From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 24 Apr 2023 20:29:24 +0000 (UTC)
From: ooga@e.email
To: 9front@9front.org
Message-ID: <2c9b768e-0b61-4d42-9caf-5a3cba64ecef@e.email>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_12_112797064.1682368164315"
List-ID: <9front.9front.org>
Subject: [9front] dkim patches
Reply-To: 9front@9front.org

------=_Part_12_112797064.1682368164315
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

I'm not sure how to send these patches, but here they are, attached: one to use custom headers, one to prevent headers from being inserted and one to silence upas/qer.

The first one is fresh, but dkim didn't crash :) with the couple of messages I've tested it with. I'm not sure I use the right function to parse the command line argument. I used to have a hardcoded list in dkim.c, but it wasn't enough.

The messages pass the validation from Google and FairMail (android app), with or without the trailing ":".
------=_Part_12_112797064.1682368164315
Content-Type: text/plain; charset=us-ascii; name=dkim-custom-headers.diff
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=dkim-custom-headers.diff

upas/dkim: allow custom headers to be signed

The list of headers someone wants to sign is larger than the default list used by upas/dkim. For example, many servers add 'cc', 'reply-to', 'sender' and 'mime-version', the top of the recommended list[1]. In addition to this, there are times when you want to sign specific headers on some messages. For example, Google signs tls-report-submitter and tls-report-domain with smtp-tls-reporting messages.

[1]: https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb 742fd9b6fa574793f709fa69b791196438ad1ee8 --- a/sys/man/1/filter +++ b/sys/man/1/filter @@ -204,6 +204,11 @@ flag specifies the selector. If the selector is not specified, it defaults to .IR dkim . +.I -h +flag specifies a list of headers to sign. If this flag is not +specified, it defaults to +.IR from:,to:,subject:,date:,message-id: +. The keyspec searched for the signing key is: .IP .EX --- a/sys/src/cmd/upas/dkim/dkim.c +++ b/sys/src/cmd/upas/dkim/dkim.c @@ -6,7 +6,7 @@ #include #include -char *signhdr[] = { +char *defsignhdr[] = { "from:", "to:", "subject:", @@ -14,6 +14,8 @@ "message-id:", nil }; +char **signhdr = defsignhdr; +char *usersignhdr[20]; char *keyspec; char *domain; @@ -93,7 +95,7 @@ void usage(void) { - fprint(2, "usage: %s [-s sel] -d dom\n", argv0); + fprint(2, "usage: %s [-s sel] [-h headers] -d dom\n", argv0); exits("usage"); }
@@ -109,6 +111,10 @@ ARGBEGIN{ case 'd': domain = EARGF(usage()); + break; + case 'h': + usersignhdr[getfields(EARGF(usage()), usersignhdr, nelem(usersignhdr)-1, 1, ",")] = nil; + signhdr = usersignhdr; break; case 's': selector = EARGF(usage());
------=_Part_12_112797064.1682368164315
Content-Type: text/plain; charset=us-ascii; name=dkim-seal.diff
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=dkim-seal.diff

upas/dkim: seal the signed header fields

"Signers MAY claim to have signed header fields that do not exist ... A header field name need only be listed once more than the actual number of that header field in a message at the time of signing in order to prevent any further additions."

https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 742fd9b6fa574793f709fa69b791196438ad1ee8 c24531318db27a706d0af70f69ae7f524ba1754a --- a/sys/src/cmd/upas/dkim/dkim.c +++ b/sys/src/cmd/upas/dkim/dkim.c @@ -33,6 +33,18 @@ return e - p; } +void +addallhdrs(char **hs) +{ + char **p; + + for(p = signhdr; *p; p++){ + if((*hs = realloc(*hs, strlen(*hs) + strlen(*p) + 1)) == nil) + sysfatal("realloc: %r"); + strcat(*hs, *p); + } +} + int usehdr(char *ln, char **hs) { @@ -165,6 +177,7 @@ } append(&hdr, &nhdr, &hdrsz, ln, n); } + addallhdrs(&hdrset); /* https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields */ sb = nil; ntail = 0;
------=_Part_12_112797064.1682368164315
Content-Type: text/plain; charset=us-ascii; name=qer.diff
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=qer.diff

upas/qer: don't log if mail starts with DKIM-Signature:

Without this, when we use upas/dkim in /mail/lib/qmail:

    upas/dkim ... | upas/qer ...

we'll have a warning in our logs for every message we send.
---
diff f9aa809cbf2d1c17d989bd777c97d4bd4944a8e3 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb --- a/sys/src/cmd/upas/q/qer.c +++ b/sys/src/cmd/upas/q/qer.c
@@ -129,7 +129,7 @@ */ i = 0; while((n = read(0, buf, sizeof(buf)-1)) > 0){ - if(i++ == 0 && strncmp(buf, "From", 4) != 0){ + if(i++ == 0 && strncmp(buf, "From", 4) != 0 && strncmp(buf, "DKIM-Signature:", 15) != 0){ buf[n] = 0; syslog(0, "smtp", "qer usys data starts with %-40.40s", buf); }
------=_Part_12_112797064.1682368164315--
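Review bot: in the sys/man/1/filter hunk of dkim-custom-headers.diff, the default list is followed by a line that is just `+.`; a control line consisting only of `.` is an empty request that troff ignores, so the full stop never renders. Keep the period as the roman argument on the same line, as the existing `.IR dkim .` does: `.IR from:,to:,subject:,date:,message-id: .` The new paragraph should also say whether the trailing colon on each name is required, since every default entry carries one.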
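Review bot: the `char *usersignhdr[20];` added in the @@ -14 hunk of dkim.c caps -h at 19 names with no diagnostic: getfields stops splitting once nelem(usersignhdr)-1 fields are filled and leaves the rest of the string in the last slot, so any surplus names silently never match a header. Either document the limit in filter(1) or treat a count equal to nelem(usersignhdr)-1 as an error.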
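Review bot: the `case 'h':` branch in the @@ -109 hunk of dkim.c never checks that the resulting list still contains `from:`; `-h ''` yields an empty list, and a signature that does not cover From is one verifiers must reject under the RFC the patch cites. Reject the list (or always prepend `from:`) before assigning `signhdr = usersignhdr`. The names are also stored exactly as typed, while the default entries are lowercase with a trailing colon; normalising here (lowercase, append a missing `:`) removes a dependence on users matching that form.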
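Review bot: `addallhdrs` in the @@ -33 hunk of dkim-seal.diff calls `strlen(*hs)` before `realloc`, so if `hdrset` can still be nil when none of the listed headers occurred in the message it dereferences nil (realloc(nil, n) itself is fine); initialise `*hs` to an empty string or guard for nil before the loop. It also relies on every signhdr entry ending in `:` as the separator between names in h=, which holds for defsignhdr but not necessarily for names supplied through -h.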
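Review bot: the `addallhdrs(&hdrset);` call in the @@ -165 hunk intentionally lists every configured name once more than the earlier loop already did, which is what produces the "once more than the actual number" seal; a one-line comment saying the duplicated names are deliberate (the URL alone does not) would stop a later reader from deduplicating them.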
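Review bot: the new `strncmp(buf, "DKIM-Signature:", 15)` in the qer.c hunk is case-sensitive and hard-codes the length; header field names are case-insensitive, so `cistrncmp` with the length taken from a named constant (or strlen of the literal) is the safer form and keeps the two halves of the test from drifting apart.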
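The RFC rule quoted in the dkim-seal.diff commit message (list a header name once more than it occurs) is what "seals" a header. As an added example, not part of this post or of upas/dkim, the Python below models a verifier's h= header selection and shows that a To: header prepended after signing leaves the header hash unchanged under an unsealed h= but changes it under a sealed one; the header hash stands in for the full signature, and the sample headers and h= strings are constructed.

```python
import hashlib

def select_headers(headers, h_tag):
    """Return the header instances a DKIM verifier hashes for h_tag.

    headers: list of (name, value) in message order, top first.
    RFC 6376 rule: each name in h= takes the next not-yet-used instance of
    that header counting from the BOTTOM of the message; a name listed
    more times than it occurs matches nothing and contributes no bytes.
    """
    remaining = list(reversed(headers))
    picked = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        if not name:
            continue                      # tolerate a trailing ':' in h=
        for i, (n, v) in enumerate(remaining):
            if n.lower() == name:
                picked.append((n, v))
                del remaining[i]          # each instance is used only once
                break
    return picked

def relaxed_header_hash(headers, h_tag):
    """SHA-256 over the selected headers in relaxed canonical form."""
    data = b""
    for n, v in select_headers(headers, h_tag):
        v = " ".join(v.split())           # unfold and squeeze whitespace
        data += f"{n.lower()}:{v}\r\n".encode()
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the message as it was when signed (one To:) ...
SIGNED = [("From", "alice@example.org"), ("To", "bob@example.org"),
          ("Subject", "hello")]
# ... and the same message with a To: prepended after signing.
TAMPERED = [("To", "mallory@example.net")] + SIGNED

def seal_demo():
    """Does the header hash survive the inserted To: for each h= form?"""
    unsealed = "from:to:subject:"
    sealed = "from:to:to:subject:"      # 'to' listed once more than present
    return {
        "unsealed_survives": relaxed_header_hash(SIGNED, unsealed)
                             == relaxed_header_hash(TAMPERED, unsealed),
        "sealed_survives": relaxed_header_hash(SIGNED, sealed)
                           == relaxed_header_hash(TAMPERED, sealed),
    }
```

Under the unsealed list the verifier picks the bottom-most To: (the original) and the prepended one is never hashed, so the signature still verifies while the added header is what a client displays; the sealed list consumes the prepended To: as well and the hash no longer matches.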