From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7C512C1647 for ; Tue, 16 Jan 2024 09:30:19 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 530B4334C2 for ; Tue, 16 Jan 2024 09:30:19 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 16 Jan 2024 09:30:17 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 7BBF2483A7 for ; Tue, 16 Jan 2024 09:30:17 +0100 (CET) Date: Tue, 16 Jan 2024 09:30:15 +0100 From: Stoiko Ivanov To: Maximiliano Sandoval Cc: pmg-devel@lists.proxmox.com Message-ID: <20240116093015.518395a3@rosa.proxmox.com> In-Reply-To: <20240115114622.303596-1-m.sandoval@proxmox.com> References: <20240115114622.303596-1-m.sandoval@proxmox.com> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.087 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [dkimsign.pm, config.pm, bcc.pm, accept.pm, jetmore.org, ietf.org] Subject: Re: [pmg-devel] [PATCH pmg-api v3] fix-2971: DKIM: Add setting to use From header when signing X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2024 08:30:19 -0000 Hi, On Mon, 15 Jan 2024 12:46:22 +0100 Maximiliano Sandoval wrote: > We add an option to use the address from the `From:` header instead of > the Envelope From address. Following RFC 5322 [2], we use the `Sender:` > header when there are multiple addresses in the `From:` header. >=20 > From RFC 7489 [1]: >=20 > To illustrate, in relaxed mode, if a validated DKIM signature > successfully verifies with a "d=3D" domain of "example.com", and the > RFC5322.From address is "alerts@news.example.com", the DKIM "d=3D" > domain and the RFC5322.From domain are considered to be "in > alignment". In strict mode, this test would fail, since the "d=3D" > domain does not exactly match the FQDN of the address. >=20 > Current Problems: >=20 > - `dkim_sign_rfc5322` is probably not a descriptive name for the setting > - The setting description might be improved upon >=20 > Tested with the following command: >=20 > swaks --from foo@bar1 --to EMAIL -s PMG_ADDR:26 --data "Date: %DATE%\= nTo: %TO_ADDRESS%\nFrom: foo@bar2\nSubject: test %DATE%\nMessage-Id: <%MESS= AGEID%>\nX-Mailer: swaks v%SWAKS_VERSION% jetmore.org/john/code/swaks/\n%NE= W_HEADERS%\n%BODY%\n" >=20 > [1] https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.1 > [2] https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2 >=20 > Signed-off-by: Maximiliano Sandoval > --- > Differences from v2: > - Rename setting to dkim_prefer_rfc5322_domain > - Move parsing code inside of PMG::DKIMSign::signing_domain > - Use Email::Address::XS to handle header parsing more gracefully > - Improved commit message >=20 > I'll send a patch to pmg-docs once this is in =F0=9F=91=8C. >=20 > src/PMG/Config.pm | 7 +++++ > src/PMG/DKIMSign.pm | 64 +++++++++++++++++++++++++++++++++++----- > src/PMG/RuleDB/Accept.pm | 3 +- > src/PMG/RuleDB/BCC.pm | 3 +- > src/bin/pmg-smtp-filter | 1 + > 5 files changed, 67 insertions(+), 11 deletions(-) >=20 > diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm > index 7339e0d..840c0ad 100644 > --- a/src/PMG/Config.pm > +++ b/src/PMG/Config.pm > @@ -134,6 +134,11 @@ EODESC > description =3D> "Default DKIM selector", > type =3D> 'string', format =3D> 'dns-name', #see RFC6376 3.1 > }, > + dkim_prefer_rfc5322_domain =3D> { > + description =3D> "Whether to use the address from the From header w= hen DKIM signing outbound mails.", > + type =3D> 'boolean', > + default =3D> 0, > + }, you add the new option - but I can't see where it is actually used for something in the patch? from a quick glance it seems that this simply changes the code to always use the header information? > }; > } > =20 > @@ -152,6 +157,7 @@ sub options { > dkim_sign =3D> { optional =3D> 1 }, > dkim_sign_all_mail =3D> { optional =3D> 1 }, > dkim_selector =3D> { optional =3D> 1 }, > + dkim_prefer_rfc5322_domain =3D> { optional =3D> 1 }, > }; > } > =20 > @@ -1788,6 +1794,7 @@ my $pmg_service_params =3D { > dkim_selector =3D> 1, > dkim_sign =3D> 1, > dkim_sign_all_mail =3D> 1, > + dkim_prefer_rfc5322_domain =3D> 1, > }, > }; > =20 > diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm > index 08197f8..efd5d16 100644 > --- a/src/PMG/DKIMSign.pm > +++ b/src/PMG/DKIMSign.pm > @@ -2,6 +2,7 @@ package PMG::DKIMSign; > =20 > use strict; > use warnings; > +use Email::Address::XS; > use Mail::DKIM::Signer; > use Mail::DKIM::TextWrap; > use Crypt::OpenSSL::RSA; > @@ -53,11 +54,9 @@ sub create_signature { > =20 > #determines which domain should be used for signing based on the e-maila= ddress > sub signing_domain { > - my ($self, $sender_email) =3D @_; > + my ($self, $entity) =3D @_; > =20 > - my @parts =3D split('@', $sender_email); > - die "no domain in sender e-mail\n" if scalar(@parts) < 2; > - my $input_domain =3D $parts[-1]; > + my $input_domain =3D parse_signing_domain($entity); > =20 > if ($self->{sign_all}) { > $self->domain($input_domain) if $self->{sign_all}; > @@ -78,14 +77,65 @@ sub signing_domain { > } > } > =20 > - syslog('info', "not DKIM signing mail from $sender_email"); > + syslog('info', "not DKIM signing mail from $input_domain"); > =20 > return 0; > } > =20 > =20 > +sub parse_signing_domain { > + # If there is exactly one single address in the 'From' header we use= that > + # address for signing, otherwise we use the 'Sender' header. > + my ($entity) =3D @_; > + > + my @sender_list; > + my @from_list; > + > + my @from_headers =3D $entity->head->get('from'); > + foreach my $from_header (@from_headers) { > + my @senders =3D Email::Address::XS->parse($from_header); > + foreach my $sender (@senders) { > + push(@from_list, @senders); > + } > + } > + my $from_count =3D scalar(@from_list); > + > + if ($from_count > 1) { > + my @send_headers =3D $entity->head->get('sender'); > + foreach my $send_header (@send_headers) { > + my @senders =3D Email::Address::XS->parse($send_header); > + foreach my $sender (@senders) { > + push(@sender_list, $sender); > + } > + } > + my $send_count =3D scalar(@sender_list); > + > + if ($send_count > 1) { > + syslog( > + 'warning', > + "Email has more than one address in its 'Sender' it won't be signed." > + ." See RFC 5322 Section 3.6.2" > + ); > + } elsif ($send_count =3D=3D 1) { > + return $sender_list[0]->host(); > + } else { > + syslog( > + 'warning', > + "Email has multiple addresses in its 'From' header and no 'Sender'" > + ." header, it won't be signed. See RFC 5322 Section 3.6.2" > + ); > + } > + } elsif ($from_count =3D=3D 1) { > + return $from_list[0]->host(); > + } > +} > + > + > sub sign_entity { > - my ($entity, $selector, $sender, $sign_all) =3D @_; > + my ($entity, $dkim) =3D @_; > + > + my $sign_all =3D $dkim->{sign_all}; > + my $selector =3D $dkim->{selector}; > =20 > die "no selector provided\n" if ! $selector; > =20 > @@ -110,7 +160,7 @@ sub sign_entity { > =20 > $signer->extended_headers($extended_headers); > =20 > - if ($signer->signing_domain($sender)) { > + if ($signer->signing_domain($entity)) { > $entity->print($signer); > my $signature =3D $signer->create_signature(); > $entity->head->add('DKIM-Signature', $signature, 0); > diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm > index 4ebd6da..be305f6 100644 > --- a/src/PMG/RuleDB/Accept.pm > +++ b/src/PMG/RuleDB/Accept.pm > @@ -102,8 +102,7 @@ sub execute { > =20 > if ($dkim->{sign}) { > eval { > - $entity =3D PMG::DKIMSign::sign_entity($entity, > - $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all}); > + $entity =3D PMG::DKIMSign::sign_entity($entity, $dkim); > }; > syslog('warning', > "Could not create DKIM-Signature - disabling Signing: $@") if $@; > diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm > index 0f016f8..219ba4e 100644 > --- a/src/PMG/RuleDB/BCC.pm > +++ b/src/PMG/RuleDB/BCC.pm > @@ -142,8 +142,7 @@ sub execute { > my $dkim =3D $msginfo->{dkim} // {}; > if ($dkim->{sign}) { > eval { > - $entity =3D PMG::DKIMSign::sign_entity($entity, > - $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all}); > + $entity =3D PMG::DKIMSign::sign_entity($entity, $dkim); > }; > syslog('warning', > "Could not create DKIM-Signature - disabling Signing: $@") if $@; > diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter > index 7da3de8..f7502f2 100755 > --- a/src/bin/pmg-smtp-filter > +++ b/src/bin/pmg-smtp-filter > @@ -627,6 +627,7 @@ sub handle_smtp { > my $dkim_sign =3D $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_s= ign'); > if ($dkim_sign) { > $msginfo->{dkim}->{sign} =3D $dkim_sign; > + $msginfo->{dkim}->{prefer_rfc5322_domain} =3D $pmg_cfg->get('admin'= , 'dkim_prefer_rfc5322_domain'); > $msginfo->{dkim}->{sign_all} =3D $pmg_cfg->get('admin', 'dkim_sign_= all_mail'); > $msginfo->{dkim}->{selector} =3D $pmg_cfg->get('admin', 'dkim_selec= tor'); > }