From ae63862ba6f6ee0c17ec865cc6cf0eebb3ca2389 Mon Sep 17 00:00:00 2001 From: Mad Alex Date: Wed, 30 Jan 2019 13:57:36 +0000 Subject: Fix dkim_verify_signers option. Bug 2366 Testsuite coverage by jgh. Broken-by: d342446f29 --- doc/doc-txt/ChangeLog | 3 + src/src/smtp_in.c | 1 - test/confs/4508 | 33 ++++++++++ test/confs/4520 | 2 +- test/log/4508 | 25 ++++++++ test/scripts/4500-DKIM/4508 | 149 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 test/confs/4508 create mode 100644 test/log/4508 create mode 100644 test/scripts/4500-DKIM/4508 diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e2dd71b2b..7da07ad46 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -191,6 +191,9 @@ JH/41 Fix the loop reading a message header line to check for integer overflow, and more-often against header_maxsize. Previously a crafted message could induce a crash of the recive process; now the message is cleanly rejected. +JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had + been totally disabled for all of 4.91. Discovery and fix by "Mad Alex". + Exim version 4.91 ----------------- diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index af2cdb285..86f87eae1 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2084,7 +2084,6 @@ f.dkim_disable_verify = FALSE; dkim_collect_input = 0; dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL; dkim_key_length = 0; -dkim_verify_signers = US"$dkim_signers"; #endif #ifdef EXPERIMENTAL_DMARC f.dmarc_has_been_checked = f.dmarc_disable_verify = f.dmarc_enable_forensic = FALSE; diff --git a/test/confs/4508 b/test/confs/4508 new file mode 100644 index 000000000..dae4a8aba --- /dev/null +++ b/test/confs/4508 
@@ -0,0 +1,33 @@ +# Exim test configuration 4508 + +SERVER= + +.include DIR/aux-var/std_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +acl_smtp_rcpt = accept +acl_smtp_dkim = check_dkim +acl_smtp_data = check_data + +log_selector = +dkim_verbose +dkim_verify_signers = DYNAMIC_OPTION + +queue_only +queue_run_in_order + +# ----- ACL --------- + +begin acl + +check_dkim: + accept + logwrite = DKIM: acl called - signer: $dkim_cur_signer bits: $dkim_key_length + +check_data: + accept logwrite = overall \$dkim_verify_status: $dkim_verify_status + logwrite = ${authresults {$primary_hostname}} + +# End diff --git a/test/confs/4520 b/test/confs/4520 index 89769230f..1a8e34f9e 100644 --- a/test/confs/4520 +++ b/test/confs/4520 @@ -14,7 +14,7 @@ acl_smtp_rcpt = accept logwrite = rcpt acl: macro: _DKIM_SIGN_HEADERS acl_smtp_dkim = accept logwrite = dkim_acl: signer: $dkim_cur_signer bits: $dkim_key_length h=$dkim_headernames acl_smtp_data = accept logwrite = data acl: dkim status $dkim_verify_status -dkim_verify_signers = $dkim_signers : FAKE +dkim_verify_signers = $dkim_signers DDIR=DIR/aux-fixed/dkim diff --git a/test/log/4508 b/test/log/4508 new file mode 100644 index 000000000..4a031f285 --- /dev/null +++ b/test/log/4508 
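Review bot: The `check_data` ACL in test/confs/4508 logs `${authresults {$primary_hostname}}`, and the expected log added by this commit records `dkim=pass header.d=test.ex` for every run. That includes the runs where `dkim_verify_signers` is empty or lists only `nothere.example.com`, where `$dkim_verify_status` is empty or `none`. If the intended contract is that the option only selects which signers reach `acl_smtp_dkim`, a comment above `check_data` would stop the divergence being read as a regression, for example `# authresults reports every verified signature, independent of dkim_verify_signers`. If it is not intended, this test currently pins the unwanted result.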
@@ -0,0 +1,25 @@ + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: acl called - signer: test.ex bits: 1024 +1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded] +1999-03-02 09:44:33 10HmaX-0005vi-00 overall $dkim_verify_status: pass +1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256 +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded] +1999-03-02 09:44:33 10HmaY-0005vi-00 overall $dkim_verify_status: +1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256 +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: acl called - signer: nothere.example.com bits: 0 +1999-03-02 09:44:33 10HmaZ-0005vi-00 overall $dkim_verify_status: none +1999-03-02 09:44:33 10HmaZ-0005vi-00 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256 +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: acl called - signer: test.ex bits: 1024 
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded] +1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: acl called - signer: different.example.com bits: 1024 +1999-03-02 09:44:33 10HmbA-0005vi-00 overall $dkim_verify_status: pass:none +1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256 +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net diff --git a/test/scripts/4500-DKIM/4508 b/test/scripts/4500-DKIM/4508 new file mode 100644 index 000000000..b9eaabe05 --- /dev/null +++ b/test/scripts/4500-DKIM/4508 
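Review bot: The fourth run's expected line `DKIM: acl called - signer: different.example.com bits: 1024` reports a key length for a signer that has no signature in the message, whereas the third run logs `bits: 0` for `nothere.example.com` in the same situation. It looks as though `$dkim_key_length` still holds the value from the preceding `test.ex` signature when the ACL runs for the next list entry. That is inferred from the log alone, since the code that sets the variable is outside this patch. An ACL that enforces a minimum key size would then be evaluating a stale value, so it is worth confirming the behaviour is intended before the log fixes it as expected output.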
@@ -0,0 +1,149 @@ +# DKIM verify, dkim_verify_signers option +# +exim -DSERVER=server -DDYNAMIC_OPTION='$dkim_signers' -bd -oX PORT_D +**** +# +# Same as default. This should pass. +# - sha256, 1024b +# Mail original in aux-fixed/4500.msg1.txt +# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \ +# --method=simple/simple < aux-fixed/4500.msg1.txt +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + +This is a simple test. +. +??? 250 +QUIT +??? 221 +**** +killdaemon +# +exim -DSERVER=server -DDYNAMIC_OPTION='' -bd -oX PORT_D +**** +# Empty. Should avoid calling dkim ACL. +# - sha256, 1024b +# Mail original in aux-fixed/4500.msg1.txt +# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \ +# --method=simple/simple < aux-fixed/4500.msg1.txt +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + +This is a simple test. +. +??? 250 +QUIT +??? 
221 +**** +killdaemon +# +exim -DSERVER=server -DDYNAMIC_OPTION='nothere.example.com' -bd -oX PORT_D +**** +# Different domain. Should fail DKIM verify. +# - sha256, 1024b +# Mail original in aux-fixed/4500.msg1.txt +# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \ +# --method=simple/simple < aux-fixed/4500.msg1.txt +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + +This is a simple test. +. +??? 250 +QUIT +??? 221 +**** +killdaemon +# +exim -DSERVER=server -DDYNAMIC_OPTION='test.ex : different.example.com' -bd -oX PORT_D +**** +# Mixed set. Should get one DKIM verify pass. +# - sha256, 1024b +# Mail original in aux-fixed/4500.msg1.txt +# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \ +# --method=simple/simple < aux-fixed/4500.msg1.txt +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + +This is a simple test. +. +??? 250 +QUIT +??? 
221 +**** +killdaemon +# +no_stdout_check +no_msglog_check -- cgit v1.2.3
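Review bot: The comment on the third case, `# Different domain. Should fail DKIM verify.`, does not match the expected log, which records `$dkim_verify_status: none` rather than a failure. A comment such as `# Listed signer has no signature in the message. ACL runs once, status none.` would describe what the test asserts. All four cases also submit the same valid signature, so the script does not cover a listed signer whose signature fails verification. A further case with a modified message body under `-DDYNAMIC_OPTION='test.ex'` would close that gap.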