diff --git a/indimail-mta-x/doc/ChangeLog b/indimail-mta-x/doc/ChangeLog index 31396838d..731bd68a1 100644 --- a/indimail-mta-x/doc/ChangeLog +++ b/indimail-mta-x/doc/ChangeLog @@ -171,7 +171,9 @@ Release 3.0.6-1.1 Start 25/10/2023 End 01/01/2024 93. qmail-spamfilter.c: bypass antispam filter when RELAYCLIENT and RELAYCLIENT_NOSPAMFILTER is set 94. svctool: updated bogofilter.cf header_format, log_update_format +- 09/01/2024 95. spawn-filter.c: display filter used for mail rejected message +96. qmail-dkim.c: added DKIM_BAD_IDENTITY with letter Y * Tue Oct 17 2023 18:34:04 +0000 Manvendra Bhangui 3.0.5-1.1%{?dist} Release 3.0.5-1.1 Start 11/09/2023 End 17/10/2023 diff --git a/indimail-mta-x/qmail-dkim.9 b/indimail-mta-x/qmail-dkim.9 index f7412cf16..8f8e03d30 100644 --- a/indimail-mta-x/qmail-dkim.9 +++ b/indimail-mta-x/qmail-dkim.9 
@@ -188,29 +188,31 @@ V - DKIM_SELECTOR_ALGORITHM_MISMATCH - signature error: selector W - DKIM_STAT_INCOMPAT - signature error: incompatible v= X - DKIM_UNSIGNED_FROM - signature error: not found message From headers in signature +Y - DKIM_BAD_IDENTITY - signature error: invalid identity + in signature .fi For example, if you want to permanently reject messages that have a signature that is expired, include the letter 'K' in the \fBDKIMVERIFY\fR environment variable. A conservative set of letters is -\fBFGHIKLMNOQRTUVWjp\fR. Reject permanently 3PS, FAILURE, SYNTAX, +\fBFGHIKLMNORTUVWjp\fR. Reject permanently 3PS, FAILURE, SYNTAX, SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH, SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, SELECTOR_PUBLIC_KEY_INVALID, -NO_VALID_SIGNATURES and BODY_HASH_MISMATCH errors, and temporarily -SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE. Add in \fBS\fR if you want -to reject messages that do not have a DKIM signature. You can use the -control files \fBsignaturedomains\fR and \fBnosignaturedomains\fR (See -Below) to further fine tune the action to be taken when a mail arrives with -no DKIM signature. Note that \fBqmail-dkim\fR always inserts the -\fBDKIM-Status\fR header, so that messages can be rejected later at -delivery time, or in the mail reader. In that case you may set -\fBDKIMVERIFY\fR to an empty string or "p" to issue temporary error for -temporary DNS resolution failure. If you want to check all message's -From header in signature set the \fBUNSIGNED_FROM\fR environment variable -to an empty string. If you want to check messages without signed subject -header, set \fBUNSIGNED_SUBJECT\fR environment variable. If you want to -honor body lengh tag (l=), set \fBHONOR_BODYLENGTHTAG\fR environment -variable. +NO_VALID_SIGNATURES, BODY_HASH_MISMATCH, SELECTOR_ALGORITHM_MISMATCH, +TAT_INCOMPAT errors, and temporarily SIGNATURE_BAD_BUT_TESTING and +DNS_TEMP_FAILURE. 
Add in \fBS\fR if you want to reject messages that do not +have a DKIM signature. You can use the control files \fBsignaturedomains\fR +and \fBnosignaturedomains\fR (See Below) to further fine tune the action to +be taken when a mail arrives with no DKIM signature. Note that +\fBqmail-dkim\fR always inserts the \fBDKIM-Status\fR header, so that +messages can be rejected later at delivery time, or in the mail reader. In +that case you may set \fBDKIMVERIFY\fR to an empty string or "p" to issue +temporary error for temporary DNS resolution failure. If you want to check +all message's From header in signature set the \fBUNSIGNED_FROM\fR +environment variable to an empty string. If you want to check messages +without signed subject header, set \fBUNSIGNED_SUBJECT\fR environment +variable. If you want to honor body lengh tag (l=), set +\fBHONOR_BODYLENGTHTAG\fR environment variable. qmail-dkim supports signing practice which can be additonall checked when a signature verifcation fails - @@ -348,7 +350,6 @@ envelopes(5), qmail-header(5), dknewkey(8), dkim(8), -dk-filter(8), qmail-inject(8), qmail-qmqpc(8), qmail-queue(8), diff --git a/indimail-mta-x/qmail-dkim.c b/indimail-mta-x/qmail-dkim.c index f21ad9951..51bd17dc5 100644 --- a/indimail-mta-x/qmail-dkim.c +++ b/indimail-mta-x/qmail-dkim.c @@ -1,5 +1,5 @@ /* - * $Id: qmail-dkim.c,v 1.78 2024-01-06 21:33:37+05:30 Cprogrammer Exp mbhangui $ + * $Id: qmail-dkim.c,v 1.79 2024-01-09 19:18:44+05:30 Cprogrammer Exp mbhangui $ */ #include "hasdkim.h" #ifdef HASDKIM 
@@ -631,31 +631,35 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
 dkimStatus = "good ";
 code = "X.7.0";
 break;
- case DKIM_FINISHED_BODY: /*- 1 process result: no more message body is needed */
+ case DKIM_FINISHED_BODY: /*- 1 */ /* B */
 dkimStatus = "process result: no more message body is needed";
 code = "X.7.0";
 break;
- case DKIM_PARTIAL_SUCCESS: /*- 2 verify result: at least one but not all signatures verified */
+ case DKIM_PARTIAL_SUCCESS: /*- 2 */ /*- C */
 dkimStatus = "verify result: at least none but not all signatures verified";
 code = "X.7.0";
 break;
- case DKIM_NEUTRAL: /*- 3 verify result: no signatures verified but message is not suspicious */
+ case DKIM_NEUTRAL: /*- 3 */ /*- D */
 dkimStatus = "verify result: no signatures verified but message is not suspicious";
 code = "X.7.0";
 break;
- case DKIM_SUCCESS_BUT_EXTRA:/*- 4 signature result: signature verified but it did not include all of the body */
+ case DKIM_SUCCESS_BUT_EXTRA:/*- 4 */ /*- E */
 dkimStatus = "signature result: signature verified but it did not include all of the body";
 code = "X.7.0";
 break;
- case DKIM_FAIL: /*- -1 */ /*- F */
+ case DKIM_3PS_SIGNATURE: /*- 5 */ /*- F */
+ dkimStatus = "signature result: 3rd party signature";
+ code = "X.7.0";
+ break;
+ case DKIM_FAIL: /*- -1 */ /*- G */
 dkimStatus = "DKIM Signature verification failed";
 code = "X.7.0";
 break;
- case DKIM_BAD_SYNTAX: /*- -2 */ /*- G */
+ case DKIM_BAD_SYNTAX: /*- -2 */ /*- H */
 dkimStatus = "signature error: DKIM-Signature could not parse or has bad tags/values";
 code = "X.7.5";
 break;
- case DKIM_SIGNATURE_BAD: /*- -3 */
+ case DKIM_SIGNATURE_BAD: /*- -3 */ /*- I */
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
 dkimStatus = "signature error: RSA/ED25519 verify failed";
 #else
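Review bot: The status text under `DKIM_PARTIAL_SUCCESS` reads "at least none but not all signatures verified", which contradicts the comment this hunk deletes ("at least one but not all") and is now the only description left at that case; it should be `dkimStatus = "verify result: at least one but not all signatures verified";`. The `@@ -671` hunk has the same kind of slip under `DKIM_BAD_IDENTITY`, "invalid identify in signature", where the man page in this commit says "invalid identity". If these strings are what ends up in the DKIM-Status header (the function name suggests so, but the write is outside the hunk), check that no downstream filter matches on the old wording before correcting them. The switch starts and ends outside this hunk.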
@@ -663,7 +667,7 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
 #endif
 code = "X.7.5";
 break;
- case DKIM_SIGNATURE_BAD_BUT_TESTING:
+ case DKIM_SIGNATURE_BAD_BUT_TESTING: /* -4 */ /*- J */
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
 dkimStatus = "signature error: RSA/ED25519 verify failed but testing";
 #else
@@ -671,63 +675,63 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
 #endif
 code = "X.7.5";
 break;
- case DKIM_SIGNATURE_EXPIRED:
+ case DKIM_SIGNATURE_EXPIRED: /*- -5 */ /*- K */
 dkimStatus = "signature error: x= is old";
 code = "X.7.5";
 break;
- case DKIM_SELECTOR_INVALID:
+ case DKIM_SELECTOR_INVALID: /*- -6 */ /*- L */
 dkimStatus = "signature error: selector doesn't parse or contains invalid values";
 code = "X.7.5";
 break;
- case DKIM_SELECTOR_GRANULARITY_MISMATCH:
+ case DKIM_SELECTOR_GRANULARITY_MISMATCH: /*- -7 */ /*- M */
 dkimStatus = "signature error: selector g= doesn't match i=";
 code = "X.7.5";
 break;
- case DKIM_SELECTOR_KEY_REVOKED:
+ case DKIM_SELECTOR_KEY_REVOKED: /*- -8 */ /*- N */
 dkimStatus = "signature error: selector p= empty";
 code = "X.7.5";
 break;
- case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG:
+ case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG: /*- -9 */ /*- O */
 dkimStatus = "signature error: selector domain name too long to request";
 code = "X.7.0";
 break;
- case DKIM_SELECTOR_DNS_TEMP_FAILURE:
+ case DKIM_SELECTOR_DNS_TEMP_FAILURE: /*- -10 */ /*- P */
 dkimStatus = "signature error: temporary dns failure requesting selector";
 code = "X.7.0";
 break;
- case DKIM_SELECTOR_DNS_PERM_FAILURE:
+ case DKIM_SELECTOR_DNS_PERM_FAILURE: /*- -11 */ /*- Q */
 dkimStatus = "signature error: permanent dns failure requesting selector";
 code = "X.7.0";
 break;
- case DKIM_SELECTOR_PUBLIC_KEY_INVALID:
+ case DKIM_SELECTOR_PUBLIC_KEY_INVALID: /*- -12 */ /* R */
 dkimStatus = "signature error: selector p= value invalid or wrong format";
 code = "X.7.5";
 break;
- case DKIM_NO_SIGNATURES:
+ case DKIM_NO_SIGNATURES: /*- -13 */ /*- S */
 dkimStatus = "no signatures";
 code = "X.7.5";
 break;
- case DKIM_NO_VALID_SIGNATURES:
+ case DKIM_NO_VALID_SIGNATURES: /*- -14 */ /*- T */
 dkimStatus = "no valid signatures";
 code = "X.7.5";
 break;
- case DKIM_BODY_HASH_MISMATCH:
+ case DKIM_BODY_HASH_MISMATCH: /*- -15 */ /*- U */
 dkimStatus = "signature verify error: message body does not hash to bh value";
 code = "X.7.7";
 break;
- case DKIM_SELECTOR_ALGORITHM_MISMATCH:
+ case DKIM_SELECTOR_ALGORITHM_MISMATCH: /*- -16 */ /*- V */
 dkimStatus = "signature error: selector h= doesn't match signature a=";
 code = "X.7.7";
 break;
- case DKIM_STAT_INCOMPAT:
+ case DKIM_STAT_INCOMPAT: /*- -17 */ /*- W */
 dkimStatus = "signature error: incompatible v=";
 code = "X.7.6";
 break;
- case DKIM_UNSIGNED_FROM:
+ case DKIM_UNSIGNED_FROM: /*- -18 */ /*- X */
 dkimStatus = "signature error: not all message's From headers in signature";
 code = "X.7.7";
 break;
- case DKIM_BAD_IDENTITY:
+ case DKIM_BAD_IDENTITY: /*- -19 */ /*- Y */
 dkimStatus = "signature error: invalid identify in signature";
 code = "X.7.7";
 break;
@@ -789,72 +793,78 @@ writeHeaderNexit(int ret, int origRet, int resDKIMSSP, int resDKIMADSP, int useS
 case DKIM_SUCCESS: /*- 0 */ /*- A */
 orig = "SUCCESS";
 break;
- case DKIM_FINISHED_BODY: /*- 1 process result: no more message body is needed */
+ case DKIM_FINISHED_BODY: /*- 1 */ /*- B */
 orig = "FINISHED BODY";
 break;
- case DKIM_PARTIAL_SUCCESS: /*- 2 verify result: at least one but not all signatures verified */
+ case DKIM_PARTIAL_SUCCESS: /*- 2 */ /* C */
 orig = "PARTIAL SUCCESS";
 break;
- case DKIM_NEUTRAL: /*- 3 verify result: no signatures verified but message is not suspicious */
+ case DKIM_NEUTRAL: /*- 3 */ /* D */
 orig = "NEUTRAL";
 break;
- case DKIM_SUCCESS_BUT_EXTRA:/*- 4 signature result: signature verified but it did not include all of the body */
+ case DKIM_SUCCESS_BUT_EXTRA:/*- 4 */ /* E */
 orig = "SUCCESS(BUT EXTRA)";
 break;
- case DKIM_FAIL: /*- -1 */ /*- F */
+ case DKIM_3PS_SIGNATURE: /*- 5 */ /*- F */
+ orig = "3rd PARTY SIGNATURE";
+ break;
+ case DKIM_FAIL: /*- -1 */ /*- G */
 orig = "FAIL";
 break;
- case DKIM_BAD_SYNTAX: /*- -2 */ /*- G */
+ case DKIM_BAD_SYNTAX: /*- -2 */ /*- H */
 orig = "BAD SYNTAX";
 break;
- case DKIM_SIGNATURE_BAD: /*- -3 */
+ case DKIM_SIGNATURE_BAD: /*- -3 */ /*- I */
 orig = "SIGNATURE BAD";
 break;
- case DKIM_SIGNATURE_BAD_BUT_TESTING:
+ case DKIM_SIGNATURE_BAD_BUT_TESTING: /*- -4 */ /*- J */
 orig = "SIGNATURE BAD (TESTING)";
 break;
- case DKIM_SIGNATURE_EXPIRED:
+ case DKIM_SIGNATURE_EXPIRED: /*- -5 */ /*- K */
 orig = "SIGNATURE EXPIRED";
 break;
- case DKIM_SELECTOR_INVALID:
+ case DKIM_SELECTOR_INVALID: /*- -6 */ /*- L */
 orig = "SELECTOR INVALID";
 break;
- case DKIM_SELECTOR_GRANULARITY_MISMATCH:
+ case DKIM_SELECTOR_GRANULARITY_MISMATCH: /* -7 */ /*- M */
 orig = "SELECTOR GRANULARITY MISMATCH";
 break;
- case DKIM_SELECTOR_KEY_REVOKED:
+ case DKIM_SELECTOR_KEY_REVOKED: /* -8 */ /*- N */
 orig = "SELECTOR KEY REVOKED";
 break;
- case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG:
+ case DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG: /*- 9 */ /*- O */
 orig = "DOMAIN NAME TOO LONG";
 break;
- case DKIM_SELECTOR_DNS_TEMP_FAILURE:
+ case DKIM_SELECTOR_DNS_TEMP_FAILURE: /*- -10 */ /*- P */
 orig = "DNS TEMP FAILURE";
 break;
- case DKIM_SELECTOR_DNS_PERM_FAILURE:
+ case DKIM_SELECTOR_DNS_PERM_FAILURE: /*- -11 */ /*- Q */
 orig = "DNS PERM FAILURE";
 break;
- case DKIM_SELECTOR_PUBLIC_KEY_INVALID:
+ case DKIM_SELECTOR_PUBLIC_KEY_INVALID: /* -12 */ /*- R */
 orig = "PUBLIC KEY INVALID";
 break;
- case DKIM_NO_SIGNATURES:
+ case DKIM_NO_SIGNATURES: /* -13 */ /*- S */
 orig = "NO SIGNATURES";
 break;
- case DKIM_NO_VALID_SIGNATURES:
+ case DKIM_NO_VALID_SIGNATURES: /*- -14 */ /*- T */
 orig = "NO VALID SIGNATURES";
 break;
- case DKIM_BODY_HASH_MISMATCH:
+ case DKIM_BODY_HASH_MISMATCH: /*- -15 *//*- U */
 orig = "BODY HASH MISMATCH";
 break;
- case DKIM_SELECTOR_ALGORITHM_MISMATCH:
+ case DKIM_SELECTOR_ALGORITHM_MISMATCH: /*- -16 */ /*- V */
 orig = "ALGORITHM MISMATCH";
 break;
- case DKIM_STAT_INCOMPAT:
+ case DKIM_STAT_INCOMPAT: /*- -17 */ /*- W */
 orig = "STAT INCOMPAT";
 break;
- case DKIM_UNSIGNED_FROM:
+ case DKIM_UNSIGNED_FROM: /*- -18 */ /*- X */
 orig = "UNSIGNED FROM";
 break;
+ case DKIM_BAD_IDENTITY: /*- -19 */ /*- Y */
+ orig = "BAD IDENTITY";
+ break;
 default:
 orig = "Unkown error";
 break;
@@ -1273,7 +1283,7 @@ main(int argc, char **argv) void getversion_qmail_dkim_c() { - static char *x = "$Id: qmail-dkim.c,v 1.78 2024-01-06 21:33:37+05:30 Cprogrammer Exp mbhangui $"; + static char *x = "$Id: qmail-dkim.c,v 1.79 2024-01-09 19:18:44+05:30 Cprogrammer Exp mbhangui $"; #ifdef HASDKIM x = sccsidmakeargsh;
@@ -1287,6 +1297,9 @@ getversion_qmail_dkim_c() /* * $Log: qmail-dkim.c,v $ + * Revision 1.79 2024-01-09 19:18:44+05:30 Cprogrammer + * added DKIM_BAD_IDENTITY with letter Y + * * Revision 1.78 2024-01-06 21:33:37+05:30 Cprogrammer * use new error code DKIM_BAD_IDENTITY for invalid identity domain (i= tag) *
diff --git a/libdkim2-x/dkim.h b/libdkim2-x/dkim.h
index 3aef52a83..ee36e45c1 100644
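Review bot: The numeric annotation added on `DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG` in the `@@ -789` hunk is `/*- 9 */`, but the first switch annotates the same case as -9; it should read `/*- -9 */ /*- O */`. These hand-written number and letter comments are now the only in-file record of which `DKIMVERIFY` letter selects which result, so a wrong sign can lead an operator to the wrong rejection letter. The hunk also shows how the two parallel switches drift: `DKIM_3PS_SIGNATURE` and `DKIM_BAD_IDENTITY` had no case here until this commit and would have fallen through to `default`. A comment above the switch such as `/*- keep in step with the dkimStatus switch above and the letter table in qmail-dkim.9 */` would help, and a single static table read by both places would remove the duplication. The switch begins outside the hunk.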
--- a/libdkim2-x/dkim.h
+++ b/libdkim2-x/dkim.h
@@ -81,14 +81,14 @@ extern "C" {
 #define DKIM_SELECTOR_ALGORITHM_MISMATCH -16 /* signature error: selector h= doesn't match signature a= */
 #define DKIM_STAT_INCOMPAT -17 /* signature error: incompatible v= */
 #define DKIM_UNSIGNED_FROM -18 /* signature error: not all message's From headers in signature */
-#define DKIM_OUT_OF_MEMORY -19 /* memory allocation failed */
-#define DKIM_INVALID_CONTEXT -20 /* DKIMContext structure invalid for this operation */
-#define DKIM_NO_SENDER -21 /* signing error: Could not find From: or Sender: header in message */
-#define DKIM_BAD_PRIVATE_KEY -22 /* signing error: Could not parse private key */
-#define DKIM_BUFFER_TOO_SMALL -23 /* signing error: Buffer passed in is not large enough */
-#define DKIM_EVP_SIGN_FAILURE -24 /* signing error: evp signing failure */
-#define DKIM_EVP_DIGEST_FAILURE -25 /* signing error: evp digest failure */
-#define DKIM_BAD_IDENTITY -26 /*- bad/invalid i= tag */
+#define DKIM_BAD_IDENTITY -19 /*- bad/invalid i= tag */
+#define DKIM_OUT_OF_MEMORY -20 /* memory allocation failed */
+#define DKIM_INVALID_CONTEXT -21 /* DKIMContext structure invalid for this operation */
+#define DKIM_NO_SENDER -22 /* signing error: Could not find From: or Sender: header in message */
+#define DKIM_BAD_PRIVATE_KEY -23 /* signing error: Could not parse private key */
+#define DKIM_BUFFER_TOO_SMALL -24 /* signing error: Buffer passed in is not large enough */
+#define DKIM_EVP_SIGN_FAILURE -25 /* signing error: evp signing failure */
+#define DKIM_EVP_DIGEST_FAILURE -26 /* signing error: evp digest failure */
 #define DKIM_MAX_ERROR -27 /* set this to 1 greater than the highest error code (but negative) */
 
 #define DKIM_SSP_UNKNOWN 1 /*- some messages may be signed */
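Review bot: Renumbering these public codes changes what callers see at run time: -19 used to mean `DKIM_OUT_OF_MEMORY` and now means `DKIM_BAD_IDENTITY`, and every other code from -20 to -26 changes meaning as well. A program built against the previous dkim.h and run with the new library, or the reverse, will report the wrong condition, for example reading an invalid `i=` identity as an allocation failure, which a mail filter may well handle as a temporary error rather than a rejection. Nothing in the header marks the values as fixed, so add a comment above the block such as `/* -1..-19 are verification results selected by DKIMVERIFY letters G..Y; values are part of the ABI, do not renumber */`. If libdkim2 ships as a shared library, its version or soname and the packages that link it should change together with this header; that is not visible in this diff.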
@@ -179,6 +179,9 @@ int DKIM_CALL DKIMSignReplaceHash(DKIMContext *pSignContext, DKIMSignOptions * /* * $Log: dkim.h,v $ + * Revision 1.15 2024-01-09 19:14:43+05:30 Cprogrammer + * re-arranged DKIM error codes + * * Revision 1.14 2024-01-06 21:26:47+05:30 Cprogrammer * added new error code DKIM_BAD_IDENTITY for invalid identity domain (i= tag) * diff --git a/libdkim2-x/doc/ChangeLog b/libdkim2-x/doc/ChangeLog index eafba49ed..1dd318963 100644 --- a/libdkim2-x/doc/ChangeLog +++ b/libdkim2-x/doc/ChangeLog @@ -9,7 +9,7 @@ Implementations as permitted, you agree to the terms and conditions of the Yahoo! DomainKeys Patent License Agreement or other agreement contained herein. * Sun Apr 23 2023 17:02:10 +0000 Manvendra Bhangui 1.7-1.1%{?dist} -Release 1.7-1.1 Start 01/02/2023 End 14/11/2023 +Release 1.7-1.1 Start 01/02/2023 End 09/01/2024 ======= Release Highlights ================================================ - ability to alter Hash Method after DKIMSignInit - ability to add headers for exclusion from DKIM signing @@ -56,6 +56,8 @@ Release 1.7-1.1 Start 01/02/2023 End 14/11/2023 19. dkimverify.cpp, dkim.cpp: use new error code DKIM_BAD_IDENTITY for invalid identity domain (i= tag) 20. dkimsign.cpp: Use strrchr instead of strchr for extracting domain +- 09/01/2024 +21. dkim.h: re-arranged DKIM error codes. * Mon Jan 30 2023 13:14:56 +0000 Manvendra Bhangui 1.6-1.1%{?dist} Release 1.6 Start 27/11/2022 End 30/11/2023