Murray S. Kucherawy wrote: > On Thu, 10 Jan 2008, Alin N�~Cstac wrote: >> Will you accept a patch that does just that? For proving my point >> (that DKIM should also accept valid domain signatures on subdomain >> messages), please see example from the appendix A of the RFC 4871. > > Note that RFC4871 doesn't define anything having to do with SSP. SSP > (and thus the logic implemented in the dkim_policy() function) is > defined by draft-ietf-dkim-ssp-01. The attached patches fixes the issue I've told you about: - subdomain-identity.patch adds the [EMAIL PROTECTED] if and only if SubDomains=yes and the sender address is [EMAIL PROTECTED] Also, I think dkim-filter could be improved by always adding [EMAIL PROTECTED] when message has been sent over an authenticated SMTP session and username is equal with local part of the sender address. However, this is regarded as local policy which I understand of being outside the dkim-filter's scope.
- verify-subdomain.patch correct dkim_policy() It will return DKIM_PRESULT_VALIDOSIG state if sender domain address is a subdomain of the signer domain and used key TXT entry don't have "t=s" in it. I didn't take into account the SSP's "t" tag (IMO there is no need to do it) and I was forced to use dkim_param_get(..,"i") because dkim->dkim_signer is not set when dkim-filter verifies a signature. A proper way of doing that would be to populate dkim_signer with "i" value before dkim_policy() is called. In conclusion, these patches corrects the behavior of dkim-filter regarding subdomain signing. The only specification taking into account was the RFC 4871. Please observe it has nothing to do with anything regarded as local policy by the aforementioned RFC. Cheers, Alin
diff -Nru dkim-milter-2.4.2.orig/dkim-filter/dkim-filter.c dkim-milter-2.4.2/dkim-filter/dkim-filter.c
--- dkim-milter-2.4.2.orig/dkim-filter/dkim-filter.c 2007-12-31 23:06:01.000000000 +0100
+++ dkim-milter-2.4.2/dkim-filter/dkim-filter.c 2008-01-12 12:54:14.000000000 +0100
@@ -2279,7 +2279,7 @@
connctx cc;
msgctx dfc;
char *p;
- char *user;
+ char *user, *domain;
#ifdef _FFR_VBR
char *vbr_cert = NULL;
char *vbr_type = NULL;
@@ -2287,6 +2287,7 @@
Header from;
Header hdr;
char addr[MAXADDRESS + 1];
+ bool subdomainidentity = FALSE;
assert(ctx != NULL);
@@ -2366,9 +2367,9 @@
/* extract the sender's domain */
sm_strlcpy(addr, from->hdr_val, sizeof addr);
- status = rfc2822_mailbox_split(addr, &user, &dfc->mctx_domain);
- if (status != 0 || user == NULL || dfc->mctx_domain == NULL ||
- user[0] == '\0' || dfc->mctx_domain[0] == '\0')
+ status = rfc2822_mailbox_split(addr, &user, &domain);
+ if (status != 0 || user == NULL || domain == NULL ||
+ user[0] == '\0' || domain[0] == '\0')
{
if (dolog)
{
@@ -2381,6 +2382,7 @@
dfc->mctx_status = DKIMF_STATUS_BADFORMAT;
return SMFIS_CONTINUE;
}
+ dfc->mctx_domain = domain;
/* assume we're not signing */
dfc->mctx_signalg = DKIM_SIGN_UNKNOWN;
@@ -2421,7 +2423,7 @@
}
}
- if (subdomains)
+ if (subdomains && !domainok)
{
for (p = strchr(dfc->mctx_domain, '.');
p != NULL && !domainok;
@@ -2459,6 +2461,9 @@
}
}
}
+
+ if (domainok)
+ subdomainidentity = TRUE;
}
}
@@ -2712,6 +2717,16 @@
if (dfc->mctx_dkim == NULL && status != DKIM_STAT_OK)
return dkimf_libstatus(ctx, "dkim_new()", status);
+ if (dfc->mctx_signing && subdomainidentity)
+ {
+ char identity[MAXADDRESS + 1];
+
+ snprintf(identity, sizeof identity, "@%s",
+ domain);
+
+ dkim_set_signer(dfc->mctx_dkim, identity);
+ }
+
#if _FFR_VBR
/* establish a VBR handle */
dfc->mctx_vbr = vbr_init(NULL, NULL, NULL);
diff -Nru dkim-milter-2.4.2.orig/libdkim/dkim.c dkim-milter-2.4.2/libdkim/dkim.c
--- dkim-milter-2.4.2.orig/libdkim/dkim.c 2007-12-31 23:55:11.000000000 +0200
+++ dkim-milter-2.4.2/libdkim/dkim.c 2008-01-12 14:32:15.000000000 +0200
@@ -4080,16 +4080,43 @@
sig = dkim->dkim_siglist[c];
if ((sig->sig_flags & DKIM_SIGFLAG_PASSED) != 0 &&
- sig->sig_bh == DKIM_SIGBH_MATCH &&
- strcasecmp(dkim->dkim_domain, sig->sig_domain) == 0)
+ sig->sig_bh == DKIM_SIGBH_MATCH)
{
- dkim->dkim_presult = DKIM_PRESULT_VALIDOSIG;
- *susp = FALSE;
- if (pcode != NULL)
- *pcode = policy;
- if (hcode != NULL)
- *hcode = handling;
- return DKIM_STAT_OK;
+ bool validOSig = false;
+ if (dkim->dkim_subdomain)
+ {
+ if ((sig->sig_flags & DKIM_SIGFLAG_NOSUBDOMAIN) == 0)
+ {
+ /* key policy can be used to sign subdomain messages */
+ u_char *p = dkim_param_get(sig->sig_taglist, "i");
+ if (p != NULL)
+ {
+ /* signature has an "i" tag */
+ char signer[MAXADDRESS + 1];
+ char *at;
+
+ memset(signer, '\0', sizeof signer);
+ dkim_qp_decode(p, signer, sizeof signer);
+ at = strchr(signer, '@');
+
+ /* identity's domain must match the sender domain */
+ validOSig = (at != NULL && strcasecmp(dkim->dkim_domain, at + 1) == 0);
+ }
+ }
+ }
+ else
+ validOSig = (strcasecmp(dkim->dkim_domain, sig->sig_domain) == 0);
+
+ if (validOSig)
+ {
+ dkim->dkim_presult = DKIM_PRESULT_VALIDOSIG;
+ *susp = FALSE;
+ if (pcode != NULL)
+ *pcode = policy;
+ if (hcode != NULL)
+ *hcode = handling;
+ return DKIM_STAT_OK;
+ }
}
}
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________ dkim-milter-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
