From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 169C194D2A for ; Fri, 23 Feb 2024 12:31:54 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EA52D17937 for ; Fri, 23 Feb 2024 12:31:53 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 23 Feb 2024 12:31:48 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D5C7D44F11 for ; Fri, 23 Feb 2024 12:31:47 +0100 (CET) Date: Fri, 23 Feb 2024 12:31:46 +0100 From: Stoiko Ivanov To: Maximiliano Sandoval Cc: pmg-devel@lists.proxmox.com Message-ID: <20240223123146.73e9d45a@rosa.proxmox.com> In-Reply-To: <20240216124135.237846-1-m.sandoval@proxmox.com> References: <20240216124135.237846-1-m.sandoval@proxmox.com> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.082 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [config.pm, bcc.pm, dkimsign.pm, ietf.org, jetmore.org, accept.pm] Subject: Re: [pmg-devel] [PATCH pmg-api v5] fix-2971: DKIM: Add setting to use From header when signing X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Feb 2024 11:31:54 -0000 Thanks for the update - the enum indeed feels nicer! as said off-list - please also add this to the GUI a few comments inline: On Fri, 16 Feb 2024 13:41:35 +0100 Maximiliano Sandoval wrote: > Following RFC 5322 [2], we add an option to use the address from the > `From:` header instead of the Envelope From address. > > From RFC 7489 [1]: > > To illustrate, in relaxed mode, if a validated DKIM signature > successfully verifies with a "d=" domain of "example.com", and the > RFC5322.From address is "alerts@news.example.com", the DKIM "d=" > domain and the RFC5322.From domain are considered to be "in > alignment". In strict mode, this test would fail, since the "d=" > domain does not exactly match the FQDN of the address. > > Tested with the following command: > > swaks --from foo@envelope.domain --to EMAIL -s PMG_ADDR:26 --data "Date: %DATE%\nTo: %TO_ADDRESS%\nFrom: bar@header.domain\nSubject: test %DATE%\nMessage-Id: <%MESSAGEID%>\nX-Mailer: swaks v%SWAKS_VERSION% jetmore.org/john/code/swaks/\n%NEW_HEADERS%\n%BODY%\n" > > Where EMAIL and PMG_ADDR are given adequate values, and envelope.domain > and header.domain are in the 'Sign Domains' list. > > [1] https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.1 > [2] https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2 > > Signed-off-by: Maximiliano Sandoval > --- > Do note that for testing one has to restart pmg-smtp-filter after changing the setting value. > > Differences from v4: > - Rename setting to dkim_use_domain and make it an enum > - Improved commit message > - Do not use 'Sender' field as a fallback > > Differences from v3: > - Take into account setting > - rename parsing function to parse_headers_for_signing > > src/PMG/Config.pm | 8 +++++++ > src/PMG/DKIMSign.pm | 48 ++++++++++++++++++++++++++++++++++------ > src/PMG/RuleDB/Accept.pm | 3 +-- > src/PMG/RuleDB/BCC.pm | 3 +-- > src/bin/pmg-smtp-filter | 1 + > 5 files changed, 52 insertions(+), 11 deletions(-) > > diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm > index 7339e0d..e9e740d 100644 > --- a/src/PMG/Config.pm > +++ b/src/PMG/Config.pm > @@ -134,6 +134,12 @@ EODESC > description => "Default DKIM selector", > type => 'string', format => 'dns-name', #see RFC6376 3.1 > }, > + dkim_use_domain => { please use 'kebab-case' for new configs instead of 'snake_case' > + description => "Whether to sign using the address from the header or the envelope.", > + type => 'string', > + enum => [qw(header envelope)], > + default => 'envelope', > + }, > }; > } > > @@ -152,6 +158,7 @@ sub options { > dkim_sign => { optional => 1 }, > dkim_sign_all_mail => { optional => 1 }, > dkim_selector => { optional => 1 }, > + dkim_use_domain => { optional => 1 }, > }; > } > > @@ -1788,6 +1795,7 @@ my $pmg_service_params = { > dkim_selector => 1, > dkim_sign => 1, > dkim_sign_all_mail => 1, > + dkim_use_domain => 1, > }, > }; > > diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm > index 08197f8..5df9aa8 100644 > --- a/src/PMG/DKIMSign.pm > +++ b/src/PMG/DKIMSign.pm > @@ -2,6 +2,7 @@ package PMG::DKIMSign; > > use strict; > use warnings; > +use Email::Address::XS; > use Mail::DKIM::Signer; > use Mail::DKIM::TextWrap; > use Crypt::OpenSSL::RSA; > @@ -53,11 +54,16 @@ sub create_signature { > > #determines which domain should be used for signing based on the e-mailaddress > sub signing_domain { > - my ($self, $sender_email) = @_; > - > - my @parts = split('@', $sender_email); > - die "no domain in sender e-mail\n" if scalar(@parts) < 2; > - my $input_domain = $parts[-1]; > + my ($self, $sender_email, $entity, $use_domain) = @_; > + > + my $input_domain; > + if ($use_domain eq 'header') { > + $input_domain = parse_headers_for_signing($entity); > + } else { > + my @parts = split('@', $sender_email); > + die "no domain in sender e-mail\n" if scalar(@parts) < 2; > + $input_domain = $parts[-1]; > + } > > if ($self->{sign_all}) { > $self->domain($input_domain) if $self->{sign_all}; > @@ -84,8 +90,36 @@ sub signing_domain { > } > > > +sub parse_headers_for_signing { > + # Following RFC 7489 [1], we only sign emails with exactly one sender in the > + # From header. > + # > + # [1] https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.1 > + my ($entity) = @_; > + > + my @from_list; > + > + my @from_headers = $entity->head->get('from'); > + foreach my $from_header (@from_headers) { > + my @senders = Email::Address::XS->parse($from_header); > + foreach my $sender (@senders) { > + push(@from_list, @senders); why do you push the list of senders X times to the from_list (X being the number in that particular from-header line)? I think the for-loop is simply not needed In general - if you want to see how some data-structure looks like during testing - I can recommend adding Data::Dumper statements - with our services in PMG you can usually log them with syslog e.g.: ``` use Data::Dumper; $Data::Dumper::Sortkeys = 1; syslog('err', "DEBUG: ". Dumper($data_for_debug)); ``` it's very crude (and the syslog is not the right place for this) but gives a good overview > + } > + } > + my $from_count = scalar(@from_list); if you only use the list for counting - why not use an integer and increment it or return early above if you have more than one element? > + > + if ($from_count == 1) { > + return $from_list[0]->host(); I'd consider a `die` here in case the count !=1 - that way it should be logged by the actions (but please verify the call-sites) - we do log this for the current code in sign_entity as well (was confused why I did not get a warning for a mail without any from-header) > + } > +} > + > + > sub sign_entity { > - my ($entity, $selector, $sender, $sign_all) = @_; > + my ($entity, $dkim, $sender) = @_; > + > + my $sign_all = $dkim->{sign_all}; > + my $use_domain = $dkim->{use_domain}; > + my $selector = $dkim->{selector}; > > die "no selector provided\n" if ! $selector; > > @@ -110,7 +144,7 @@ sub sign_entity { > > $signer->extended_headers($extended_headers); > > - if ($signer->signing_domain($sender)) { > + if ($signer->signing_domain($sender, $entity, $use_domain)) { > $entity->print($signer); > my $signature = $signer->create_signature(); > $entity->head->add('DKIM-Signature', $signature, 0); > diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm > index 4ebd6da..d14c2fb 100644 > --- a/src/PMG/RuleDB/Accept.pm > +++ b/src/PMG/RuleDB/Accept.pm > @@ -102,8 +102,7 @@ sub execute { > > if ($dkim->{sign}) { > eval { > - $entity = PMG::DKIMSign::sign_entity($entity, > - $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all}); > + $entity = PMG::DKIMSign::sign_entity($entity, $dkim, $msginfo->{sender}); > }; > syslog('warning', > "Could not create DKIM-Signature - disabling Signing: $@") if $@; > diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm > index 0f016f8..65b6fb5 100644 > --- a/src/PMG/RuleDB/BCC.pm > +++ b/src/PMG/RuleDB/BCC.pm > @@ -142,8 +142,7 @@ sub execute { > my $dkim = $msginfo->{dkim} // {}; > if ($dkim->{sign}) { > eval { > - $entity = PMG::DKIMSign::sign_entity($entity, > - $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all}); > + $entity = PMG::DKIMSign::sign_entity($entity, $dkim, $msginfo->{sender}); > }; > syslog('warning', > "Could not create DKIM-Signature - disabling Signing: $@") if $@; > diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter > index 7da3de8..aedae0c 100755 > --- a/src/bin/pmg-smtp-filter > +++ b/src/bin/pmg-smtp-filter > @@ -627,6 +627,7 @@ sub handle_smtp { > my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign'); > if ($dkim_sign) { > $msginfo->{dkim}->{sign} = $dkim_sign; > + $msginfo->{dkim}->{use_domain} = $pmg_cfg->get('admin', 'dkim_use_domain'); > $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail'); > $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector'); > }