DKIM: ensure that dkim_domain elements are lowercased before use. Bug 2371

(cherry picked from commit f3c73adaa541ae54092467a29668ac32894ef1dc)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 08a0a974ae652545f4888fc1618f0f65b14c0495..415c727127913e4b3e6846794535534397a266ce 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39534,7 +39534,7 @@ senders).
 .cindex "DKIM" "signing"
 
 For signing to be usable you must have published a DKIM record in DNS.
 .cindex "DKIM" "signing"
 
 For signing to be usable you must have published a DKIM record in DNS.

-Note that RFC 8301 says:
+Note that RFC 8301 (which does not cover EC keys) says:

 .code
 rsa-sha1 MUST NOT be used for signing or verifying.
 
 .code
 rsa-sha1 MUST NOT be used for signing or verifying.
 


@@ -39554,7 +39554,11 @@ These options take (expandable) strings as arguments.
 .option dkim_domain smtp string list&!! unset
 The domain(s) you want to sign with.
 After expansion, this can be a list.
 .option dkim_domain smtp string list&!! unset
 The domain(s) you want to sign with.
 After expansion, this can be a list.

-Each element in turn is put into the &%$dkim_domain%& expansion variable
+Each element in turn,
+.new
+lowercased,
+.wen
+is put into the &%$dkim_domain%& expansion variable

 while expanding the remaining signing options.
 If it is empty after expansion, DKIM signing is not done,
 and no error will result even if &%dkim_strict%& is set.
 while expanding the remaining signing options.
 If it is empty after expansion, DKIM signing is not done,
 and no error will result even if &%dkim_strict%& is set.


@@ -39755,6 +39759,14 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
 If a domain or identity is listed several times in the (expanded) value of
 &%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
 
 If a domain or identity is listed several times in the (expanded) value of
 &%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
 

+.new
+Note that if the option is set using untrustworthy data
+(such as the From: header)
+care should be taken to force lowercase for domains
+and for the domain part if identities.
+The default setting can be regarded as trustworthy in this respect.
+.wen
+

 If multiple signatures match a domain (or identity), the ACL is called once
 for each matching signature.
 
 If multiple signatures match a domain (or identity), the ACL is called once
 for each matching signature.
 

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bc739ae2c82d41dda59780a65f173fe4315f3575..9313c7b28f13f71671c63a7e4deff4243d95bfac 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,8 @@ JH/03 Debug output for ACL now gives the config file name and line number for
 
 JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
 
 
 JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
 

+JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
+

 
 Exim version 4.92
 -----------------
 
 Exim version 4.92
 -----------------

diff --git a/src/src/dkim.c b/src/src/dkim.c
index a0becd45be9d64ab1a6b51c81e919a27c75d0229..96d7eba81468ce89b3fee2c2413ff4c780cb5fb4 100644 (file)
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -620,6 +620,7 @@ if (dkim_domain)
   /* Only sign once for each domain, no matter how often it
   appears in the expanded list. */
 
   /* Only sign once for each domain, no matter how often it
   appears in the expanded list. */
 

+  dkim_signing_domain = string_copylc(dkim_signing_domain);

   if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
       0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
     continue;
   if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
       0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
     continue;