DKIM: disallow default acceptance of sha1 for verify

5 files changed, 19 insertions, 9 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index bb19e3915..c8b999c9f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15113,15 +15113,20 @@ to handle IPv6 literal addresses.
 
 
 .new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
 .cindex DKIM "selecting signature algorithms"
 This option gives a list of hash types which are acceptable in signatures,
 and an order of processing.
 Signatures with algorithms not in the list will be ignored.
 
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
 
 .option dkim_verify_keytypes main "string list" "ed25519 : rsa"
 This option gives a list of key types which are acceptable in signatures,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 079b5a1ee..45d126ccd 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -14,6 +14,10 @@ JH/01 Avoid costly startup code when not strictly needed.  This reduces time
 
 JH/02 Early-pipelining support code is now included unless disabled in Makefile.
 
+JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
+      RFC 8301.  They can still be enabled, using the dkim_verify_hashes main
+      option.
+
 
 Exim version 4.93
 -----------------
diff --git a/src/src/globals.c b/src/src/globals.c
index 87ff2e65f..b874c4669 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -831,7 +831,7 @@ void   *dkim_signatures		 = NULL;
 uschar *dkim_signers             = NULL;
 uschar *dkim_signing_domain      = NULL;
 uschar *dkim_signing_selector    = NULL;
-uschar *dkim_verify_hashes       = US"sha256:sha512:sha1";
+uschar *dkim_verify_hashes       = US"sha256:sha512";
 uschar *dkim_verify_keytypes     = US"ed25519:rsa";
 BOOL	dkim_verify_minimal      = FALSE;
 uschar *dkim_verify_overall      = NULL;
diff --git a/test/confs/4500 b/test/confs/4500
index 502de4a19..c7335327e 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -13,6 +13,7 @@ acl_smtp_dkim = check_dkim
 acl_smtp_data = check_data
 
 log_selector = +dkim_verbose
+dkim_verify_hashes = sha256 : sha512 : sha1
 
 queue_only
 queue_run_in_order
diff --git a/test/stderr/4507 b/test/stderr/4507
index 48d4d9fa9..1c45d0955 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -9,22 +9,22 @@
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 43)
+>>> processing "accept" (TESTSUITE/test-config 44)
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 >>> host in ignore_fromline_hosts? no (option unset)
 >>> using ACL "check_dkim"
->>> processing "warn" (TESTSUITE/test-config 34)
+>>> processing "warn" (TESTSUITE/test-config 35)
 >>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
 >>>                = signer: test.ex bits: 1024
 LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
 >>> warn: condition test succeeded in ACL "check_dkim"
->>> processing "accept" (TESTSUITE/test-config 37)
+>>> processing "accept" (TESTSUITE/test-config 38)
 >>> accept: condition test succeeded in ACL "check_dkim"
 >>> end of ACL "check_dkim": ACCEPT
 LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 >>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 41)
+>>> processing "accept" (TESTSUITE/test-config 42)
 >>> check logwrite = ${authresults {$primary_hostname}}
 >>>                = Authentication-Results: myhost.test.ex;
 >>> 	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1