]> git.proxmox.com Git - pmg-api.git/commitdiff
projects / pmg-api.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9bb0ac5)
fix #2971: DKIM: add setting to use From header when signing
authorMaximiliano Sandoval <m.sandoval@proxmox.com>
Mon, 26 Feb 2024 14:03:02 +0000 (15:03 +0100)
committerStoiko Ivanov <s.ivanov@proxmox.com>
Mon, 26 Feb 2024 14:31:00 +0000 (15:31 +0100)
Following RFC 5322 [2], we add an option to use the address from the
`From:` header instead of the Envelope From address.

From RFC 7489 [1]:

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "alerts@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail, since the "d="
   domain does not exactly match the FQDN of the address.

Tested with the following command:

    swaks --from foo@envelope.domain --to EMAIL -s PMG_ADDR:26 --data "Date: %DATE%\nTo: %TO_ADDRESS%\nFrom: bar@header.domain\nSubject: test %DATE%\nMessage-Id: <%MESSAGEID%>\nX-Mailer: swaks v%SWAKS_VERSION% jetmore.org/john/code/swaks/\n%NEW_HEADERS%\n%BODY%\n"

Where EMAIL and PMG_ADDR are given adequate values, and envelope.domain
and header.domain are in the 'Sign Domains' list.

[1] https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.1
[2] https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
src/PMG/Config.pm patch | blob | blame | history
src/PMG/DKIMSign.pm patch | blob | blame | history
src/PMG/RuleDB/Accept.pm patch | blob | blame | history
src/PMG/RuleDB/BCC.pm patch | blob | blame | history
src/bin/pmg-smtp-filter patch | blob | blame | history

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 71d4c0b8e04b38586481d8cc9661254fe4c9f41c..0c5419e6ac84050713b0460a841b81222af35a7c 100644 (file)
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -134,6 +134,12 @@ EODESC
            description => "Default DKIM selector",
            type => 'string', format => 'dns-name', #see RFC6376 3.1
        },
+       'dkim-use-domain' => {
+           description => "Whether to sign using the address from the header or the envelope.",
+           type => 'string',
+           enum => [qw(header envelope)],
+           default => 'envelope',
+       },
     };
 }
 
@@ -152,6 +158,7 @@ sub options {
        dkim_sign => { optional => 1 },
        dkim_sign_all_mail => { optional => 1 },
        dkim_selector => { optional => 1 },
+       'dkim-use-domain' => { optional => 1 },
     };
 }
 
@@ -1808,6 +1815,7 @@ my $pmg_service_params = {
        dkim_selector => 1,
        dkim_sign => 1,
        dkim_sign_all_mail => 1,
+       'dkim-use-domain' => 1,
     },
 };
 
diff --git a/src/PMG/DKIMSign.pm b/src/PMG/DKIMSign.pm
index 08197f8f1412477781dd8345da67dad0d02412d6..093ff34449ec3d0e8dbf62db5fdb251105d8b6b6 100644 (file)
--- a/src/PMG/DKIMSign.pm
+++ b/src/PMG/DKIMSign.pm
@@ -2,6 +2,8 @@ package PMG::DKIMSign;
 
 use strict;
 use warnings;
+use Email::Address::XS qw(parse_email_addresses);
+use Email::Address::XS;
 use Mail::DKIM::Signer;
 use Mail::DKIM::TextWrap;
 use Crypt::OpenSSL::RSA;
@@ -53,11 +55,16 @@ sub create_signature {
 
 #determines which domain should be used for signing based on the e-mailaddress
 sub signing_domain {
-    my ($self, $sender_email) = @_;
-
-    my @parts = split('@', $sender_email);
-    die "no domain in sender e-mail\n" if scalar(@parts) < 2;
-    my $input_domain = $parts[-1];
+    my ($self, $sender_email, $entity, $use_domain) = @_;
+
+    my $input_domain;
+    if ($use_domain eq 'header') {
+       $input_domain = parse_headers_for_signing($entity);
+    } else {
+       my @parts = split('@', $sender_email);
+       die "no domain in sender e-mail\n" if scalar(@parts) < 2;
+       $input_domain = $parts[-1];
+    }
 
     if ($self->{sign_all}) {
            $self->domain($input_domain) if $self->{sign_all};
@@ -84,8 +91,35 @@ sub signing_domain {
 }
 
 
+sub parse_headers_for_signing {
+    # Following RFC 7489 [1], we only sign emails with exactly one sender in the
+    # From header.
+    #
+    # [1] https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.1
+    my ($entity) = @_;
+
+    my $from_count = 0;
+    my $domain;
+
+    my @from_headers = $entity->head->get('from');
+    foreach my $from_header (@from_headers) {
+       my @addresses = parse_email_addresses($from_header);
+       $from_count += scalar(@addresses);
+       $domain = $addresses[0]->host() if scalar(@addresses) > 0;
+    }
+
+    die "there is more than one sender in the header" if $from_count > 1;
+    die "there is no sender in the header" if $from_count == 0;
+    return $domain;
+}
+
+
 sub sign_entity {
-    my ($entity, $selector, $sender, $sign_all) = @_;
+    my ($entity, $dkim, $sender) = @_;
+
+    my $sign_all = $dkim->{sign_all};
+    my $use_domain = $dkim->{use_domain};
+    my $selector = $dkim->{selector};
 
     die "no selector provided\n" if ! $selector;
 
@@ -110,7 +144,7 @@ sub sign_entity {
 
     $signer->extended_headers($extended_headers);
 
-    if ($signer->signing_domain($sender)) {
+    if ($signer->signing_domain($sender, $entity, $use_domain)) {
        $entity->print($signer);
        my $signature = $signer->create_signature();
        $entity->head->add('DKIM-Signature', $signature, 0);
diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
index 4ebd6da2473684e8a8123030c474c8735f7a95e3..d14c2fbd512442e53d1a03b99fbd464a6fe9b911 100644 (file)
--- a/src/PMG/RuleDB/Accept.pm
+++ b/src/PMG/RuleDB/Accept.pm
@@ -102,8 +102,7 @@ sub execute {
 
        if ($dkim->{sign}) {
            eval {
-               $entity = PMG::DKIMSign::sign_entity($entity,
-                   $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+               $entity = PMG::DKIMSign::sign_entity($entity, $dkim, $msginfo->{sender});
            };
            syslog('warning',
                "Could not create DKIM-Signature - disabling Signing: $@") if $@;
diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
index 0f016f82cfcffbe4031fe19b0d018cfdaedb74f6..65b6fb55a95b3ec8dc09a41fd27ee41dfacba603 100644 (file)
--- a/src/PMG/RuleDB/BCC.pm
+++ b/src/PMG/RuleDB/BCC.pm
@@ -142,8 +142,7 @@ sub execute {
        my $dkim = $msginfo->{dkim} // {};
        if ($dkim->{sign}) {
            eval {
-               $entity = PMG::DKIMSign::sign_entity($entity,
-                   $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+               $entity = PMG::DKIMSign::sign_entity($entity, $dkim, $msginfo->{sender});
            };
            syslog('warning',
                "Could not create DKIM-Signature - disabling Signing: $@") if $@;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index dc7128c5b42534dde424b8370a7b2dcf3a5ce1fd..60614595e1067cacd9e2f443ed4757b1df5144a5 100755 (executable)
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -636,6 +636,7 @@ sub handle_smtp {
        my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
        if ($dkim_sign) {
            $msginfo->{dkim}->{sign} = $dkim_sign;
+           $msginfo->{dkim}->{use_domain} = $pmg_cfg->get('admin', 'dkim-use-domain');
            $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
            $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
        }
PMG API