public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pmg-devel] [PATCH pmg-api v3] fix-2971: DKIM: Add setting to use From header when signing
@ 2024-01-15 11:46 Maximiliano Sandoval
  2024-01-16  8:30 ` Stoiko Ivanov
  0 siblings, 1 reply; 2+ messages in thread
From: Maximiliano Sandoval @ 2024-01-15 11:46 UTC (permalink / raw)
  To: pmg-devel

We add an option to use the address from the `From:` header instead of
the Envelope From address. Following RFC 5322 [2], we use the `Sender:`
header when there are multiple addresses in the `From:` header.

From RFC 7489 [1]:

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "alerts@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail, since the "d="
   domain does not exactly match the FQDN of the address.

Current Problems:

 - `dkim_sign_rfc5322` is probably not a descriptive name for the setting
 - The setting description might be improved upon

Tested with the following command:

    swaks --from foo@bar1 --to EMAIL -s PMG_ADDR:26 --data "Date: %DATE%\nTo: %TO_ADDRESS%\nFrom: foo@bar2\nSubject: test %DATE%\nMessage-Id: <%MESSAGEID%>\nX-Mailer: swaks v%SWAKS_VERSION% jetmore.org/john/code/swaks/\n%NEW_HEADERS%\n%BODY%\n"

[1] https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.1
[2] https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
Differences from v2:
  - Rename setting to dkim_prefer_rfc5322_domain
  - Move parsing code inside of PMG::DKIMSign::signing_domain
  - Use Email::Address::XS to handle header parsing more gracefully
  - Improved commit message

I'll send a patch to pmg-docs once this is in 👌.

 src/PMG/Config.pm        |  7 +++++
 src/PMG/DKIMSign.pm      | 64 +++++++++++++++++++++++++++++++++++-----
 src/PMG/RuleDB/Accept.pm |  3 +-
 src/PMG/RuleDB/BCC.pm    |  3 +-
 src/bin/pmg-smtp-filter  |  1 +
 5 files changed, 67 insertions(+), 11 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 7339e0d..840c0ad 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -134,6 +134,11 @@ EODESC
 	    description => "Default DKIM selector",
 	    type => 'string', format => 'dns-name', #see RFC6376 3.1
 	},
+	dkim_prefer_rfc5322_domain => {
+	    description => "Whether to use the address from the From header when DKIM signing outbound mails.",
+	    type => 'boolean',
+	    default => 0,
+	},
     };
 }
 
@@ -152,6 +157,7 @@ sub options {
 	dkim_sign => { optional => 1 },
 	dkim_sign_all_mail => { optional => 1 },
 	dkim_selector => { optional => 1 },
+	dkim_prefer_rfc5322_domain => { optional => 1 },
     };
 }
 
@@ -1788,6 +1794,7 @@ my $pmg_service_params = {
 	dkim_selector => 1,
 	dkim_sign => 1,
 	dkim_sign_all_mail => 1,
+	dkim_prefer_rfc5322_domain => 1,
     },
 };
 
diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm
index 08197f8..efd5d16 100644
--- a/src/PMG/DKIMSign.pm
+++ b/src/PMG/DKIMSign.pm
@@ -2,6 +2,7 @@ package PMG::DKIMSign;
 
 use strict;
 use warnings;
+use Email::Address::XS;
 use Mail::DKIM::Signer;
 use Mail::DKIM::TextWrap;
 use Crypt::OpenSSL::RSA;
@@ -53,11 +54,9 @@ sub create_signature {
 
 #determines which domain should be used for signing based on the e-mailaddress
 sub signing_domain {
-    my ($self, $sender_email) = @_;
+    my ($self, $entity) = @_;
 
-    my @parts = split('@', $sender_email);
-    die "no domain in sender e-mail\n" if scalar(@parts) < 2;
-    my $input_domain = $parts[-1];
+    my $input_domain = parse_signing_domain($entity);
 
     if ($self->{sign_all}) {
 	    $self->domain($input_domain) if $self->{sign_all};
@@ -78,14 +77,65 @@ sub signing_domain {
 	}
     }
 
-    syslog('info', "not DKIM signing mail from $sender_email");
+    syslog('info', "not DKIM signing mail from $input_domain");
 
     return 0;
 }
 
 
+sub parse_signing_domain {
+    # If there is exactly one single address in the 'From' header we use that
+    # address for signing, otherwise we use the 'Sender' header.
+    my ($entity) = @_;
+
+    my @sender_list;
+    my @from_list;
+
+    my @from_headers = $entity->head->get('from');
+    foreach my $from_header (@from_headers) {
+	my @senders = Email::Address::XS->parse($from_header);
+	foreach my $sender (@senders) {
+	    push(@from_list, @senders);
+	}
+    }
+    my $from_count = scalar(@from_list);
+
+    if ($from_count > 1) {
+	my @send_headers = $entity->head->get('sender');
+	foreach my $send_header (@send_headers) {
+	    my @senders = Email::Address::XS->parse($send_header);
+	    foreach my $sender (@senders) {
+		push(@sender_list, $sender);
+	    }
+	}
+	my $send_count = scalar(@sender_list);
+
+	if ($send_count > 1) {
+	    syslog(
+		'warning',
+		"Email has more than one address in its 'Sender' it won't be signed."
+		." See RFC 5322 Section 3.6.2"
+	    );
+	} elsif ($send_count == 1) {
+	    return $sender_list[0]->host();
+	} else {
+	    syslog(
+		'warning',
+		"Email has multiple addresses in its 'From' header and no 'Sender'"
+		." header, it won't be signed. See RFC 5322 Section 3.6.2"
+	    );
+	}
+    } elsif ($from_count == 1) {
+	return $from_list[0]->host();
+    }
+}
+
+
 sub sign_entity {
-    my ($entity, $selector, $sender, $sign_all) = @_;
+    my ($entity, $dkim) = @_;
+
+    my $sign_all = $dkim->{sign_all};
+    my $selector = $dkim->{selector};
 
     die "no selector provided\n" if ! $selector;
 
@@ -110,7 +160,7 @@ sub sign_entity {
 
     $signer->extended_headers($extended_headers);
 
-    if ($signer->signing_domain($sender)) {
+    if ($signer->signing_domain($entity)) {
 	$entity->print($signer);
 	my $signature = $signer->create_signature();
 	$entity->head->add('DKIM-Signature', $signature, 0);
diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
index 4ebd6da..be305f6 100644
--- a/src/PMG/RuleDB/Accept.pm
+++ b/src/PMG/RuleDB/Accept.pm
@@ -102,8 +102,7 @@ sub execute {
 
 	if ($dkim->{sign}) {
 	    eval {
-		$entity = PMG::DKIMSign::sign_entity($entity,
-		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+		$entity = PMG::DKIMSign::sign_entity($entity, $dkim);
 	    };
 	    syslog('warning',
 		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
index 0f016f8..219ba4e 100644
--- a/src/PMG/RuleDB/BCC.pm
+++ b/src/PMG/RuleDB/BCC.pm
@@ -142,8 +142,7 @@ sub execute {
 	my $dkim = $msginfo->{dkim} // {};
 	if ($dkim->{sign}) {
 	    eval {
-		$entity = PMG::DKIMSign::sign_entity($entity,
-		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+		$entity = PMG::DKIMSign::sign_entity($entity, $dkim);
 	    };
 	    syslog('warning',
 		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 7da3de8..f7502f2 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -627,6 +627,7 @@ sub handle_smtp {
 	my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
 	if ($dkim_sign) {
 	    $msginfo->{dkim}->{sign} = $dkim_sign;
+	    $msginfo->{dkim}->{prefer_rfc5322_domain} = $pmg_cfg->get('admin', 'dkim_prefer_rfc5322_domain');
 	    $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
 	    $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
 	}
-- 
2.39.2





^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api v3] fix-2971: DKIM: Add setting to use From header when signing
  2024-01-15 11:46 [pmg-devel] [PATCH pmg-api v3] fix-2971: DKIM: Add setting to use From header when signing Maximiliano Sandoval
@ 2024-01-16  8:30 ` Stoiko Ivanov
  0 siblings, 0 replies; 2+ messages in thread
From: Stoiko Ivanov @ 2024-01-16  8:30 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pmg-devel

Hi,

On Mon, 15 Jan 2024 12:46:22 +0100
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> We add an option to use the address from the `From:` header instead of
> the Envelope From address. Following RFC 5322 [2], we use the `Sender:`
> header when there are multiple addresses in the `From:` header.
> 
> From RFC 7489 [1]:
> 
>    To illustrate, in relaxed mode, if a validated DKIM signature
>    successfully verifies with a "d=" domain of "example.com", and the
>    RFC5322.From address is "alerts@news.example.com", the DKIM "d="
>    domain and the RFC5322.From domain are considered to be "in
>    alignment".  In strict mode, this test would fail, since the "d="
>    domain does not exactly match the FQDN of the address.
> 
> Current Problems:
> 
>  - `dkim_sign_rfc5322` is probably not a descriptive name for the setting
>  - The setting description might be improved upon
> 
> Tested with the following command:
> 
>     swaks --from foo@bar1 --to EMAIL -s PMG_ADDR:26 --data "Date: %DATE%\nTo: %TO_ADDRESS%\nFrom: foo@bar2\nSubject: test %DATE%\nMessage-Id: <%MESSAGEID%>\nX-Mailer: swaks v%SWAKS_VERSION% jetmore.org/john/code/swaks/\n%NEW_HEADERS%\n%BODY%\n"
> 
> [1] https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.1
> [2] https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2
> 
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> Differences from v2:
>   - Rename setting to dkim_prefer_rfc5322_domain
>   - Move parsing code inside of PMG::DKIMSign::signing_domain
>   - Use Email::Address::XS to handle header parsing more gracefully
>   - Improved commit message
> 
> I'll send a patch to pmg-docs once this is in 👌.
> 
>  src/PMG/Config.pm        |  7 +++++
>  src/PMG/DKIMSign.pm      | 64 +++++++++++++++++++++++++++++++++++-----
>  src/PMG/RuleDB/Accept.pm |  3 +-
>  src/PMG/RuleDB/BCC.pm    |  3 +-
>  src/bin/pmg-smtp-filter  |  1 +
>  5 files changed, 67 insertions(+), 11 deletions(-)
> 
> diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
> index 7339e0d..840c0ad 100644
> --- a/src/PMG/Config.pm
> +++ b/src/PMG/Config.pm
> @@ -134,6 +134,11 @@ EODESC
>  	    description => "Default DKIM selector",
>  	    type => 'string', format => 'dns-name', #see RFC6376 3.1
>  	},
> +	dkim_prefer_rfc5322_domain => {
> +	    description => "Whether to use the address from the From header when DKIM signing outbound mails.",
> +	    type => 'boolean',
> +	    default => 0,
> +	},
you add the new option - but I can't see where it is actually used for
something in the patch?

from a quick glance it seems that this simply changes the code to always
use the header information?

>      };
>  }
>  
> @@ -152,6 +157,7 @@ sub options {
>  	dkim_sign => { optional => 1 },
>  	dkim_sign_all_mail => { optional => 1 },
>  	dkim_selector => { optional => 1 },
> +	dkim_prefer_rfc5322_domain => { optional => 1 },
>      };
>  }
>  
> @@ -1788,6 +1794,7 @@ my $pmg_service_params = {
>  	dkim_selector => 1,
>  	dkim_sign => 1,
>  	dkim_sign_all_mail => 1,
> +	dkim_prefer_rfc5322_domain => 1,
>      },
>  };
>  
> diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm
> index 08197f8..efd5d16 100644
> --- a/src/PMG/DKIMSign.pm
> +++ b/src/PMG/DKIMSign.pm
> @@ -2,6 +2,7 @@ package PMG::DKIMSign;
>  
>  use strict;
>  use warnings;
> +use Email::Address::XS;
>  use Mail::DKIM::Signer;
>  use Mail::DKIM::TextWrap;
>  use Crypt::OpenSSL::RSA;
> @@ -53,11 +54,9 @@ sub create_signature {
>  
>  #determines which domain should be used for signing based on the e-mailaddress
>  sub signing_domain {
> -    my ($self, $sender_email) = @_;
> +    my ($self, $entity) = @_;
>  
> -    my @parts = split('@', $sender_email);
> -    die "no domain in sender e-mail\n" if scalar(@parts) < 2;
> -    my $input_domain = $parts[-1];
> +    my $input_domain = parse_signing_domain($entity);
>  
>      if ($self->{sign_all}) {
>  	    $self->domain($input_domain) if $self->{sign_all};
> @@ -78,14 +77,65 @@ sub signing_domain {
>  	}
>      }
>  
> -    syslog('info', "not DKIM signing mail from $sender_email");
> +    syslog('info', "not DKIM signing mail from $input_domain");
>  
>      return 0;
>  }
>  
>  
> +sub parse_signing_domain {
> +    # If there is exactly one single address in the 'From' header we use that
> +    # address for signing, otherwise we use the 'Sender' header.
> +    my ($entity) = @_;
> +
> +    my @sender_list;
> +    my @from_list;
> +
> +    my @from_headers = $entity->head->get('from');
> +    foreach my $from_header (@from_headers) {
> +	my @senders = Email::Address::XS->parse($from_header);
> +	foreach my $sender (@senders) {
> +	    push(@from_list, @senders);
> +	}
> +    }
> +    my $from_count = scalar(@from_list);
> +
> +    if ($from_count > 1) {
> +	my @send_headers = $entity->head->get('sender');
> +	foreach my $send_header (@send_headers) {
> +	    my @senders = Email::Address::XS->parse($send_header);
> +	    foreach my $sender (@senders) {
> +		push(@sender_list, $sender);
> +	    }
> +	}
> +	my $send_count = scalar(@sender_list);
> +
> +	if ($send_count > 1) {
> +	    syslog(
> +		'warning',
> +		"Email has more than one address in its 'Sender' it won't be signed."
> +		." See RFC 5322 Section 3.6.2"
> +	    );
> +	} elsif ($send_count == 1) {
> +	    return $sender_list[0]->host();
> +	} else {
> +	    syslog(
> +		'warning',
> +		"Email has multiple addresses in its 'From' header and no 'Sender'"
> +		." header, it won't be signed. See RFC 5322 Section 3.6.2"
> +	    );
> +	}
> +    } elsif ($from_count == 1) {
> +	return $from_list[0]->host();
> +    }
> +}
> +
> +
>  sub sign_entity {
> -    my ($entity, $selector, $sender, $sign_all) = @_;
> +    my ($entity, $dkim) = @_;
> +
> +    my $sign_all = $dkim->{sign_all};
> +    my $selector = $dkim->{selector};
>  
>      die "no selector provided\n" if ! $selector;
>  
> @@ -110,7 +160,7 @@ sub sign_entity {
>  
>      $signer->extended_headers($extended_headers);
>  
> -    if ($signer->signing_domain($sender)) {
> +    if ($signer->signing_domain($entity)) {
>  	$entity->print($signer);
>  	my $signature = $signer->create_signature();
>  	$entity->head->add('DKIM-Signature', $signature, 0);
> diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
> index 4ebd6da..be305f6 100644
> --- a/src/PMG/RuleDB/Accept.pm
> +++ b/src/PMG/RuleDB/Accept.pm
> @@ -102,8 +102,7 @@ sub execute {
>  
>  	if ($dkim->{sign}) {
>  	    eval {
> -		$entity = PMG::DKIMSign::sign_entity($entity,
> -		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
> +		$entity = PMG::DKIMSign::sign_entity($entity, $dkim);
>  	    };
>  	    syslog('warning',
>  		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
> diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
> index 0f016f8..219ba4e 100644
> --- a/src/PMG/RuleDB/BCC.pm
> +++ b/src/PMG/RuleDB/BCC.pm
> @@ -142,8 +142,7 @@ sub execute {
>  	my $dkim = $msginfo->{dkim} // {};
>  	if ($dkim->{sign}) {
>  	    eval {
> -		$entity = PMG::DKIMSign::sign_entity($entity,
> -		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
> +		$entity = PMG::DKIMSign::sign_entity($entity, $dkim);
>  	    };
>  	    syslog('warning',
>  		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
> diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
> index 7da3de8..f7502f2 100755
> --- a/src/bin/pmg-smtp-filter
> +++ b/src/bin/pmg-smtp-filter
> @@ -627,6 +627,7 @@ sub handle_smtp {
>  	my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
>  	if ($dkim_sign) {
>  	    $msginfo->{dkim}->{sign} = $dkim_sign;
> +	    $msginfo->{dkim}->{prefer_rfc5322_domain} = $pmg_cfg->get('admin', 'dkim_prefer_rfc5322_domain');
>  	    $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
>  	    $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
>  	}





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-01-16  8:30 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-15 11:46 [pmg-devel] [PATCH pmg-api v3] fix-2971: DKIM: Add setting to use From header when signing Maximiliano Sandoval
2024-01-16  8:30 ` Stoiko Ivanov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal