From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel Berteaud <daniel@firewall-services.com>
To: pmg-devel@lists.proxmox.com
Date: Mon, 26 Oct 2020 11:50:46 +0100
Message-Id: <20201026105046.424454-2-daniel@firewall-services.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20201026105046.424454-1-daniel@firewall-services.com>
References: <20201026105046.424454-1-daniel@firewall-services.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pmg-devel] [PATCH pmg-api 1/1] [pmg-api]: fix #3098 : first check
 for exact domain match
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>

When selecting the sending domain for the DKIM signature, we should first check for an exact match. If none is found, look for parent domains. This fixes the case where the wrong signing domain can be added if sign_all is disabled and we sign both a parent and a child domain.

Signed-off-by: Daniel Berteaud <daniel@firewall-services.com>
---
 src/PMG/DKIMSign.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm
index 7cb06a6..8fd9eed 100644
--- a/src/PMG/DKIMSign.pm
+++ b/src/PMG/DKIMSign.pm
@@ -69,6 +69,14 @@ sub signing_domain {
     my $dkimdomains = PVE::INotify::read_file('dkimdomains');
     $dkimdomains = PVE::INotify::read_file('domains') if !scalar(%$dkimdomains);
 
+    # First check for an exact match in the domain list
+    foreach my $domain (sort keys %$dkimdomains) {
+	if ( $input_domain eq $domain ) {
+	    $self->domain($domain);
+	    return 1;
+	}
+    }
+    # If no exact match is found, check for parent/child domains
     foreach my $domain (sort keys %$dkimdomains) {
 	if ( $input_domain =~ /\Q$domain\E$/i ) {
 	    $self->domain($domain);
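Review bot: The new exact-match test `$input_domain eq $domain` is case-sensitive, while the fallback below it matches with `/i`. An input domain that differs from the configured key only in case skips the exact-match loop and falls through to the suffix loop, where `sort keys` can still reach the parent before the child, so the wrong signing domain from #3098 can still be selected. Comparing `lc($input_domain) eq lc($domain)` would make both passes agree. The new comment also describes the fallback as a parent/child check, but `/\Q$domain\E$/i` is a bare suffix match with no label boundary, so any input whose name merely ends in a configured domain's characters matches it too; requiring a leading dot, for example `/\.\Q$domain\E$/i`, would keep the fallback to real subdomains now that the exact case is handled separately.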
-- 
2.26.2