Skip to content

Commit

Permalink
added option to excluded headers from DKIM signing
Browse files Browse the repository at this point in the history
1. Added -X option to dkim.cpp to specify headers to be excluded from
   signing
2. Added env variable EXCLUDE_DKIMSIGN to specifiy headers to be
   excluded from signing
3. exclude Arc-Authentication-Results header from DKIM signing
  • Loading branch information
mbhangui committed Nov 20, 2023
1 parent 546adc5 commit 57470ae
Show file tree
Hide file tree
Showing 8 changed files with 120 additions and 47 deletions.
5 changes: 5 additions & 0 deletions indimail-mta-x/doc/ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,11 @@ Release 3.0.6-1.1 Start 25/10/2023 End XX/XX/XXXX
28. smtpd.c: fixed control filename for blackholedrcpt, blackholedrcptpatterns
29. qmail.c: fixed NULLQUEUE
30. tests/test-indimail-mta: added test for blackholedrcpt, blackholdsender
- 20/11/2023
31. qmail-dkim.c: Added env variable EXCLUDE_DKIMSIGN to exclude headers from
DKIM signing
32. qmail-dkim.c: Added Arc-Authentication-Results header to list of headers
excluded from DKIM signing

* Tue Oct 17 2023 18:34:04 +0000 Manvendra Bhangui <indimail-mta@indimail.org> 3.0.5-1.1%{?dist}
Release 3.0.5-1.1 Start 11/09/2023 End 17/10/2023
Expand Down
19 changes: 10 additions & 9 deletions indimail-mta-x/qmail-dkim.9
Original file line number Diff line number Diff line change
Expand Up @@ -296,17 +296,18 @@ to sign messages sent by that host. \fBDKIMVERIFY\fR should be set for all
other hosts.
If neither \fBDKIMSIGN\fR nor \fBDKIMVERIFY\fR are set, then \fBDKIMSIGN\fR
will be set to @controldir@/domainkeys/%/default. The % will be replaced by
the domain in the From: header. If such a file does not exist, then it will
be set to @controldir@/domainkeys/default. If such a private key exists, it
will be used to sign the domain. You can also set \fBDKIMKEY\fR to chose a
key different from @controldir@/domainkeys/%/default. \fBDKIMKEY\fR can
also have % character that will be replaced by the domain in the From:
header. If the private key does not exist, qmail-dkim will exit with return
code 35.
will be set to \fI@controldir@/domainkeys/%/default\fR. The % will be
replaced by the domain in the From: header. If such a file does not exist,
then it will be set to \fI@controldir@/domainkeys/default\fR. If such a
private key exists, it will be used to sign the domain. You can also set
\fBDKIMKEY\fR to chose a key different from
\fI@controldir@/domainkeys/%/default\fR. \fBDKIMKEY\fR can also have %
character that will be replaced by the domain in the From: header. If the
private key does not exist, qmail-dkim will exit with return code 35.
By default \fBqmail-dkim\fR will use all of the headers when signing a
message.
message. You an exclude headers from gettng signed by setting a colon
separated list of headers in \fBEXCLUDE_DKIMSIGN\fR environment variable.
.SH NOTES
If the environment variable \fBCONTROLDIR\fR is set, \fBqmail-dkim\fR uses
Expand Down
31 changes: 26 additions & 5 deletions indimail-mta-x/qmail-dkim.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* $Id: qmail-dkim.c,v 1.75 2023-02-17 11:49:48+05:30 Cprogrammer Exp mbhangui $
* $Id: qmail-dkim.c,v 1.76 2023-11-20 11:03:04+05:30 Cprogrammer Exp mbhangui $
*/
#include "hasdkim.h"
#ifdef HASDKIM
Expand Down Expand Up @@ -98,12 +98,29 @@ sigbug()
int DKIM_CALL
SignThisHeader(const char *szHeader)
{
char *excl = 0, *cptr, *ptr;
int i;

if ((!strncasecmp((char *) szHeader, "X-", 2) && strncasecmp((char *) szHeader, "X-Mailer:", 9))
|| strncasecmp((char *) szHeader, "Received:", 9) == 0
|| strncasecmp((char *) szHeader, "Authentication-Results:", 23) == 0
|| !strncasecmp((char *) szHeader, "Received:", 9)
|| !strncasecmp((char *) szHeader, "Authentication-Results:", 23)
|| !strncasecmp((char *) szHeader, "Arc-Authentication-Results:", 27)
|| !strncasecmp(szHeader, "DKIM-Signature:", 15)
|| !strncasecmp(szHeader, "DomainKey-Signature:", 20)
|| strncasecmp((char *) szHeader, "Return-Path:", 12) == 0)
|| !strncasecmp((char *) szHeader, "Return-Path:", 12))
return 0;
if (!(excl = env_get("EXCLUDE_DKIMSIGN")))
return 1;
for (i = 0, cptr = ptr = excl; *ptr; ptr++) {
if (*ptr == ':') {
if (strncasecmp((char *) szHeader, cptr, i) == 0)
return 0;
cptr = ptr + 1;
i = 0;
} else
i++;
}
if (strncasecmp((char *) szHeader, cptr, i) == 0)
return 0;
return 1;
}
Expand Down Expand Up @@ -1251,7 +1268,7 @@ main(int argc, char **argv)
void
getversion_qmail_dkim_c()
{
static char *x = "$Id: qmail-dkim.c,v 1.75 2023-02-17 11:49:48+05:30 Cprogrammer Exp mbhangui $";
static char *x = "$Id: qmail-dkim.c,v 1.76 2023-11-20 11:03:04+05:30 Cprogrammer Exp mbhangui $";

#ifdef HASDKIM
x = sccsidmakeargsh;
Expand All @@ -1265,6 +1282,10 @@ getversion_qmail_dkim_c()

/*
* $Log: qmail-dkim.c,v $
* Revision 1.76 2023-11-20 11:03:04+05:30 Cprogrammer
* Added env variable EXCLUDE_DKIMSIGN to exclude headers from DKIM signing
* exclude Arc-Authentication-Results header from DKIM signing
*
* Revision 1.75 2023-02-17 11:49:48+05:30 Cprogrammer
* added env variable NODKIMKEYS to disable reading of dkimkeys control file
* disable dkimkeys when doing DKIMSIGNEXTRA
Expand Down
56 changes: 28 additions & 28 deletions indimail-mta-x/qmail-smtpd.9
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,12 @@ exit. This option gets activated only when the first argument to
.SH DESCRIPTION
\fBqmail-smtpd\fR receives mail messages via the Simple Mail Transfer
Protocol (SMTP) and invokes the program defined by \fBQMAILQUEUE\fR
environment variables to deposit the message into the outgoing queue. If
environment variable to deposit the message into the outgoing queue. If
\fBQMAILQUEUE\fR isn't defined then @prefix@/sbin/qmail-queue is used as a
default.

\fBqmail-smtpd\fR uses @sysconfdir@ as its working directory which can be
changed by setting \fBSYSCONFDIR\fR environment variable.
\fBqmail-smtpd\fR uses \fI@sysconfdir@\fR as its working directory which
can be changed by setting \fBSYSCONFDIR\fR environment variable.

.B qmail-smtpd
must be supplied several environment variables;
Expand Down Expand Up @@ -1090,14 +1090,14 @@ DNS checks are prohibited for sender addresses (Mail from:) included here.
Addresses can be expressed individually and/or for a domain:

.EX
god@heaven.af.mil
@heaven.af.mil
god@heaven.af.mil
@heaven.af.mil
.EE

If the environment variable \fBNODNSCHECK\fR is set, \fBqmail-smtpd\fR will
ignore \fInodnscheck\fR and the DNS check will be disabled in general. A
line in \fInodnschecks\fR may be of the form \fB@\fIhost\fR, meaning every
address att \fIhost\fR.
ignore \fInodnscheck\fR and the DNS check will be disabled. A line in
\fInodnschecks\fR may be of the form \fB@\fIhost\fR, meaning every address
at \fIhost\fR.

.TP 5
\fIrcpthosts\fR
Expand All @@ -1112,8 +1112,8 @@ Exception: If the environment variable \fBRELAYCLIENT\fR is set,
\fIrcpthosts\fR may include wildcards:

.EX
heaven.af.mil
.heaven.af.mil
heaven.af.mil
.heaven.af.mil
.EE

Envelope recipient addresses without @ signs are
Expand All @@ -1139,8 +1139,8 @@ Addresses in
may be wildcarded:

.EX
192.168.0.1:
192.168.1.:
192.168.0.1:
192.168.1.:
EE
.TP 5
Expand All @@ -1154,8 +1154,8 @@ optional string should be null.
Addresses in \fIrelaydomains\fR may be wildcarded:
.EX
heaven.af.mil:
.heaven.af.mil:
heaven.af.mil:
.heaven.af.mil:
.EE
.TP 5
Expand All @@ -1170,8 +1170,8 @@ If \fIrelaymailfrom.cdb\fR is present, it will be searched first.
Examples:
.EX
joeblow@domain1.com
@domain2.com
joeblow@domain1.com
@domain2.com
.EE
.TP 5
Expand Down Expand Up @@ -1220,12 +1220,12 @@ A \fIrecipients\fR file is always constructed like 'domain:cdb',
'domain|pam', or simply 'cdb':
.EX
!nocheck.com
@mydomain.com:users/recipients.cdb
example.com|ldap_pam ldapserver host port DN passwd
*:control/fastforward.cdb
*|ldap_pam otherserver
!*
!nocheck.com
@mydomain.com:users/recipients.cdb
example.com|ldap_pam ldapserver host port DN passwd
*:control/fastforward.cdb
*|ldap_pam otherserver
!*
.EE
Legacy format:
Expand Down Expand Up @@ -1625,27 +1625,27 @@ greylisting the environment variable \fBGREYIP\fR is used. For the default
values (loopback address 127.0.0.1, port 19999 use,
.EX
GREYIP="127.0.0.1@1999"
GREYIP="127.0.0.1@1999"
.EE
Alternatively a different IP address and/or port can be specified as
in these examples,
.EX
GREYIP="192.168.1.50"
GREYIP="::1@1999"
GREYIP="192.168.1.33@1999"
GREYIP="192.168.1.50"
GREYIP="::1@1999"
GREYIP="192.168.1.33@1999"
.EE
Exception:
If the environment variable \fBRELAYCLIENT\fR is set (see details on this
above), greylisting does not occur.
above), greylisting does not occur.
Greylisting may be explicitly disabled by setting \fBGREYIP\fR to an empty
string,
.EX
GREYIP=""
GREYIP=""
.EE
Clearly \fBqmail-greyd\fR must be available to respond to greylisting
Expand Down
8 changes: 7 additions & 1 deletion libdkim2-x/dkim.9
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,13 @@ If set to - then it will not be included
Bypass DNS and use \fIselectorRecord\fR instead of fetching the record
using DNS.

.TP
-X \fIexclude_headers\fR
\fIexclude_headers\fR is a colon separated list of headers to be excluded
from DKIM signing. You can also set list of headers to be excluded by
setting \fBEXCLUDE_DKIMSIGN\fR environment variable. The -X option takes
precedence.

.TP
-V
Sets verbose output
Expand Down Expand Up @@ -205,7 +212,6 @@ rejected later at delivery time, or in the mail reader. In that case you
need not set \fBDKIMVERIFY\fR or set it as "p" as the maximum.

.SH "SEE ALSO"
dktest(8),
qmail-dk(8),
qmail-dkim(8),
dknewkey(8),
Expand Down
35 changes: 32 additions & 3 deletions libdkim2-x/dkim.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@
#define TMPDIR "/tmp"
#endif

static char *callbackdata;
static char *callbackdata, *excl;
const char *defaultkey = "private";
char *program;
typedef struct
Expand Down Expand Up @@ -85,6 +85,7 @@ usage()
fprintf(stderr, "y <selector> the selector tag DEFAULT=basename of privkeyfile\n");
fprintf(stderr, "s <privkeyfile> sign the message using the private key in privkeyfile\n");
fprintf(stderr, "T DNSText Use DNSText as domainkey text record instead of using DNS\n");
fprintf(stderr, "X excl Exclude header excl from signing\n");
fprintf(stderr, "V set verbose mode\n");
fprintf(stderr, "H this help\n");
exit(1);
Expand All @@ -93,13 +94,33 @@ usage()
int DKIM_CALL
SignThisHeader(const char *szHeader)
{
char *cptr, *ptr;
int i;

/*
* GHBH-Arc:Arc-Authentication-Results:ABCD-EFGH
*/
if ((!strncasecmp(szHeader, "X-", 2) && strncasecmp(szHeader, "X-Mailer:", 9))
|| !strncasecmp(szHeader, "Received:", 9)
|| !strncasecmp(szHeader, "Authentication-Results:", 23)
|| !strncasecmp(szHeader, "Arc-Authentication-Results:", 27)
|| !strncasecmp(szHeader, "DKIM-Signature:", 15)
|| !strncasecmp(szHeader, "DomainKey-Signature:", 20)
|| !strncasecmp(szHeader, "Return-Path:", 12))
return 0;
if (!excl)
return 1;
for (i = 0, cptr = ptr = excl; *ptr; ptr++) {
if (*ptr == ':') {
if (strncasecmp((char *) szHeader, cptr, i + 1) == 0)
return 0;
cptr = ptr + 1;
i = 0;
} else
i++;
}
if (strncasecmp((char *) szHeader, cptr, i) == 0)
return 0;
return 1;
}

Expand Down Expand Up @@ -534,8 +555,9 @@ main(int argc, char **argv)
sopts.nIncludeCopiedHeaders = 0;
strcpy(sopts.szRequiredHeaders, "NonExistent");
sopts.pfnHeaderCallback = SignThisHeader;
excl = getenv("EXCLUDE_DKIMSIGN");
while (1) {
if ((ch = getopt(argc, argv, "lqtfhHSvVp:b:c:d:i:s:x:y:z:T:")) == -1)
if ((ch = getopt(argc, argv, "lqtfhHSvVp:b:c:d:i:s:x:X:y:z:T:")) == -1)
break;
switch (ch)
{
Expand Down Expand Up @@ -710,6 +732,9 @@ main(int argc, char **argv)
case 'T':
callbackdata = optarg;
break;
case 'X':
excl = optarg;
break;
} /*- switch (ch) */
}
if (bSign) { /*- sign */
Expand Down Expand Up @@ -882,13 +907,17 @@ main(int argc, char **argv)
void
getversion_dkim_c()
{
static char *x = (char *) "$Id: dkim.cpp,v 1.34 2023-02-19 08:48:17+05:30 Cprogrammer Exp mbhangui $";
static char *x = (char *) "$Id: dkim.cpp,v 1.35 2023-11-20 10:07:40+05:30 Cprogrammer Exp mbhangui $";

x++;
}

/*
* $Log: dkim.cpp,v $
* Revision 1.35 2023-11-20 10:07:40+05:30 Cprogrammer
* Added -X option to have colon separated list of headers to be excluded from DKIM signing
* use EXCLUDE_DKIMSIGN to specify colon separated list of headers to be excluded from DKIM signing
*
* Revision 1.34 2023-02-19 08:48:17+05:30 Cprogrammer
* fixed usage strings
*
Expand Down
6 changes: 5 additions & 1 deletion libdkim2-x/dkimsign.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,7 @@ bool CDKIMSign::SignThisHeader(const string &sTag)

if (_strnicmp(sTag.c_str(), "X-", 2) == 0
|| _stricmp(sTag.c_str(), "Authentication-Results:") == 0
|| _stricmp(sTag.c_str(), "Arc-Authentication-Results:") == 0
|| _stricmp(sTag.c_str(), "DKIM-Signature:") == 0
|| _stricmp(sTag.c_str(), "Domainkey-Signature:") == 0
|| _stricmp(sTag.c_str(), "Received:") == 0
Expand Down Expand Up @@ -989,13 +990,16 @@ CDKIMSign::AssembleReturnedSig(char *szPrivKey)
void
getversion_dkimsign_cpp()
{
static char *x = (char *) "$Id: dkimsign.cpp,v 1.26 2023-04-06 21:41:30+05:30 Cprogrammer Exp mbhangui $";
static char *x = (char *) "$Id: dkimsign.cpp,v 1.27 2023-11-20 10:09:06+05:30 Cprogrammer Exp mbhangui $";

x++;
}

/*
* $Log: dkimsign.cpp,v $
* Revision 1.27 2023-11-20 10:09:06+05:30 Cprogrammer
* exclude Arc-Authentication-Results header from signing
*
* Revision 1.26 2023-04-06 21:41:30+05:30 Cprogrammer
* fixed compiler warning of use of uninitialized variable
*
Expand Down
7 changes: 7 additions & 0 deletions libdkim2-x/doc/ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,13 @@ o ability to alter Hash Method after DKIMSignInit
- 20/09/2023
14. use Replaces, Conflicts in spec,control
- 17/10/2023 - indimail-mta-3.0.5
- 14/11/2023
15. dkim.cpp: Added -X option to have colon seperated list of headers to be
excluded from DKIM signing.
16. dkim.cpp: Added env variable EXCLUDE_DKIMSIGN to exclude headers from
DKIM signing
17. dkim.cpp, dkimsigin.cpp: Exclude Arc-Authentication-Results from DKIM
signing

* Mon Jan 30 2023 13:14:56 +0000 Manvendra Bhangui <libdkim@indimail.org> 1.6-1.1%{?dist}
Release 1.6 Start 27/11/2022 End 30/11/2023
Expand Down

0 comments on commit 57470ae

Please sign in to comment.