diff --git a/CHANGES b/CHANGES index 6273fd0..086d18d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,5 @@ 1.2.0 UNRELEASED + - Add support for SignHeaders feature, thanks to Ralph Seichter for the patch - Add new expand option to setup.py so various file system locations can be specified at build/install time rather than being hard coded - Install openrc init file for Gentoo and other openrc users diff --git a/TODO b/TODO index 8e2993b..6db6981 100644 --- a/TODO +++ b/TODO @@ -49,6 +49,9 @@ Port to Python 3 implemented verified Subdomain support implemented verified Test suite implemented verified +1.2.0 +SignHeaders implemented + Planned dataset type support (if needed): mdb: diff --git a/dkimpy_milter/__init__.py b/dkimpy_milter/__init__.py index 857f293..68ece2e 100644 --- a/dkimpy_milter/__init__.py +++ b/dkimpy_milter/__init__.py @@ -217,13 +217,18 @@ class dkimMilter(Milter.Base): if (milterconfig.get('Syslog') and milterconfig.get('debugLevel') >= 1): syslog.syslog('canonicalize: {0}'.format(canonicalize)) + sign_headers = milterconfig.get('SignHeaders') + if not sign_headers: + # None or empty. DKIM explicitly tests for None. + sign_headers = None try: if privateRSA: d = dkim.DKIM(txt) h = d.sign(codecs.encode(milterconfig.get('Selector'), 'ascii'), codecs.encode(self.fdomain, 'ascii'), codecs.encode(privateRSA, 'ascii'), canonicalize=(canonicalize[0], - canonicalize[1])) + canonicalize[1]), + include_headers=sign_headers) name, val = h.split(b': ', 1) self.addheader(codecs.decode(name, 'ascii'), codecs.decode(val, 'ascii').strip().replace('\r\n', '\n'), 0) if (milterconfig.get('Syslog') and 
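Review bot: The new `sign_headers` value goes into `d.sign(..., include_headers=sign_headers)` exactly as the config dataset yields it, while every other string on the same call (`Selector`, `self.fdomain`, `privateRSA`) is first passed through `codecs.encode(..., 'ascii')`; as far as I recall dkimpy compares the entries as bytes (lower-cases them and requires `b'from'`), so if the dataset yields `str` the mandatory-From check cannot match and signing fails for every message at runtime instead of at startup. Confirm what the `dataset` type returns and, if it is text, normalize before the `try:` with `sign_headers = [codecs.encode(h, 'ascii') for h in sign_headers]`, mirroring the neighbouring encodes. The man page added in this commit also states that fields mandated by RFC 6376 are implicitly added when omitted, but nothing here adds `From` and dkimpy raises rather than adds, so either append it here (`if b'from' not in [h.lower() for h in sign_headers]: sign_headers.append(b'from')`) or correct the man page so an operator does not learn about the gap from unsigned mail. The enclosing method begins before this hunk and the `except` that pairs with the `try:` is outside it, so what becomes of the message when `sign()` raises is not visible from here.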
@@ -239,6 +244,7 @@ class dkimMilter(Milter.Base): h = d.sign(codecs.encode(milterconfig.get('SelectorEd25519'), 'ascii'), codecs.encode(self.fdomain, 'ascii'), privateEd25519, canonicalize=(canonicalize[0], canonicalize[1]), + include_headers=sign_headers, signature_algorithm=b'ed25519-sha256') name, val = h.split(b': ', 1) self.addheader(codecs.decode(name, 'ascii'), codecs.decode(val, 'ascii').strip().replace('\r\n', '\n'), 0) diff --git a/dkimpy_milter/config.py b/dkimpy_milter/config.py index efa1aa1..0f5891d 100644 --- a/dkimpy_milter/config.py +++ b/dkimpy_milter/config.py @@ -340,7 +340,8 @@ def _readConfigFile(path, configData=None, configGlobal={}): 'MacroList': 'dataset', 'MacroListVerify': 'dataset', 'DNSOverride': 'str', - 'debugLevel': 'int' + 'debugLevel': 'int', + 'SignHeaders': 'dataset' } # check to see if it's a file diff --git a/man/dkimpy-milter.conf.5.in b/man/dkimpy-milter.conf.5.in index 1bdf341..37a3e50 100644 --- a/man/dkimpy-milter.conf.5.in +++ b/man/dkimpy-milter.conf.5.in 
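Review bot: Registering `'SignHeaders': 'dataset'` in the type table gives the key a type but, within this hunk, no validation of its contents, so a list that omits `From` (or contains a non-header token) is only discovered when the first message is signed rather than when the daemon starts. The man page in this commit implies the config module already enforces cross-option constraints (Domain/KeyFile/Selector versus KeyTable/SigningTable); if that pass exists, add a check there such as `if cfg.get('SignHeaders') and not any(h.lower() == 'from' for h in cfg['SignHeaders']): raise ValueError('SignHeaders must include From (RFC 6376 section 5.4)')`, adjusting for the element type the dataset actually yields. The body of `_readConfigFile` continues outside this hunk, so where such a check belongs is not visible here.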
@@ -325,6 +325,23 @@ be set: (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable; (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector; +.TP +.I OmitHeaders (dataset) +Specifies a set of header fields that should be omitted when generating +signatures. If an entry in the list names any header field that is mandated +by the DKIM specification, the entry is ignored. A set of header fields is +listed in the DKIM specification (RFC6376, Section 5.4) as "SHOULD NOT" be +signed; the default list for this parameter contains those fields +(Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc and +DKIM-Signature). To omit no headers, simply use the string "." (or any +string that will match no header field names). +Specifying a list with this parameter replaces the default entirely, unless +one entry is "*" in which case the list is interpreted as a delta to the +default; for example, "*,+foobar" will use the entire default list plus +the name "foobar", while "*,-Bcc" would use the entire default list except +for the "Bcc" entry. [OmitHeaders NOT IMPLEMENTED - included for reference +only] + .TP .I DNSOverride (string) Provide a text string that a verifying milter should use instead of @@ -382,6 +399,17 @@ This parameter is ignored if a .I KeyTableEd25519 is defined. +.TP +.I SignHeaders (dataset) +Specifies the set of header fields that should be included when generating +signatures. If the list omits any header field that is mandated by the DKIM +specification, those fields are implicitly added. By default, those fields +listed in the DKIM specification as "SHOULD" be signed (RFC6376, Section 5.4) +will be signed by the filter. See the +.I OmitHeaders +configuration option for more information about the format and interpretation +of this field. + .TP .I SigningTable (dataset) 
@@ -489,7 +517,7 @@ is specified. \ddkimpy-milter\fR was written by Scott Kitterman . It is based on dkim-milter.py Copyright (c) 2001-2013 Business Management Systems, Inc. Copyright (c) 2013-2015 Stuart D. Gathman -Copyright (c) 2018 Scott Kitterman . +Copyright (c) 2018,2019 Scott Kitterman . .PP This man-page was created by Scott Kitterman . @@ -503,4 +531,4 @@ See LICENSE. Updated for dkimpy-milter. Updates licensed under the same terms as the rest of the package. -Copyright (c) 2018, Scott Kitterman +Copyright (c) 2018,2019 Scott Kitterman