updated DKIM error codes
mbhangui committed Jan 9, 2024
1 parent e65138d commit 717795f
Showing 5 changed files with 94 additions and 73 deletions.
2 changes: 2 additions & 0 deletions indimail-mta-x/doc/ChangeLog
Expand Up @@ -171,7 +171,9 @@ Release 3.0.6-1.1 Start 25/10/2023 End 01/01/2024
93. qmail-spamfilter.c: bypass antispam filter when RELAYCLIENT and
RELAYCLIENT_NOSPAMFILTER is set
94. svctool: updated bogofilter.cf header_format, log_update_format
- 09/01/2024
95. spawn-filter.c: display filter used for mail rejected message
96. qmail-dkim.c: added DKIM_BAD_IDENTITY with letter Y

* Tue Oct 17 2023 18:34:04 +0000 Manvendra Bhangui <indimail-mta@indimail.org> 3.0.5-1.1%{?dist}
Release 3.0.5-1.1 Start 11/09/2023 End 17/10/2023
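Review bot: Entry 96 under-describes what ships with it: besides DKIM_BAD_IDENTITY and the letter Y, the same commit adds DKIM_3PS_SIGNATURE cases to both switch blocks shown in qmail-dkim.c and changes the recommended DKIMVERIFY set in qmail-dkim.9 from FGHIKLMNOQRTUVWjp to FGHIKLMNORTUVWjp. Operators who copied the old set into their configuration need to see the dropped Q here, so add a ChangeLog entry for the man page change and mention the 3rd party signature case.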
35 changes: 18 additions & 17 deletions indimail-mta-x/qmail-dkim.9
Expand Up @@ -188,29 +188,31 @@ V - DKIM_SELECTOR_ALGORITHM_MISMATCH - signature error: selector
W - DKIM_STAT_INCOMPAT - signature error: incompatible v=
X - DKIM_UNSIGNED_FROM - signature error: not found
message From headers in signature
Y - DKIM_BAD_IDENTITY - signature error: invalid identity
in signature
.fi
For example, if you want to permanently reject messages that have a
signature that is expired, include the letter 'K' in the \fBDKIMVERIFY\fR
environment variable. A conservative set of letters is
\fBFGHIKLMNOQRTUVWjp\fR. Reject permanently 3PS, FAILURE, SYNTAX,
\fBFGHIKLMNORTUVWjp\fR. Reject permanently 3PS, FAILURE, SYNTAX,
SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH,
SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, SELECTOR_PUBLIC_KEY_INVALID,
NO_VALID_SIGNATURES and BODY_HASH_MISMATCH errors, and temporarily
SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE. Add in \fBS\fR if you want
to reject messages that do not have a DKIM signature. You can use the
control files \fBsignaturedomains\fR and \fBnosignaturedomains\fR (See
Below) to further fine tune the action to be taken when a mail arrives with
no DKIM signature. Note that \fBqmail-dkim\fR always inserts the
\fBDKIM-Status\fR header, so that messages can be rejected later at
delivery time, or in the mail reader. In that case you may set
\fBDKIMVERIFY\fR to an empty string or "p" to issue temporary error for
temporary DNS resolution failure. If you want to check all message's
From header in signature set the \fBUNSIGNED_FROM\fR environment variable
to an empty string. If you want to check messages without signed subject
header, set \fBUNSIGNED_SUBJECT\fR environment variable. If you want to
honor body lengh tag (l=), set \fBHONOR_BODYLENGTHTAG\fR environment
variable.
NO_VALID_SIGNATURES, BODY_HASH_MISMATCH, SELECTOR_ALGORITHM_MISMATCH,
TAT_INCOMPAT errors, and temporarily SIGNATURE_BAD_BUT_TESTING and
DNS_TEMP_FAILURE. Add in \fBS\fR if you want to reject messages that do not
have a DKIM signature. You can use the control files \fBsignaturedomains\fR
and \fBnosignaturedomains\fR (See Below) to further fine tune the action to
be taken when a mail arrives with no DKIM signature. Note that
\fBqmail-dkim\fR always inserts the \fBDKIM-Status\fR header, so that
messages can be rejected later at delivery time, or in the mail reader. In
that case you may set \fBDKIMVERIFY\fR to an empty string or "p" to issue
temporary error for temporary DNS resolution failure. If you want to check
all message's From header in signature set the \fBUNSIGNED_FROM\fR
environment variable to an empty string. If you want to check messages
without signed subject header, set \fBUNSIGNED_SUBJECT\fR environment
variable. If you want to honor body lengh tag (l=), set
\fBHONOR_BODYLENGTHTAG\fR environment variable.
qmail-dkim supports signing practice which can be additonall checked when a
signature verifcation fails -
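Review bot: The rewritten paragraph has a typo in the list of rejected errors: "TAT_INCOMPAT errors" should read "STAT_INCOMPAT errors", matching the W entry in the table above it. The re-wrapped text also carries "body lengh tag" forward; correct it to "length" while these lines are being touched. Two policy points deserve a sentence in the page: the conservative set loses Q (the prose list never named DNS_PERM_FAILURE, so say this is a correction), and the newly documented Y (DKIM_BAD_IDENTITY) is not part of the set, so state whether a signature with an invalid identity is meant to pass by default.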
Expand Down Expand Up @@ -348,7 +350,6 @@ envelopes(5),
qmail-header(5),
dknewkey(8),
dkim(8),
dk-filter(8),
qmail-inject(8),
qmail-qmqpc(8),
qmail-queue(8),
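Review bot: The SEE ALSO list loses one entry here (7 lines to 6, dk-filter(8) going by the surrounding context), which is unrelated to the error-code update and is not mentioned in the commit message or in either ChangeLog. Say why the reference goes away, or move the removal to its own commit.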
107 changes: 60 additions & 47 deletions indimail-mta-x/qmail-dkim.c
@@ -1,5 +1,5 @@
/*
* $Id: qmail-dkim.c,v 1.78 2024-01-06 21:33:37+05:30 Cprogrammer Exp mbhangui $
* $Id: qmail-dkim.c,v 1.79 2024-01-09 19:18:44+05:30 Cprogrammer Exp mbhangui $
*/
#include "hasdkim.h"
#ifdef HASDKIM
Expand Down Expand Up @@ -631,103 +631,107 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
dkimStatus = "good ";
code = "X.7.0";
break;
case DKIM_FINISHED_BODY: /*- 1 process result: no more message body is needed */
case DKIM_FINISHED_BODY: /*- 1 */ /* B */
dkimStatus = "process result: no more message body is needed";
code = "X.7.0";
break;
case DKIM_PARTIAL_SUCCESS: /*- 2 verify result: at least one but not all signatures verified */
case DKIM_PARTIAL_SUCCESS: /*- 2 */ /*- C */
dkimStatus = "verify result: at least none but not all signatures verified";
code = "X.7.0";
break;
case DKIM_NEUTRAL: /*- 3 verify result: no signatures verified but message is not suspicious */
case DKIM_NEUTRAL: /*- 3 */ /*- D */
dkimStatus = "verify result: no signatures verified but message is not suspicious";
code = "X.7.0";
break;
case DKIM_SUCCESS_BUT_EXTRA:/*- 4 signature result: signature verified but it did not include all of the body */
case DKIM_SUCCESS_BUT_EXTRA:/*- 4 */ /*- E */
dkimStatus = "signature result: signature verified but it did not include all of the body";
code = "X.7.0";
break;
case DKIM_FAIL: /*- -1 */ /*- F */
case DKIM_3PS_SIGNATURE: /*- 5 */ /*- F */
dkimStatus = "signature result: 3rd party signature";
code = "X.7.0";
break;
case DKIM_FAIL: /*- -1 */ /*- G */
dkimStatus = "DKIM Signature verification failed";
code = "X.7.0";
break;
case DKIM_BAD_SYNTAX: /*- -2 */ /*- G */
case DKIM_BAD_SYNTAX: /*- -2 */ /*- H */
dkimStatus = "signature error: DKIM-Signature could not parse or has bad tags/values";
code = "X.7.5";
break;
case DKIM_SIGNATURE_BAD: /*- -3 */
case DKIM_SIGNATURE_BAD: /*- -3 */ /*- I */
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
dkimStatus = "signature error: RSA/ED25519 verify failed";
#else
dkimStatus = "signature error: RSA verify failed";
#endif
code = "X.7.5";
break;
case DKIM_SIGNATURE_BAD_BUT_TESTING:
case DKIM_SIGNATURE_BAD_BUT_TESTING: /* -4 */ /*- J */
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
dkimStatus = "signature error: RSA/ED25519 verify failed but testing";
#else
dkimStatus = "signature error: RSA verify failed but testing";
#endif
code = "X.7.5";
break;
case DKIM_SIGNATURE_EXPIRED:
case DKIM_SIGNATURE_EXPIRED: /*- -5 */ /*- K */
dkimStatus = "signature error: x= is old";
code = "X.7.5";
break;
case DKIM_SELECTOR_INVALID:
case DKIM_SELECTOR_INVALID: /*- -6 */ /*- L */
dkimStatus = "signature error: selector doesn't parse or contains invalid values";
code = "X.7.5";
break;
case DKIM_SELECTOR_GRANULARITY_MISMATCH:
case DKIM_SELECTOR_GRANULARITY_MISMATCH: /*- -7 */ /*- M */
dkimStatus = "signature error: selector g= doesn't match i=";
code = "X.7.5";
break;
case DKIM_SELECTOR_KEY_REVOKED:
case DKIM_SELECTOR_KEY_REVOKED: /*- -8 */ /*- N */
dkimStatus = "signature error: selector p= empty";
code = "X.7.5";
break;
case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG:
case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG: /*- -9 */ /*- O */
dkimStatus = "signature error: selector domain name too long to request";
code = "X.7.0";
break;
case DKIM_SELECTOR_DNS_TEMP_FAILURE:
case DKIM_SELECTOR_DNS_TEMP_FAILURE: /*- -10 */ /*- P */
dkimStatus = "signature error: temporary dns failure requesting selector";
code = "X.7.0";
break;
case DKIM_SELECTOR_DNS_PERM_FAILURE:
case DKIM_SELECTOR_DNS_PERM_FAILURE: /*- -11 */ /*- Q */
dkimStatus = "signature error: permanent dns failure requesting selector";
code = "X.7.0";
break;
case DKIM_SELECTOR_PUBLIC_KEY_INVALID:
case DKIM_SELECTOR_PUBLIC_KEY_INVALID: /*- -12 */ /* R */
dkimStatus = "signature error: selector p= value invalid or wrong format";
code = "X.7.5";
break;
case DKIM_NO_SIGNATURES:
case DKIM_NO_SIGNATURES: /*- -13 */ /*- S */
dkimStatus = "no signatures";
code = "X.7.5";
break;
case DKIM_NO_VALID_SIGNATURES:
case DKIM_NO_VALID_SIGNATURES: /*- -14 */ /*- T */
dkimStatus = "no valid signatures";
code = "X.7.5";
break;
case DKIM_BODY_HASH_MISMATCH:
case DKIM_BODY_HASH_MISMATCH: /*- -15 */ /*- U */
dkimStatus = "signature verify error: message body does not hash to bh value";
code = "X.7.7";
break;
case DKIM_SELECTOR_ALGORITHM_MISMATCH:
case DKIM_SELECTOR_ALGORITHM_MISMATCH: /*- -16 */ /*- V */
dkimStatus = "signature error: selector h= doesn't match signature a=";
code = "X.7.7";
break;
case DKIM_STAT_INCOMPAT:
case DKIM_STAT_INCOMPAT: /*- -17 */ /*- W */
dkimStatus = "signature error: incompatible v=";
code = "X.7.6";
break;
case DKIM_UNSIGNED_FROM:
case DKIM_UNSIGNED_FROM: /*- -18 */ /*- X */
dkimStatus = "signature error: not all message's From headers in signature";
code = "X.7.7";
break;
case DKIM_BAD_IDENTITY:
case DKIM_BAD_IDENTITY: /*- -19 */ /*- Y */
dkimStatus = "signature error: invalid identify in signature";
code = "X.7.7";
break;
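Review bot: The dkimStatus string kept for DKIM_PARTIAL_SUCCESS reads "at least none but not all signatures verified", while the comment deleted on that case had the correct wording, "at least one but not all signatures verified"; fix the string, because after this change it is the only description of that result left in the source. The same applies to DKIM_BAD_IDENTITY at the end of the hunk, where "invalid identify in signature" should be "invalid identity in signature". The value and letter comments are also written three different ways (/*- 1 */ /* B */ on DKIM_FINISHED_BODY, /* -4 */ /*- J */ on DKIM_SIGNATURE_BAD_BUT_TESTING, /* R */ on DKIM_SELECTOR_PUBLIC_KEY_INVALID); pick one form so the letters can be grepped reliably against the man page table.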
Expand Down Expand Up @@ -789,72 +793,78 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
case DKIM_SUCCESS: /*- 0 */ /*- A */
orig = "SUCCESS";
break;
case DKIM_FINISHED_BODY: /*- 1 process result: no more message body is needed */
case DKIM_FINISHED_BODY: /*- 1 */ /*- B */
orig = "FINISHED BODY";
break;
case DKIM_PARTIAL_SUCCESS: /*- 2 verify result: at least one but not all signatures verified */
case DKIM_PARTIAL_SUCCESS: /*- 2 */ /* C */
orig = "PARTIAL SUCCESS";
break;
case DKIM_NEUTRAL: /*- 3 verify result: no signatures verified but message is not suspicious */
case DKIM_NEUTRAL: /*- 3 */ /* D */
orig = "NEUTRAL";
break;
case DKIM_SUCCESS_BUT_EXTRA:/*- 4 signature result: signature verified but it did not include all of the body */
case DKIM_SUCCESS_BUT_EXTRA:/*- 4 */ /* E */
orig = "SUCCESS(BUT EXTRA)";
break;
case DKIM_FAIL: /*- -1 */ /*- F */
case DKIM_3PS_SIGNATURE: /*- 5 */ /*- F */
orig = "3rd PARTY SIGNATURE";
break;
case DKIM_FAIL: /*- -1 */ /*- G */
orig = "FAIL";
break;
case DKIM_BAD_SYNTAX: /*- -2 */ /*- G */
case DKIM_BAD_SYNTAX: /*- -2 */ /*- H */
orig = "BAD SYNTAX";
break;
case DKIM_SIGNATURE_BAD: /*- -3 */
case DKIM_SIGNATURE_BAD: /*- -3 */ /*- I */
orig = "SIGNATURE BAD";
break;
case DKIM_SIGNATURE_BAD_BUT_TESTING:
case DKIM_SIGNATURE_BAD_BUT_TESTING: /*- -4 */ /*- J */
orig = "SIGNATURE BAD (TESTING)";
break;
case DKIM_SIGNATURE_EXPIRED:
case DKIM_SIGNATURE_EXPIRED: /*- -5 */ /*- K */
orig = "SIGNATURE EXPIRED";
break;
case DKIM_SELECTOR_INVALID:
case DKIM_SELECTOR_INVALID: /*- -6 */ /*- L */
orig = "SELECTOR INVALID";
break;
case DKIM_SELECTOR_GRANULARITY_MISMATCH:
case DKIM_SELECTOR_GRANULARITY_MISMATCH: /* -7 */ /*- M */
orig = "SELECTOR GRANULARITY MISMATCH";
break;
case DKIM_SELECTOR_KEY_REVOKED:
case DKIM_SELECTOR_KEY_REVOKED: /* -8 */ /*- N */
orig = "SELECTOR KEY REVOKED";
break;
case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG:
case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG: /*- 9 */ /*- O */
orig = "DOMAIN NAME TOO LONG";
break;
case DKIM_SELECTOR_DNS_TEMP_FAILURE:
case DKIM_SELECTOR_DNS_TEMP_FAILURE: /*- -10 */ /*- P */
orig = "DNS TEMP FAILURE";
break;
case DKIM_SELECTOR_DNS_PERM_FAILURE:
case DKIM_SELECTOR_DNS_PERM_FAILURE: /*- -11 */ /*- Q */
orig = "DNS PERM FAILURE";
break;
case DKIM_SELECTOR_PUBLIC_KEY_INVALID:
case DKIM_SELECTOR_PUBLIC_KEY_INVALID: /* -12 */ /*- R */
orig = "PUBLIC KEY INVALID";
break;
case DKIM_NO_SIGNATURES:
case DKIM_NO_SIGNATURES: /* -13 */ /*- S */
orig = "NO SIGNATURES";
break;
case DKIM_NO_VALID_SIGNATURES:
case DKIM_NO_VALID_SIGNATURES: /*- -14 */ /*- T */
orig = "NO VALID SIGNATURES";
break;
case DKIM_BODY_HASH_MISMATCH:
case DKIM_BODY_HASH_MISMATCH: /*- -15 *//*- U */
orig = "BODY HASH MISMATCH";
break;
case DKIM_SELECTOR_ALGORITHM_MISMATCH:
case DKIM_SELECTOR_ALGORITHM_MISMATCH: /*- -16 */ /*- V */
orig = "ALGORITHM MISMATCH";
break;
case DKIM_STAT_INCOMPAT:
case DKIM_STAT_INCOMPAT: /*- -17 */ /*- W */
orig = "STAT INCOMPAT";
break;
case DKIM_UNSIGNED_FROM:
case DKIM_UNSIGNED_FROM: /*- -18 */ /*- X */
orig = "UNSIGNED FROM";
break;
case DKIM_BAD_IDENTITY: /*- -19 */ /*- Y */
orig = "BAD IDENTITY";
break;
default:
orig = "Unkown error";
break;
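Review bot: The value comment on DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG says /*- 9 */, but the neighbouring cases (-8, -10) and the first switch give -9 for this code. Since these comments are now the only place the number-to-letter mapping is written down in this function, a wrong sign is worth fixing before merge. The comment markers are mixed here as well (/* -7 */, /* C */, and a missing space in /*- -15 *//*- U */), and the default branch still spells "Unkown error". Keeping the number, letter and text for each code in two hand-maintained switches invites this kind of drift; a single lookup table used by both would remove it.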
Expand Down Expand Up @@ -1273,7 +1283,7 @@ main(int argc, char **argv)
void
getversion_qmail_dkim_c()
{
static char *x = "$Id: qmail-dkim.c,v 1.78 2024-01-06 21:33:37+05:30 Cprogrammer Exp mbhangui $";
static char *x = "$Id: qmail-dkim.c,v 1.79 2024-01-09 19:18:44+05:30 Cprogrammer Exp mbhangui $";

#ifdef HASDKIM
x = sccsidmakeargsh;
Expand All @@ -1287,6 +1297,9 @@ getversion_qmail_dkim_c()

/*
* $Log: qmail-dkim.c,v $
* Revision 1.79 2024-01-09 19:18:44+05:30 Cprogrammer
* added DKIM_BAD_IDENTITY with letter Y
*
* Revision 1.78 2024-01-06 21:33:37+05:30 Cprogrammer
* use new error code DKIM_BAD_IDENTITY for invalid identity domain (i= tag)
*
19 changes: 11 additions & 8 deletions libdkim2-x/dkim.h
Expand Up @@ -81,14 +81,14 @@ extern "C" {
#define DKIM_SELECTOR_ALGORITHM_MISMATCH -16 /* signature error: selector h= doesn't match signature a= */
#define DKIM_STAT_INCOMPAT -17 /* signature error: incompatible v= */
#define DKIM_UNSIGNED_FROM -18 /* signature error: not all message's From headers in signature */
#define DKIM_OUT_OF_MEMORY -19 /* memory allocation failed */
#define DKIM_INVALID_CONTEXT -20 /* DKIMContext structure invalid for this operation */
#define DKIM_NO_SENDER -21 /* signing error: Could not find From: or Sender: header in message */
#define DKIM_BAD_PRIVATE_KEY -22 /* signing error: Could not parse private key */
#define DKIM_BUFFER_TOO_SMALL -23 /* signing error: Buffer passed in is not large enough */
#define DKIM_EVP_SIGN_FAILURE -24 /* signing error: evp signing failure */
#define DKIM_EVP_DIGEST_FAILURE -25 /* signing error: evp digest failure */
#define DKIM_BAD_IDENTITY -26 /*- bad/invalid i= tag */
#define DKIM_BAD_IDENTITY -19 /*- bad/invalid i= tag */
#define DKIM_OUT_OF_MEMORY -20 /* memory allocation failed */
#define DKIM_INVALID_CONTEXT -21 /* DKIMContext structure invalid for this operation */
#define DKIM_NO_SENDER -22 /* signing error: Could not find From: or Sender: header in message */
#define DKIM_BAD_PRIVATE_KEY -23 /* signing error: Could not parse private key */
#define DKIM_BUFFER_TOO_SMALL -24 /* signing error: Buffer passed in is not large enough */
#define DKIM_EVP_SIGN_FAILURE -25 /* signing error: evp signing failure */
#define DKIM_EVP_DIGEST_FAILURE -26 /* signing error: evp digest failure */
#define DKIM_MAX_ERROR -27 /* set this to 1 greater than the highest error code (but negative) */

#define DKIM_SSP_UNKNOWN 1 /*- some messages may be signed */
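Review bot: Renumbering constants that already exist in a public header changes what already-built callers see: DKIM_OUT_OF_MEMORY through DKIM_EVP_DIGEST_FAILURE each move by one, and -19 now means DKIM_BAD_IDENTITY where it used to mean DKIM_OUT_OF_MEMORY. A program compiled against the previous dkim.h and run with the new library would report an invalid i= tag as a memory allocation failure, and a verifier that branches on these values could take the wrong accept or reject path. If the verification codes must stay contiguous from -1 to -19, say so in a comment beside the block, and bump the library version so dependents are rebuilt together; the libdkim2-x ChangeLog in this commit still shows release 1.7-1.1. Minor: DKIM_BAD_IDENTITY uses the /*- comment opener while the lines around it use /*.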
Expand Down Expand Up @@ -179,6 +179,9 @@ int DKIM_CALL DKIMSignReplaceHash(DKIMContext *pSignContext, DKIMSignOptions *

/*
* $Log: dkim.h,v $
* Revision 1.15 2024-01-09 19:14:43+05:30 Cprogrammer
* re-arranged DKIM error codes
*
* Revision 1.14 2024-01-06 21:26:47+05:30 Cprogrammer
* added new error code DKIM_BAD_IDENTITY for invalid identity domain (i= tag)
*
4 changes: 3 additions & 1 deletion libdkim2-x/doc/ChangeLog
Expand Up @@ -9,7 +9,7 @@ Implementations as permitted, you agree to the terms and conditions of the
Yahoo! DomainKeys Patent License Agreement or other agreement contained herein.

* Sun Apr 23 2023 17:02:10 +0000 Manvendra Bhangui <libdkim@indimail.org> 1.7-1.1%{?dist}
Release 1.7-1.1 Start 01/02/2023 End 14/11/2023
Release 1.7-1.1 Start 01/02/2023 End 09/01/2024
======= Release Highlights ================================================
- ability to alter Hash Method after DKIMSignInit
- ability to add headers for exclusion from DKIM signing
Expand Down Expand Up @@ -56,6 +56,8 @@ Release 1.7-1.1 Start 01/02/2023 End 14/11/2023
19. dkimverify.cpp, dkim.cpp: use new error code DKIM_BAD_IDENTITY for
invalid identity domain (i= tag)
20. dkimsign.cpp: Use strrchr instead of strchr for extracting domain
- 09/01/2024
21. dkim.h: re-arranged DKIM error codes.

* Mon Jan 30 2023 13:14:56 +0000 Manvendra Bhangui <libdkim@indimail.org> 1.6-1.1%{?dist}
Release 1.6 Start 27/11/2022 End 30/11/2023
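Review bot: Entry 21, "re-arranged DKIM error codes", does not tell a packager that numeric values in the public header changed. Name the constants that moved (DKIM_BAD_IDENTITY from -26 to -19, DKIM_OUT_OF_MEMORY through DKIM_EVP_DIGEST_FAILURE shifted by one) so that anyone building against libdkim2 knows a rebuild is required.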