From: Jeremy Harris Date: Mon, 25 Sep 2023 08:48:00 +0000 (+0100) Subject: DKIM: support list-version of $dkim_verify_status, and data ACL X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/e2b4dedbcd1c17398c98342f250f0c44fd1984f3 DKIM: support list-version of $dkim_verify_status, and data ACL --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1f5e29511..70988384d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -41791,8 +41791,9 @@ RFC 6376 lists these tags as RECOMMENDED. Verification of DKIM signatures in SMTP incoming email is done for all messages for which an ACL control &%dkim_disable_verify%& has not been set. + .cindex DKIM "selecting signature algorithms" -Individual classes of signature algorithm can be ignored by changing +Individual classes of DKIM signature algorithm can be ignored by changing the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&. The &%dkim_verify_minimal%& option can be set to cease verification processing for a message once the first passing signature is found. @@ -41805,7 +41806,7 @@ For most purposes the default option settings suffice and the remainder of this section can be ignored. The results of verification are made available to the -&%acl_smtp_dkim%& ACL, which can examine and modify them. +&%acl_smtp_dkim%& ACL, which (for complex needs) can examine and modify them. A missing ACL definition defaults to accept. By default, the ACL is called once for each syntactically(!) correct signature in the incoming message. 
@@ -41870,6 +41871,12 @@ an identity. This is one of the list items from the expanded main option &%dkim_verify_signers%& (see above). .vitem &%$dkim_verify_status%& +So long as a DKIM ACL is defined +(it need do no more than accept, which is the default), +after all the DKIM ACL runs have completed, the value becomes a +colon-separated list of the values after each run. +The value is maintained for the MIME, PRDR and DATA ACLs. + Within the DKIM ACL, a string describing the general status of the signature. One of .ilist @@ -41898,11 +41905,6 @@ hash-method or key-size: set dkim_verify_reason = hash too weak or key too short .endd -So long as a DKIM ACL is defined (it need do no more than accept), -after all the DKIM ACL runs have completed, the value becomes a -colon-separated list of the values after each run. -This is maintained for the mime, prdr and data ACLs. - .vitem &%$dkim_verify_reason%& A string giving a little bit more detail when &%$dkim_verify_status%& is either "fail" or "invalid". One of @@ -42027,13 +42029,15 @@ option. .endlist -In addition, two ACL conditions are provided, usable only in a DKIM ACL: +In addition, two ACL conditions are provided: .vlist .vitem &%dkim_signers%& ACL condition that checks a colon-separated list of domains or identities for a match against the domain or identity that the ACL is currently verifying -(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL +(reflected by &%$dkim_cur_signer%&). +This condition is only usable in a DKIM ACL. +This is typically used to restrict an ACL verb to a group of domains or identities. For example: .code 
@@ -42049,7 +42053,18 @@ for that check for empty &$h_DKIM-Signature:$& in the data ACL. .vitem &%dkim_status%& ACL condition that checks a colon-separated list of possible DKIM verification -results against the actual result of verification. This is typically used +results against the actual result of verification, +given by &$dkim_verify_status$& if that is non-empty or "none" if empty. +.new +This condition may be used in DKIM, MIME, PRDR and DATA ACLs. +.wen + +A basic verification might be: +.code +deny !dkim_status = pass:none:invalid +.endd + +A more complex use could be to restrict an ACL verb to a list of verification outcomes, for example: .code @@ -42062,6 +42077,12 @@ deny sender_domains = paypal.com:paypal.de The possible status keywords are: 'none','invalid','fail' and 'pass'. Please see the documentation of the &%$dkim_verify_status%& expansion variable above for more information of what they mean. + +The condition is true if the status +.new +(or any of the list of status values) +.wen +is any one of the supplied list. .endlist diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 5fcc8ab11..4c22f649f 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -193,6 +193,9 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings and ${tr...}. Found and diagnosed by Heiko Schlichting. +JH/40 Support list of dkim results in the dkim_status ACL condition, making + it more usable in the data ACL. + Exim version 4.96 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 89df66ba2..beca9748c 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -6,6 +6,10 @@ Before a formal release, there may be quite a lot of detail so that people can test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Since 4.97 +------------ + 1. The dkim_status ACL condition may not be used in data ACLs + Version 4.97 ------------ diff --git a/src/src/acl.c b/src/src/acl.c index 118e4b35d..8431efc84 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -203,7 +203,14 @@ static condition_def conditions[] = { [ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT }, #ifndef DISABLE_DKIM [ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM }, - [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM }, + [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, + (unsigned int) + ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME +# ifndef DISABLE_PRDR + | ACL_BIT_PRDR +# endif + ), + }, #endif #ifdef SUPPORT_DMARC [ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA }, @@ -3763,8 +3770,14 @@ for (; cb; cb = cb->next) break; case ACLC_DKIM_STATUS: - rc = match_isinlist(dkim_verify_status, - &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL); + { /* return good for any match */ + const uschar * s = dkim_verify_status ? dkim_verify_status : US"none"; + int sep = 0; + for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); ) + if ( (rc = match_isinlist(ss, &arg, + 0, NULL, NULL, MCL_STRING, TRUE, NULL)) + == OK) break; + } break; #endif diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index 30cb0437c..22b850242 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c 
@@ -1868,9 +1868,9 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) if (*dkim_verify_min_keysizes) { unsigned minbits; - uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype], + const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype], dkim_verify_min_keysizes); - if (ss && (minbits = atoi(CS ss)) > sig->keybits) + if (ss && (minbits = atoi(CCS ss)) > sig->keybits) { DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n", pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes); diff --git a/test/confs/4500 b/test/confs/4500 index 9f0829c1a..46cffa39a 100644 --- a/test/confs/4500 +++ b/test/confs/4500 @@ -42,6 +42,9 @@ check_dkim: .endif check_data: - accept logwrite = ${authresults {$primary_hostname}} + warn logwrite = ${authresults {$primary_hostname}} + accept dkim_status = pass + logwrite = dkim_status includes pass + accept logwrite = dkim_state DOES NOT include pass # End diff --git a/test/log/4500 b/test/log/4500 index 322c5a5be..be7ab89f0 100644 --- a/test/log/4500 +++ b/test/log/4500 
@@ -4,27 +4,40 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 512 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded] 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=ses header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256 +1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 512 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded] 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex 
header.s=ses_sha1 header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbB-000000005vi-0000 NOTE: forcing dkim verify fail (was pass) 1999-03-02 09:44:33 10HmbB-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak] 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512 1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)] 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net +1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 1024 +1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded] +1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 
512 +1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)] +1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_status includes pass +1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net diff --git a/test/log/4501 b/test/log/4501 index 2a1934c05..ed8bb3d82 100644 --- a/test/log/4501 +++ b/test/log/4501 @@ -4,8 +4,10 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= pass@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)] 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= fail@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 
diff --git a/test/log/4502 b/test/log/4502 index de5fbd478..4a1e86588 100644 --- a/test/log/4502 +++ b/test/log/4502 
@@ -4,17 +4,21 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=564CFC9B.1040905@yahoo.com 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad [failed key import] 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record] 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: 
myhost.test.ex;\n dkim=neutral (public key record import problem)\n header.d=test.ex header.s=sel_bad header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com diff --git a/test/log/4503 b/test/log/4503 index ea4791a91..2d5d8c42b 100644 --- a/test/log/4503 +++ b/test/log/4503 @@ -4,4 +4,5 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/log/4504 b/test/log/4504 index ea4791a91..2d5d8c42b 100644 --- a/test/log/4504 +++ b/test/log/4504 @@ -4,4 +4,5 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/log/4506 b/test/log/4506 index adace8e4a..00139412f 100644 --- a/test/log/4506 +++ b/test/log/4506 
@@ -4,32 +4,39 @@ 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid] 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)] 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)] 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: validation error: 
LONG_LINE 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: Error during validation, disabling signature verification: LONG_LINE 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex +1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512 1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason] 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (unspecified reason)\n header.d=test.ex header.s=ses_sha256 header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 DKIM: validation error: EXCESS_SIGS 1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: Error during validation, disabling signature verification: EXCESS_SIGS 1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex +1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=20180418125440.Horde.vVKB6E7UvpLfJsPzv2ZPs6z@webmail.sego.es 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbE-000000005vi-0000 unknown 1999-03-02 09:44:33 10HmbE-000000005vi-0000 signer: test.ex bits: 0 1999-03-02 09:44:33 10HmbE-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid] 1999-03-02 09:44:33 10HmbE-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature 
tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1 +1999-03-02 09:44:33 10HmbE-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 0 diff --git a/test/log/4540 b/test/log/4540 index 80aa4ca28..e283729ed 100644 --- a/test/log/4540 +++ b/test/log/4540 
@@ -4,19 +4,23 @@ 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 253 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded] 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sed header.a=ed25519-sha256 +1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 253 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sedw c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded] 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sedw header.a=ed25519-sha256 +1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: kitterman.org bits: 253 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded] 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: @kitterman.org bits: 253 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded] 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=kitterman.org header.i=@kitterman.org header.s=ed25519 header.a=ed25519-sha256 +1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] 
P=smtp S=sss DKIM=kitterman.org id=example@example.com 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 253 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification failed - signature invalid (key too short)] 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 253 bits)\n header.d=test.ex header.s=sed header.a=ed25519-sha256 +1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500 index d1cc646f9..112fda506 100644 --- a/test/scripts/4500-DKIM/4500 +++ b/test/scripts/4500-DKIM/4500 @@ -3,6 +3,7 @@ exim -DSERVER=server -DMSIZE='rsa=512 ed25519=250' -bd -oX PORT_D **** # +# (A) # This should pass. # - sha1, 1024b # Mail original in aux-fixed/4500.msg1.txt @@ -37,6 +38,7 @@ QUIT ??? 221 **** # +# (B) # This should pass. # - sha1, 512b # Mail original in aux-fixed/4500.msg1.txt @@ -69,6 +71,7 @@ QUIT ??? 221 **** # +# (C) # This should pass. # - sha256, 1024b # Mail original in aux-fixed/4500.msg1.txt @@ -103,6 +106,7 @@ QUIT **** # # +# (D) # This should pass. The pubkey dns decord has a additional sha1-only h= field # # - sha1, 512b @@ -143,6 +147,7 @@ killdaemon exim -DSERVER=server -DOPTION -DMSIZE='rsa=512 ed25519c=32' -bd -oX PORT_D **** # +# (E) # This should fail despite being a passing submission above (with the unlimited verifier). # - sha1, 1024b # Mail original in aux-fixed/4500.msg1.txt @@ -181,6 +186,7 @@ killdaemon # # # +# (F) # With the default keysize minima, a 512b key should fail exim -DSERVER=server -bd -oX PORT_D **** 
@@ -208,6 +214,42 @@ Date: Thu, 19 Nov 2015 17:00:07 -0700 Message-ID: Subject: simple test +This is a simple test. +. +??? 250 +QUIT +??? 221 +**** +# +# +# (G) +# Two signature, one pass one fail. Checking for "at least one pass". +# Sigs from (F) and (C) above +client 127.0.0.1 PORT_D +??? 220 +HELO xxx +??? 250 +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=ses; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b= + cIErF1eueIT9AU4qG54FyT3yrlVDDM7RZnuU6fWTevZpAuMqhYcRO8tU3U4vtKWB + +I2vd+F1gzqCzBcRtfLhZg== +DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to + :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1 + 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP + Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh + +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY= +From: mrgus@text.ex +To: bakawolf@yahoo.com +Date: Thu, 19 Nov 2015 17:00:07 -0700 +Message-ID: +Subject: simple test + This is a simple test. . ??? 250 diff --git a/test/stderr/4507 b/test/stderr/4507 index 6fcd8bd8d..d82f5d95e 100644 --- a/test/stderr/4507 +++ b/test/stderr/4507 @@ -12,7 +12,7 @@ >>> list element: @ >>> list element: @[] >>> xxx in helo_lookup_domains? no (end of list) ->>> processing "accept" (TESTSUITE/test-config 47) +>>> processing "accept" (TESTSUITE/test-config 50) >>> accept: condition test succeeded in inline ACL >>> end of inline ACL: ACCEPT >>> host in ignore_fromline_hosts? no (option unset) 
@@ -27,11 +27,19 @@ LOG: 10HmaX-000000005vi-0000 signer: test.ex bits: 1024 >>> end of ACL "check_dkim": ACCEPT LOG: 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded] >>> using ACL "check_data" ->>> processing "accept" (TESTSUITE/test-config 45) +>>> processing "warn" (TESTSUITE/test-config 45) >>> check logwrite = ${authresults {$primary_hostname}} >>> = Authentication-Results: myhost.test.ex; >>> dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 LOG: 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1 +>>> warn: condition test succeeded in ACL "check_data" +>>> processing "accept" (TESTSUITE/test-config 46) +>>> check dkim_status = pass +>>> pass in "pass"? +>>> list element: pass +>>> pass in "pass"? yes (matched "pass") +>>> check logwrite = dkim_status includes pass +LOG: 10HmaX-000000005vi-0000 dkim_status includes pass >>> accept: condition test succeeded in ACL "check_data" >>> end of ACL "check_data": ACCEPT LOG: 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
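Review bot: the NewStuff entry states the opposite of what the acl.c and spec.xfpt hunks do. "1. The dkim_status ACL condition may not be used in data ACLs" should say it may now be used there, consistent with the conditions[] change (ACL_BIT_DATA | ACL_BIT_MIME | ACL_BIT_PRDR added to the allowed set) and with ChangeLog JH/40 "making it more usable in the data ACL". Suggested wording: "1. The dkim_status ACL condition may now be used in the MIME, PRDR and DATA ACLs, and matches against any element of the list-valued $dkim_verify_status." The underline under "Since 4.97" is also two characters longer than the heading, unlike the "Version 4.97" entry below it.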
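Review bot: in the ACLC_DKIM_STATUS case in acl.c, rc is assigned only inside the for loop, so an empty list leaves the condition's result as whatever rc held on entry to the case. The fallback `const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";` covers only NULL, while the spec.xfpt hunk for this same change documents it as applying when the variable is empty ("given by $dkim_verify_status if that is non-empty or "none" if empty"), so an empty string would run zero iterations and never evaluate the supplied list. Suggest matching the documented behaviour and giving rc a defined value before the loop, e.g.
  const uschar * s = dkim_verify_status && *dkim_verify_status ? dkim_verify_status : US"none";
  rc = FAIL;
A lesser point on the same loop: a DEFER or ERROR returned by match_isinlist for an earlier element is overwritten by the result for a later element, so only the last element's non-OK result survives when nothing matches.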
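Review bot: the parenthetical "(it need do no more than accept, which is the default)" in the $dkim_verify_status hunk of spec.xfpt reads as if no acl_smtp_dkim setting were needed, but the sentence it sits in makes the list-building conditional on a DKIM ACL being defined, and the earlier text says a missing ACL definition merely defaults to accept. Suggest making the requirement explicit, e.g. "(a definition consisting of just accept suffices, but the list is not built when acl_smtp_dkim is unset, even though an unset ACL also accepts)". The same applies to the removed paragraph's wording that this hunk carries forward.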
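Review bot: in the dkim_status hunk of spec.xfpt, only the sentence "This condition may be used in DKIM, MIME, PRDR and DATA ACLs." is wrapped in .new/.wen, while the added "A basic verification might be:" paragraph and its `deny !dkim_status = pass:none:invalid` example in the same hunk are not, so they will not be flagged as new text in the rendered spec. It would also help to state what that example does under the any-element semantics documented two hunks later ("The condition is true if the status (or any of the list of status values) is any one of the supplied list"): with a multi-signature message the deny fires only when every signature's result is "fail", so a message carrying one failing and one invalid signature is still accepted. A reader could otherwise take it to require a pass.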
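Review bot: in test/confs/4500 the final accept in check_data logs "dkim_state DOES NOT include pass" while the condition and the preceding logwrite both use dkim_status. That spelling is then baked into every expected log file in this patch (test/log/4500, 4501, 4502, 4506 and 4540). Worth correcting to "dkim_status" before the logs are committed, since fixing it later means touching all of them again.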