domain : "unknown" ) .
                ", selector: " . ( $sig ? $sig->selector : "unknown" ) .
                ", result: " . $dkim->result_detail .
                ", policy: " . $policy_result;

  # print the result
  #
  $transaction->header->replace ( "X-DKIM-Authentication", $summary );

  $self->log ( LOGNOTICE, "dkimcheck: " . $summary );

  return DECLINED;
}
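
Both plugins strip CR/LF from each header before handing it to Mail::DKIM. The following added example (not part of the posted plugins) uses a hand-written version of the RFC 6376 header canonicalizations to show why that is harmless with method=relaxed but changes the signed bytes with method=simple; `plugin_unfold` and the sample header are constructed for illustration.

```perl
use strict;
use warnings;

# RFC 6376 section 3.4.1: "simple" leaves the header field untouched.
sub canon_simple {
    my ($field) = @_;
    return $field;
}

# RFC 6376 section 3.4.2: "relaxed" lowercases the name, unfolds the value,
# collapses whitespace runs and trims around the colon and the line end.
sub canon_relaxed {
    my ($field) = @_;
    my ( $name, $value ) = split /:/, $field, 2;
    $name = lc $name;
    $name =~ s/[ \t]+\z//;
    $value =~ s/\x0D\x0A(?=[ \t])//g;       # unfold continuation lines
    $value =~ s/[ \t]*(?:\x0D\x0A)?\z//;    # drop trailing WSP and CRLF
    $value =~ s/[ \t]+/ /g;                 # collapse WSP runs to one SP
    $value =~ s/\A //;                      # no WSP right after the colon
    return "$name:$value\x0D\x0A";
}

# Hypothetical helper modelling what the plugins do to each header:
# remove every CR and LF from the value, then terminate with one CRLF.
sub plugin_unfold {
    my ($field) = @_;
    my ( $name, $value ) = split /:/, $field, 2;
    $value =~ s/[\n\r]//g;
    return $name . ":" . $value . "\x0D\x0A";
}

# Constructed sample: a folded Subject header as it appears on the wire.
my $wire = "Subject: quarterly\x0D\x0A\t report   attached\x0D\x0A";
my $fed  = plugin_unfold($wire);

# Compare what would be hashed for the wire form and for the unfolded form.
for my $method ( [ simple => \&canon_simple ], [ relaxed => \&canon_relaxed ] ) {
    my ( $label, $canon ) = @$method;
    my $same = $canon->($wire) eq $canon->($fed);
    printf "%-8s %s\n", $label,
        $same ? "hash input unchanged by unfolding"
              : "hash input differs from the wire form";
}
```

For a verifier this means a valid signature made with simple header canonicalization over a folded header would be reported as failed; for the signer it means method=simple can produce signatures that do not match the message as sent.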


Re: DKIM plugin

2007-07-20 Thread Matthew Harrell

: Both John Peacock and myself had a stab at this a while ago but I never
: got libdkim to compile correctly - though from memory John might have -
: and so I ditched the idea.  You can probably find our discussions in the
: mailing list archives.

Yeah, I did see that discussion but noticed that there was also a standard
Debian package for both libdkim and libdkim-perl so I figured that whatever
the problem was it had been resolved.

: Be good to develop a plug-in that validates and signs...

Well my skills at using the qpsmtpd framework are pretty minimal and
it's been a while since I've done any perl programming but I was able
to get a signing plugin to mostly work when I hacked at it last night.
It's supremely ugly and I'm having an issue getting DKIM to recognize the
headers but that's probably related to me having to rebuild the message.
The DKIM library wants the entire (headers and body) message passed into
it so it can account for any headers it can find.  Is there a way I can
get the entire, unaltered message inside hook_data_post?  Right now I'm
attempting to loop through and rebuild the headers and then push them and
the body to the library.

-- 
  Matthew Harrell  Dogs have masters,
  Bit Twiddlers, Inc.   cats have staff
  [EMAIL PROTECTED]


Re: DKIM plugin

2007-07-19 Thread James Turnbull
Matthew Harrell wrote:
> I was just getting ready to write a plugin to create DKIM signatures for
> qpsmtpd but I thought I would check and see if anyone has already done it.
> What I'm looking for is something that will create the proper DKIM signature
> on properly relayed emails before they go out.  A google search didn't show
> anything.  While it's easy enough to integrate postfix with dkimproxy it
> looks like it would be a bit of a pain with qmail unless I want to write
> a qmail-queue replacement.

Matthew

Both John Peacock and myself had a stab at this a while ago but I never
got libdkim to compile correctly - though from memory John might have -
and so I ditched the idea.  You can probably find our discussions in the
mailing list archives.

Be good to develop a plug-in that validates and signs...

Regards

James Turnbull

-- 
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)






Re: DKIM plugin

2006-12-03 Thread James Turnbull
John Peacock wrote:
> the Makefile.  There are also some Windows-only macros that need replacing.
> It's a complete bodge, if you ask me.  Maybe I'll get something running 
> tomorrow...

John

I am just contemplating starting work on this again (even have hopes of
doing a DKIM signing plug-in also).  Did you get any further with this?
I lodged a bug with the libdkim people but got no response.

Regards

James Turnbull

-- 
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)





Re: DKIM plugin

2006-09-25 Thread John Peacock

James Turnbull wrote:

> Hi all,
>
> Does anyone know of a DKIM plugin?  I found the DomainKeys plugin and am
> wondering if anyone has developed one for DKIM also?


I was starting to work on one, but I can't get the libdkim distro to 
compile with a modern GCC (I sent them an e-mail, but never heard back 
after the initial ACK).  It's hard to write a plugin if you cannot 
generate a suitably signed message.  I also have a [natural] bias that I 
won't spend [that much] time on something that I'm not willing/able to 
run myself.


John


Re: DKIM plugin

2006-09-25 Thread James Turnbull
John Peacock wrote:
> I was starting to work on one, but I can't get the libdkim distro to
> compile with a modern GCC (I sent them an e-mail, but never heard back
> after the initial ACK).  It's hard to write a plugin if you cannot
> generate a suitably signed message.  I also have a [natural] bias that I
> won't spend [that much] time on something that I'm not willing/able to
> run myself.

Yes - just discovered that little compilation problem.  I'll raise it
with them and see if I get a response.

Thanks

James Turnbull


Re: DKIM plugin

2006-09-25 Thread John Peacock
James Turnbull wrote:
> Yes - just discovered that little compilation problem.  I'll raise it
> with them and see if I get a response.

Actually, it's not such a little problem.  Apparently, the authors only develop
on Windows, so the *nix Makefile is basically non-functional.  I've gotten as
far as replacing my system OpenSSL with the latest 0.9.8c release and rewritten
the Makefile.  There are also some Windows-only macros that need replacing.
It's a complete bodge, if you ask me.  Maybe I'll get something running 
tomorrow...

John