From 2e88a9aad2d53dd3188d03575ca26a4345187585 Mon Sep 17 00:00:00 2001 From: Tom Kistner Date: Wed, 27 May 2009 17:26:54 +0000 Subject: [PATCH] Add some more glue code for the DKIM acl --- src/src/dkim.c | 25 ++++++++++++++++++++---- src/src/expand.c | 4 +++- src/src/globals.c | 10 ++++++++-- src/src/globals.h | 16 ++++++++++------ src/src/macros.h | 3 ++- src/src/pdkim/pdkim.c | 4 ++-- src/src/readconf.c | 5 ++++- src/src/receive.c | 44 ++++++++++++++++++++++++++++++++++++++++--- src/src/smtp_in.c | 3 ++- src/src/spool_in.c | 3 ++- 10 files changed, 95 insertions(+), 22 deletions(-) diff --git a/src/src/dkim.c b/src/src/dkim.c index 86ca50be8..765b70ede 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/dkim.c,v 1.1.2.12 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/dkim.c,v 1.1.2.13 2009/05/27 17:26:54 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -79,6 +79,9 @@ void dkim_exim_verify_feed(uschar *data, int len) { void dkim_exim_verify_finish(void) { + int dkim_signing_domains_size = 0; + int dkim_signing_domains_ptr = 0; + dkim_signing_domains = NULL; /* Delete eventual previous signature chain */ dkim_signatures = NULL; @@ -96,10 +99,11 @@ void dkim_exim_verify_finish(void) { /* Finish DKIM operation and fetch link to signatures chain */ if (pdkim_feed_finish(dkim_verify_ctx,&dkim_signatures) != PDKIM_OK) return; - /* Log a line for each signature */ + while (dkim_signatures != NULL) { int size = 0; int ptr = 0; + /* Log a line for each signature */ uschar *logmsg = string_append(NULL, &size, &ptr, 5, string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ", 
@@ -109,7 +113,6 @@ void dkim_exim_verify_finish(void) { (dkim_signatures->canon_body == PDKIM_CANON_SIMPLE)?"simple":"relaxed", (dkim_signatures->algo == PDKIM_ALGO_RSA_SHA256)?"rsa-sha256":"rsa-sha1" ), - ((dkim_signatures->identity != NULL)? string_sprintf("i=%s ", dkim_signatures->identity) : @@ -173,9 +176,23 @@ void dkim_exim_verify_finish(void) { logmsg[ptr] = '\0'; log_write(0, LOG_MAIN, (char *)logmsg); - /* Log next signature */ + /* Build a colon-separated list of signing domains in dkim_signing_domains */ + dkim_signing_domains = string_append(dkim_signing_domains, + &dkim_signing_domains_size, + &dkim_signing_domains_ptr, + 2, + dkim_signatures->domain, + ":") + ); + + /* Process next signature */ dkim_signatures = dkim_signatures->next; } + + /* Chop the last colon from the domain list */ + if ((dkim_signing_domains != NULL) && + (Ustrlen(dkim_signing_domains) > 0)) + dkim_signing_domains[strlen(dkim_signing_domains)-1] = '\0'; } diff --git a/src/src/expand.c b/src/src/expand.c index 3422f2e40..f94503c43 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/expand.c,v 1.97.2.1 2009/02/24 15:57:55 tom Exp $ */ +/* $Cambridge: exim/src/src/expand.c,v 1.97.2.2 2009/05/27 17:26:54 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -404,6 +404,7 @@ static var_entry var_table[] = { #ifndef DISABLE_DKIM { "dkim_domain", vtype_stringptr, &dkim_signing_domain }, { "dkim_selector", vtype_stringptr, &dkim_signing_selector }, + { "dkim_signing_domains",vtype_stringptr, &dkim_signing_domains }, #endif { "dnslist_domain", vtype_stringptr, &dnslist_domain }, { "dnslist_matched", vtype_stringptr, &dnslist_matched }, @@ -1544,6 +1545,7 @@ while (last > first) sprintf(CS var_buffer, "%d", inodes); } return var_buffer; + } } diff --git a/src/src/globals.c b/src/src/globals.c index e596afb2b..32990a65b 100644 --- a/src/src/globals.c +++ b/src/src/globals.c 
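Review bot: The domain list built by string_append is measured with `Ustrlen`/`strlen` before it is ever NUL-terminated; the log message in the same loop needs an explicit `logmsg[ptr] = '\0';` before use, which suggests string_append leaves its buffer unterminated, so the chop at the end of the -173 hunk reads past the appended bytes. `dkim_signing_domains_ptr` already tracks the length and every append ends in a colon, so terminating and trimming in one step avoids the read: `if (dkim_signing_domains_ptr > 0) dkim_signing_domains[dkim_signing_domains_ptr - 1] = '\0';`. The append call also appears to close one parenthesis too many (`":")` followed by `);` on the next added line), unless that is an artifact of how the patch was rendered. Mixing `strlen` on a `uschar *` with `Ustrlen` on the line above is inconsistent with the rest of the file.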
@@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/globals.c,v 1.81.2.4 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/globals.c,v 1.81.2.5 2009/05/27 17:26:54 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -182,6 +182,9 @@ uschar *acl_not_smtp_start = NULL; uschar *acl_smtp_auth = NULL; uschar *acl_smtp_connect = NULL; uschar *acl_smtp_data = NULL; +#ifndef DISABLE_DKIM +uschar *acl_smtp_dkim = NULL; +#endif uschar *acl_smtp_etrn = NULL; uschar *acl_smtp_expn = NULL; uschar *acl_smtp_helo = NULL; @@ -210,6 +213,7 @@ uschar *acl_wherenames[] = { US"RCPT", US"MAIL", US"PREDATA", US"MIME", + US"DKIM", US"DATA", US"non-SMTP", US"AUTH", @@ -229,6 +233,7 @@ uschar *acl_wherecodes[] = { US"550", /* RCPT */ US"550", /* MAIL */ US"550", /* PREDATA */ US"550", /* MIME */ + US"550", /* DKIM */ US"550", /* DATA */ US"0", /* not SMTP; not relevant */ US"503", /* AUTH */ @@ -527,9 +532,10 @@ BOOL disable_ipv6 = FALSE; BOOL disable_logging = FALSE; #ifndef DISABLE_DKIM +uschar *dkim_signing_domains = NULL; uschar *dkim_signing_domain = NULL; uschar *dkim_signing_selector = NULL; -uschar *dkim_verify_domains = US"@dkim_signed"; +uschar *dkim_verify_domains = US"$dkim_signing_domains"; BOOL dkim_collect_input = FALSE; BOOL dkim_disable_verify = FALSE; #endif diff --git a/src/src/globals.h b/src/src/globals.h index 4c1e0b66e..6e32e093e 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/globals.h,v 1.62.2.3 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/globals.h,v 1.62.2.4 2009/05/27 17:26:54 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
@@ -118,6 +118,9 @@ extern uschar *acl_not_smtp_start; /* ACL run at the beginning of a non-SMTP
 extern uschar *acl_smtp_auth; /* ACL run for AUTH */
 extern uschar *acl_smtp_connect; /* ACL run on SMTP connection */
 extern uschar *acl_smtp_data; /* ACL run after DATA received */
+#ifndef DISABLE_DKIM
+extern uschar *acl_smtp_dkim; /* ACL run for DKIM signatures / domains */
+#endif
 extern uschar *acl_smtp_etrn; /* ACL run for ETRN */
 extern uschar *acl_smtp_expn; /* ACL run for EXPN */
 extern uschar *acl_smtp_helo; /* ACL run for HELO/EHLO */
@@ -296,11 +299,12 @@ extern BOOL disable_ipv6; /* Don't do any IPv6 things */ extern BOOL disable_logging; /* Disables log writing when TRUE */ #ifndef DISABLE_DKIM -extern uschar *dkim_signing_domain; /* Domain used for signing a message. */ -extern uschar *dkim_signing_selector; /* Selector used for signing a message. */ -extern uschar *dkim_verify_domains; /* Colon-separated list of domains for each of which we call the DKIM ACL */ -extern BOOL dkim_collect_input; /* Runtime flag that tracks wether SMTP input is fed to DKIM validation */ -extern BOOL dkim_disable_verify; /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */ +extern uschar *dkim_signing_domains; /* Expansion variable, holds colon-separated list of domains that have signed a message */ +extern uschar *dkim_signing_domain; /* Expansion variable, domain used for signing a message. */ +extern uschar *dkim_signing_selector; /* Expansion variable, selector used for signing a message. */ +extern uschar *dkim_verify_domains; /* Colon-separated list of domains for each of which we call the DKIM ACL */ +extern BOOL dkim_collect_input; /* Runtime flag that tracks wether SMTP input is fed to DKIM validation */ +extern BOOL dkim_disable_verify; /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */ #endif extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */ diff --git a/src/src/macros.h b/src/src/macros.h index aa4acd1c8..437156c1c 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/macros.h,v 1.37 2008/09/29 11:41:07 nm4 Exp $ */ +/* $Cambridge: exim/src/src/macros.h,v 1.37.2.1 2009/05/27 17:26:54 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
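Review bot: The re-emitted declaration comment for `dkim_collect_input` keeps the typo `wether`; since the line is touched anyway it should read `/* Runtime flag that tracks whether SMTP input is fed to DKIM validation */`. The new `dkim_signing_domains` comment would be more useful if it also said when the value is valid: it is filled in by dkim_exim_verify_finish() for the current message and reset to NULL per message (as the smtp_in.c and spool_in.c hunks now do), so reading it earlier in the message lifecycle yields NULL.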
@@ -799,6 +799,7 @@ enum { ACL_WHERE_RCPT, /* Some controls are for RCPT only */ ACL_WHERE_MAIL, /* ) */ ACL_WHERE_PREDATA, /* ) There are several tests for "in message", */ ACL_WHERE_MIME, /* ) implemented by <= WHERE_NOTSMTP */ + ACL_WHERE_DKIM, /* ) */ ACL_WHERE_DATA, /* ) */ ACL_WHERE_NOTSMTP, /* ) */ diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index 6c6cbf108..c915319e6 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c @@ -20,7 +20,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -/* $Cambridge: exim/src/src/pdkim/pdkim.c,v 1.1.2.16 2009/05/20 14:30:15 tom Exp $ */ +/* $Cambridge: exim/src/src/pdkim/pdkim.c,v 1.1.2.17 2009/05/27 17:26:55 tom Exp $ */ #include #include @@ -39,7 +39,7 @@ #define PDKIM_MAX_HEADER_LEN 65536 #define PDKIM_MAX_HEADERS 512 -#define PDKIM_MAX_BODY_LINE_LEN 1024 +#define PDKIM_MAX_BODY_LINE_LEN 16384 #define PDKIM_DNS_TXT_MAX_NAMELEN 1024 #define PDKIM_DEFAULT_SIGN_HEADERS "From:Sender:Reply-To:Subject:Date:"\ "Message-ID:To:Cc:MIME-Version:Content-Type:"\ diff --git a/src/src/readconf.c b/src/src/readconf.c index 672b19763..ab4faebc3 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/readconf.c,v 1.35.2.1 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/readconf.c,v 1.35.2.2 2009/05/27 17:26:55 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -142,6 +142,9 @@ static optionlist optionlist_config[] = { { "acl_smtp_auth", opt_stringptr, &acl_smtp_auth }, { "acl_smtp_connect", opt_stringptr, &acl_smtp_connect }, { "acl_smtp_data", opt_stringptr, &acl_smtp_data }, +#ifndef DISABLE_DKIM + { "acl_smtp_dkim", opt_stringptr, &acl_smtp_dkim }, +#endif { "acl_smtp_etrn", opt_stringptr, &acl_smtp_etrn }, { "acl_smtp_expn", opt_stringptr, &acl_smtp_expn }, { "acl_smtp_helo", opt_stringptr, &acl_smtp_helo }, 
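Review bot: `ACL_WHERE_DKIM` is inserted into the middle of an enum whose values index `acl_wherenames[]` and `acl_wherecodes[]` in globals.c; this commit updates both tables at the matching position, but nothing on the enum says that the three must stay in step. Suggest replacing the bare `/* ) */` on the new entry with `/* ) order must match acl_wherenames/acl_wherecodes */`. The entry also sits below ACL_WHERE_NOTSMTP, so the existing `<= WHERE_NOTSMTP` "in message" tests now cover the DKIM ACL — consistent with running it after DATA, but worth stating in the comment.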
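Review bot: Raising `PDKIM_MAX_BODY_LINE_LEN` from 1024 to 16384 changes a bound without the hunk showing how a body line longer than it is handled; if the constant backs a fixed-size per-line buffer, an over-long line still needs a defined outcome (an error rather than silent truncation), because a body hash computed over truncated input makes the verification result meaningless. A one-line comment on the define stating that outcome, e.g. `/* Body lines longer than this are <rejected or split — fill in from the feed code> */`, would make the bump reviewable.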
diff --git a/src/src/receive.c b/src/src/receive.c index dba469cbc..3ee596ee7 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/receive.c,v 1.45.2.3 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/receive.c,v 1.45.2.4 2009/05/27 17:26:55 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -2969,8 +2969,46 @@ else { #ifndef DISABLE_DKIM - if (!dkim_disable_verify) dkim_exim_verify_finish(); -#endif + if (!dkim_disable_verify) + { + /* Finish verification, this will log individual signature results to + the mainlog */ + dkim_exim_verify_finish(); + + /* Check if we must run the DKIM ACL */ + if ((acl_smtp_dkim != NULL) && + (dkim_verify_domains != NULL) && + (dkim_verify_domains[0] != '\0')) + { + uschar *dkim_verify_domains_expanded = + expand_string(dkim_verify_domains); + if (dkim_verify_domains_expanded == NULL) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "expansion of dkim_verify_domains option failed: %s", + expand_string_message); + } + else + { + int sep = 0; + uschar *ptr = dkim_verify_domains_expanded; + uschar *item = NULL; + uschar itembuf[256]; + while ((item = string_nextinlist(&ptr, &sep, + itembuf, + sizeof(itembuf))) != NULL) + { + + + rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, &user_msg, &log_msg); + if (rc != OK) break; + } + + add_acl_headers(US"DKIM"); + } + } + } +#endif /* DISABLE_DKIM */ #ifdef WITH_CONTENT_SCAN if (acl_smtp_mime != NULL && diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 0a5ae629a..e59bb8cf2 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/smtp_in.c,v 1.63.2.3 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/smtp_in.c,v 1.63.2.4 2009/05/27 17:26:55 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
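Review bot: Inside the `string_nextinlist` loop, `item` is never used, so `acl_check(ACL_WHERE_DKIM, ...)` runs once per entry of the expanded `dkim_verify_domains` with identical state and the ACL cannot tell which domain it is being asked about; the two blank added lines before the call look like the place where the current item was meant to be made visible to the ACL before the check. The result is not acted on within the hunk either: after `if (rc != OK) break;` control goes straight to `add_acl_headers(US"DKIM")` and on to the content-scan section, so a deny from the DKIM ACL is only honoured if code after this hunk still inspects `rc` before the MIME/DATA ACLs overwrite it — worth confirming, since the enclosing function and `rc`, `user_msg`, `log_msg` all live outside the hunk. When `expand_string` fails the message continues with no DKIM ACL having run; if that fail-open is intended, say so with `/* Expansion failure: DKIM ACL is skipped, message continues */`. Note that with the new default `$dkim_signing_domains` the list is built from the message's own signature headers, so the number of ACL runs is chosen by the sender.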
@@ -1041,6 +1041,7 @@ bmi_run = 0; bmi_verdicts = NULL; #endif #ifndef DISABLE_DKIM +dkim_signing_domains = NULL; dkim_disable_verify = FALSE; dkim_collect_input = FALSE; #endif diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 710119543..374ef69a9 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/spool_in.c,v 1.23.2.3 2009/05/20 14:30:14 tom Exp $ */ +/* $Cambridge: exim/src/src/spool_in.c,v 1.23.2.4 2009/05/27 17:26:55 tom Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -279,6 +279,7 @@ bmi_verdicts = NULL; #endif #ifndef DISABLE_DKIM +dkim_signing_domains = NULL; dkim_disable_verify = FALSE; dkim_collect_input = FALSE; #endif -- 2.30.2