From fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 5 Feb 2019 23:19:00 +0000 Subject: [PATCH] DKIM: ensure that dkim_domain elements are lowercased before use. Bug 2371 (cherry picked from commit f3c73adaa541ae54092467a29668ac32894ef1dc) --- doc/doc-docbook/spec.xfpt | 16 ++++++++++++++-- doc/doc-txt/ChangeLog | 2 ++ src/src/dkim.c | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 08a0a974a..415c72712 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -39534,7 +39534,7 @@ senders). .cindex "DKIM" "signing" For signing to be usable you must have published a DKIM record in DNS. -Note that RFC 8301 says: +Note that RFC 8301 (which does not cover EC keys) says: .code rsa-sha1 MUST NOT be used for signing or verifying. @@ -39554,7 +39554,11 @@ These options take (expandable) strings as arguments. .option dkim_domain smtp string list&!! unset The domain(s) you want to sign with. After expansion, this can be a list. -Each element in turn is put into the &%$dkim_domain%& expansion variable +Each element in turn, +.new +lowercased, +.wen +is put into the &%$dkim_domain%& expansion variable while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. @@ -39755,6 +39759,14 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers If a domain or identity is listed several times in the (expanded) value of &%dkim_verify_signers%&, the ACL is only called once for that domain or identity. +.new +Note that if the option is set using untrustworthy data +(such as the From: header) +care should be taken to force lowercase for domains +and for the domain part if identities. +The default setting can be regarded as trustworthy in this respect. +.wen + If multiple signatures match a domain (or identity), the ACL is called once for each matching signature. diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index bc739ae2c..9313c7b28 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -20,6 +20,8 @@ JH/03 Debug output for ACL now gives the config file name and line number for JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. +JH/05 DKIM: ensure that dkim_domain elements are lowercased before use. + Exim version 4.92 ----------------- diff --git a/src/src/dkim.c b/src/src/dkim.c index a0becd45b..96d7eba81 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -620,6 +620,7 @@ if (dkim_domain) /* Only sign once for each domain, no matter how often it appears in the expanded list. */ + dkim_signing_domain = string_copylc(dkim_signing_domain); if (match_isinlist(dkim_signing_domain, CUSS &seen_doms, 0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK) continue; -- 2.25.1