From dd33c4e6ffe39f57f9f6e19fd3284823e44dfe82 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Sun, 3 Dec 2017 18:17:43 +0100 Subject: [PATCH] DKIM: Ignore non-DKIM TXT records in DNS response. Bug 2207 --- src/src/dkim.c | 7 ++++-- test/confs/4504 | 1 + test/dnszones-src/db.test.ex | 2 ++ test/log/4504 | 6 +++++ test/scripts/4500-DKIM/4504 | 45 ++++++++++++++++++++++++++++++++++++ 5 files changed, 59 insertions(+), 2 deletions(-) create mode 120000 test/confs/4504 create mode 100644 test/log/4504 create mode 100644 test/scripts/4500-DKIM/4504 diff --git a/src/src/dkim.c b/src/src/dkim.c index 5e97c1b79..9731a63d9 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -73,6 +73,9 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) return PDKIM_FAIL; /*XXX better error detail? logging? */ } + + /* check if this looks like a DKIM record */ + if (strncasecmp(answer, "v=dkim", 6) != 0) continue; return PDKIM_OK; } @@ -148,7 +151,7 @@ if (!(s = sig->domain)) s = US""; logmsg = string_append(logmsg, 2, "d=", s); if (!(s = sig->selector)) s = US""; logmsg = string_append(logmsg, 2, " s=", s); -logmsg = string_append(logmsg, 7, +logmsg = string_append(logmsg, 7, " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", "/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", " a=", dkim_sig_to_a_tag(sig), @@ -371,7 +374,7 @@ for (sig = dkim_signatures; sig; sig = sig->next) dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS); dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON); - + if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK) return rc; } diff --git a/test/confs/4504 b/test/confs/4504 new file mode 120000 index 000000000..da89833c9 --- /dev/null +++ b/test/confs/4504 @@ -0,0 +1 @@ +4503 \ No newline at end of file diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 73db57f9c..18a2fe00a 100644 
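Review bot: The new `strncasecmp(answer, "v=dkim", 6)` prefix test rejects key records that RFC 6376 §3.6.1 permits: the v= tag is only RECOMMENDED (default DKIM1), and the tag-list grammar allows folding whitespace before the tag name and around `=`, so a record published as `k=rsa; p=...` or `v = DKIM1; ...` now yields no key where it was accepted before. Only a record whose first tag is `v=` with a value other than DKIM1 must be discarded, so the filter should parse the leading tag instead of comparing six fixed bytes, e.g. the helper below called as `if (!dkim_txt_is_key_record(answer)) continue;`. Note also that the length check just above still returns PDKIM_FAIL for an over-long non-DKIM TXT record at the same name before the new filter can skip it, so an unrelated oversize record can still abort the whole key lookup. Types follow the file's `uschar`/`US` conventions as far as the hunk shows; the loop and the function this hunk sits in begin and end outside it.
```c
/* True if a TXT record may be a DKIM key record (RFC 6376 3.6.1): the
   "v=" tag is optional and defaults to DKIM1, but when present it must be
   the first tag and must be DKIM1.  FWS is permitted around the tag name
   and the '='.  Records with no leading v= tag are left to the key parser. */
static BOOL
dkim_txt_is_key_record(const uschar * s)
{
while (isspace(*s)) s++;
if (*s != 'v') return TRUE;		/* no leading v= tag: assume DKIM1 */
s++;
while (isspace(*s)) s++;
if (*s != '=') return TRUE;		/* first tag is not "v"; let the parser decide */
s++;
while (isspace(*s)) s++;
return strncasecmp(CS s, "dkim1", 5) == 0;
}

/* … unchanged: TXT rdata copy loop … */
    if (!dkim_txt_is_key_record(answer)) continue;
```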
--- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -505,5 +505,7 @@ ses._domainkey TXT "v=DKIM1; n=halfkilo; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eA ses_sha1._domainkey TXT "v=DKIM1; h=sha1; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ==" ses_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ==" +sel2._domainkey TXT "v=spf1 mx a include:spf.nl2go.com -all" +sel2._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB" ; End diff --git a/test/log/4504 b/test/log/4504 new file mode 100644 index 000000000..a4dee26bc --- /dev/null +++ b/test/log/4504 @@ -0,0 +1,6 @@ + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024 +1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel2 c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)] +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net diff --git a/test/scripts/4500-DKIM/4504 b/test/scripts/4500-DKIM/4504 new file mode 100644 index 000000000..5de9e7948 --- /dev/null +++ b/test/scripts/4500-DKIM/4504 
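Review bot: The fixture relies on the `v=spf1` record being returned ahead of the `v=DKIM1` record at `sel2._domainkey`, but TXT RRset order is not guaranteed by DNS in general, so whether this case exercises the skip depends on the test suite's DNS stub preserving zone-file order — presumably it does, but nothing here says so. A comment on the record would make the intent survive a reorder, e.g. `; Bug 2207: a non-DKIM TXT record is published first at the selector name; the verifier must skip it and use the DKIM1 record below`. The `include:spf.nl2go.com` reference is a real third-party name; a test-local name would avoid any impression that the suite depends on it.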
@@ -0,0 +1,45 @@ +# DKIM verify, sha512 +# +exim -DSERVER=server -bd -oX PORT_D +**** +# +# This should pass, only Mail::DKIM::Signer does not handle rsa-sha512. +# - sha512, 1024b +# Mail original in aux-fixed/4500.msg1.txt +# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha512 \ +# --method=simple/simple < aux-fixed/4500.msg1.txt +# +# TODO - until we have that we can only test internal consistency, +# signing vs. verification. +# +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha512; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel2; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + +This is a simple test. +. +??? 250 +QUIT +??? 221 +**** +# +killdaemon +no_stdout_check +no_msglog_check -- 2.25.1
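Review bot: The header comment `# DKIM verify, sha512` and `This should pass` describes test 4503 (whose config this test symlinks to) rather than what 4504 is for: the expected log in test/log/4504 ends in `verification failed - signature did not verify`, and per the subject the new case is Bug 2207, a `v=spf1` TXT record sharing the `sel2._domainkey` name with the key. Replace the first two comment lines with something like `# DKIM verify: non-DKIM TXT record (v=spf1) precedes the key at sel2._domainkey (Bug 2207)` and state that the assertion is the logged failure reason — a key was located and the signature checked — not a pass, so a reader does not mistake the log for a broken test. The remaining commentary about Mail::DKIM::Signer and rsa-sha512 explains why the signature cannot currently verify and is worth keeping.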