DandelionNStuff/dkimpy-milter-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: DandelionNStuff/dkimpy-milter-smtputf8:0.9.4
Branches Tags
DandelionNStuff/dkimpy-milter-smtputf8:master DandelionNStuff/dkimpy-milter-smtputf8:smtputf8 DandelionNStuff/dkimpy-milter-smtputf8:stable1.2 DandelionNStuff/dkimpy-milter-smtputf8:utffix DandelionNStuff/dkimpy-milter-smtputf8:stable1.0 DandelionNStuff/dkimpy-milter-smtputf8:stable1.1 DandelionNStuff/dkimpy-milter-smtputf8:1_0 DandelionNStuff/dkimpy-milter-smtputf8:dkg/python3 DandelionNStuff/dkimpy-milter-smtputf8:dkg/socket-activation DandelionNStuff/dkimpy-milter-smtputf8:dkg/test-suite
DandelionNStuff/dkimpy-milter-smtputf8:1.2.3 DandelionNStuff/dkimpy-milter-smtputf8:1.2.2 DandelionNStuff/dkimpy-milter-smtputf8:1.2.1 DandelionNStuff/dkimpy-milter-smtputf8:1.2.0 DandelionNStuff/dkimpy-milter-smtputf8:1.0.3 DandelionNStuff/dkimpy-milter-smtputf8:1.1.4 DandelionNStuff/dkimpy-milter-smtputf8:1.1.3 DandelionNStuff/dkimpy-milter-smtputf8:1.0.2 DandelionNStuff/dkimpy-milter-smtputf8:1.1.1 DandelionNStuff/dkimpy-milter-smtputf8:1.1.2 DandelionNStuff/dkimpy-milter-smtputf8:1.1.0 DandelionNStuff/dkimpy-milter-smtputf8:1.0.1 DandelionNStuff/dkimpy-milter-smtputf8:1.0.0 DandelionNStuff/dkimpy-milter-smtputf8:0.9.6 DandelionNStuff/dkimpy-milter-smtputf8:0.9.5.1 DandelionNStuff/dkimpy-milter-smtputf8:0.9.5 DandelionNStuff/dkimpy-milter-smtputf8:0.9.4 DandelionNStuff/dkimpy-milter-smtputf8:0.9.3 DandelionNStuff/dkimpy-milter-smtputf8:0.9.2 DandelionNStuff/dkimpy-milter-smtputf8:0.9.1
...
compare: DandelionNStuff/dkimpy-milter-smtputf8:1.1.4
Branches Tags
DandelionNStuff/dkimpy-milter-smtputf8:smtputf8 DandelionNStuff/dkimpy-milter-smtputf8:master DandelionNStuff/dkimpy-milter-smtputf8:stable1.2 DandelionNStuff/dkimpy-milter-smtputf8:utffix DandelionNStuff/dkimpy-milter-smtputf8:stable1.0 DandelionNStuff/dkimpy-milter-smtputf8:stable1.1 DandelionNStuff/dkimpy-milter-smtputf8:1_0 DandelionNStuff/dkimpy-milter-smtputf8:dkg/python3 DandelionNStuff/dkimpy-milter-smtputf8:dkg/socket-activation DandelionNStuff/dkimpy-milter-smtputf8:dkg/test-suite
DandelionNStuff/dkimpy-milter-smtputf8:1.2.3 DandelionNStuff/dkimpy-milter-smtputf8:1.2.2 DandelionNStuff/dkimpy-milter-smtputf8:1.2.1 DandelionNStuff/dkimpy-milter-smtputf8:1.2.0 DandelionNStuff/dkimpy-milter-smtputf8:1.0.3 DandelionNStuff/dkimpy-milter-smtputf8:1.1.4 DandelionNStuff/dkimpy-milter-smtputf8:1.1.3 DandelionNStuff/dkimpy-milter-smtputf8:1.0.2 DandelionNStuff/dkimpy-milter-smtputf8:1.1.1 DandelionNStuff/dkimpy-milter-smtputf8:1.1.2 DandelionNStuff/dkimpy-milter-smtputf8:1.1.0 DandelionNStuff/dkimpy-milter-smtputf8:1.0.1 DandelionNStuff/dkimpy-milter-smtputf8:1.0.0 DandelionNStuff/dkimpy-milter-smtputf8:0.9.6 DandelionNStuff/dkimpy-milter-smtputf8:0.9.5.1 DandelionNStuff/dkimpy-milter-smtputf8:0.9.5 DandelionNStuff/dkimpy-milter-smtputf8:0.9.4 DandelionNStuff/dkimpy-milter-smtputf8:0.9.3 DandelionNStuff/dkimpy-milter-smtputf8:0.9.2 DandelionNStuff/dkimpy-milter-smtputf8:0.9.1

107 Commits
0.9.4 ... 1.1.4

Author SHA1 Message Date
Scott Kitterman abba014c5c Add release date for 1.1.4 2019-11-22 20:35:38 -05:00
Scott Kitterman 807b1391b2 - Delete own_socketfile to resolve race condition where the permissions 
change fails on a Unix socket because it hasn't been created yet (libmilter
   will do this correctly on its own based on umask, the milter doesn't need
   to do it) (LP: #1849712)
 2019-10-29 07:15:51 -04:00
Scott Kitterman dcb781c365 Make error logging more explicit to aid debugging 2019-10-18 23:31:34 -04:00
Scott Kitterman 577a971f1a Fix typo in README 2019-10-07 00:41:43 -04:00
Scott Kitterman 59296be0cf Bump version to 1.1.3 2019-10-06 00:14:54 -04:00
Scott Kitterman 4e1fa3c8ff Update README now that sysv init is tested 2019-10-06 00:14:27 -04:00
Scott Kitterman 99899062bb Fix sysv init so it works (LP: #1839487) 2019-10-05 21:48:44 -04:00
Scott Kitterman 6a1705926f Update version/release date for 1.1.2 2019-09-23 13:36:56 -04:00
Scott Kitterman e6f8db9f94 More reslience fixes 2019-09-23 11:36:10 -04:00
Scott Kitterman e63867d517 Merge branch 'stable1.1' of git+ssh://git.launchpad.net/dkimpy-milter into stable1.1 2019-09-23 11:27:33 -04:00
Scott Kitterman 209ad11661 Catch more ascii encoding errors to improve resilience against bad data 
(LP: #1844189)
 2019-09-23 11:26:10 -04:00
Scott Kitterman 795a914845 Catch more ascii encoding errors to improve resilience against bad data 
(LP: #1844189)
 2019-09-23 11:04:02 -04:00
Scott Kitterman be92e5c5b1 Catch more ascii encoding errors to improve resilience against bad data 
(LP: #1844189)
 2019-09-23 10:48:04 -04:00
Scott Kitterman 6910ff1f9a Fix variable initialization so mailformed mails missing body From do not 
cause a traceback (LP: #1844161)
 2019-09-16 20:08:34 -04:00
Scott Kitterman 7953e54ffb CHANGES and setup.py updates for 1.1.1 release prep 2019-09-06 00:52:18 -04:00
Scott Kitterman bc98f9180f Fix startup logging so it provides information at a useful time 2019-09-06 00:41:42 -04:00
Scott Kitterman a144791f2a Minor README corrections 2019-09-06 00:37:46 -04:00
Scott Kitterman 55e1a6b54e Fixup missing i= processing 2019-09-06 00:27:52 -04:00
Scott Kitterman 7c3ff1905a - Fix verify processing so missing (optional) i= tag doesn't cause the milter 
to fail
 2019-09-06 00:22:00 -04:00
Scott Kitterman 7ec97a6001 - Fix message extraction so that signing in the same pass through the milter 
as verifying works correctly
 2019-09-05 23:55:34 -04:00
Scott Kitterman aba9c0aa0c Update TODO 2019-04-12 22:43:18 -04:00
Scott Kitterman 19b6ce7a68 Update CHANGES and man/dkimpy-milter.conf.5 for SubDomains option. 2019-04-12 22:34:59 -04:00
Scott Kitterman 8dc3ac6474 Add option to sign for subdomains - Thanks to Sagi for the patch 2019-04-12 22:31:24 -04:00
Scott Kitterman 290a37b99c Update CHANGES to current 2019-04-12 22:27:23 -04:00
Scott Kitterman 564799402a Catch and log config items missing values 2019-04-12 22:01:56 -04:00
Scott Kitterman 357905bb68 Fix debugLevel for config._readConfigFile 2019-04-12 21:45:31 -04:00
Scott Kitterman 6b851f18df Changes in dkimpy_milter/__init__.py to harmonize logging messages and log text instead of bytestring. 2019-04-12 21:29:09 -04:00
Scott Kitterman 7ab58edb1b Consisently use /run vice /var/run for documentation and init system integration 2019-04-12 20:57:08 -04:00
Scott Kitterman 23b0e8a386 README updates for python3 switch 2019-04-12 20:51:33 -04:00
Scott Kitterman 2e105bd18c Py3DNS vice PyDNS because we're python3 now 2019-04-12 20:34:42 -04:00
Scott Kitterman fb72b9f6e7 Merge 1_0 into master 2019-03-12 22:06:42 -04:00
Scott Kitterman 7eed8995a2 Merge branch 'dkg/socket-activation' into 1_0 2019-03-12 22:01:00 -04:00
Scott Kitterman a16d887ac6 Fix merge conflicts 2019-02-24 07:22:58 -05:00
Scott Kitterman 23d91b2b50 Update CHANGES for merge of dkg/test-suite 2019-02-24 07:19:18 -05:00
Scott Kitterman 481fbdae29 Merge branch 'dkg/test-suite' into 1_0 2019-02-24 07:13:30 -05:00
Scott Kitterman 4b0c39b0c7 Start changes for python3 update 2019-02-24 06:57:47 -05:00
Daniel Kahn Gillmor 7092874729 Enable sd_listen_fds(3)-style socket-activation support 
I've added straightforward systemd unit files in
system/socket-activation/ that make use of this approach, and a
README.md in the same location that describes the tradeoffs.
 2019-02-21 19:22:11 -05:00
Daniel Kahn Gillmor ea09bab1a8 Convert __init__.py to python3 
The main work here is about bytes vs. strings.  This work was
confusing for several reasons:

 * pymilter thinks that headers are all strings, but body is bytes

 * dkimpy wants to deal with bytes objects generally (though it
   accepts a string object as an ed25519 secret key for some reason,
   despite requiring bytes as an RSA secret key)

 * authres.AuthenticationResultsHeader object converts easily to a
   string, but has no direct bytes conversion.  meanwhile, it wants
   its arguments as strings, but will accept them if they are bytes
   and convert them with something like str(), which leaves weird
   cruft like "header.a=b'ed25519-sha256'"

 * dkimpy_milter/utils.py contains fold() which expects bytes

 * self.fp needs to accumulate the on-the-wire version of the message
   as a whole (so it needs to be bytes).  That means converting the
   headers.  Header names and values are US-ASCII, per §2.2 of RFC
   5322, so they should be convertible cleanly, but we still have to
   convert them explicitly so that python knows the right thing to do.

At any rate, tests/runtests all passes with these changes, and the
output for both Authentication-Results: and DKIM-Signature headers
looks the same.
 2019-02-21 19:22:11 -05:00
Daniel Kahn Gillmor 25fdd3b81c Do not create PidFile by default 
By default, avoid creating a PIDFile.

PIDFiles are racy and potentially dangerous.  Modern system
supervision systems don't need them, because they manage the process
groups directly.

If the configuration file doesn't specify a PidFile, dkimpy-milter
shouldn't try to create one.
 2019-02-21 19:22:11 -05:00
Daniel Kahn Gillmor 9d5316ca0e Handle defaults for Socket differently 
We want to be able to select the default for Socket differently in the
future.

This change augments the API for dkimpy_milter.util.own_socketfile()
by adding an optional sockname argument.  This is a
backward-compatible change.  If we aren't committed to API stability
for this function, we could make a more invasive change that would
probably be a more reasonable API going forward, but this is probably
good enough.
 2019-02-21 19:22:11 -05:00
Daniel Kahn Gillmor 391b5352f3 Convert mostly to python3 (still need strings/bytes conversions) 
This covers conversion of the whole project to python3, *except* for
the strings/bytes distinction in __init__.py, which i'm leaving for a
second commit.

The changes in this commit are intended to be relatively
uncontroversial, so that the following commit contains the tricky
bits.
 2019-02-21 19:22:09 -05:00
Daniel Kahn Gillmor ad8f396db0 Expand test suite to cover RSA as well as ed25519 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 479820a07d tests: test DKIM signing and verification 
This test makes use of DNSOverride and the new verifying milter to
ensure that signatures can be verified properly.

It doesn't test the actual interaction with the public DNS, but
getting that kind of test to work on arbitrary platforms might be more
trouble than it's worth.

I note that the DNSOverride only works as long as testkey.dns is a
single line, which is fine for ed25519, but maybe not for RSA.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 7bfb87fab7 Set up __main__.py, use it in tests 
This allows us to invoke dkimpy-milter as "python -m dkimpy_milter
dkimpy-milter.conf", which makes running the test suite easier.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 5c1d5d6e52 tests: Run a verifying milter as well as a signing milter 
Having a verifying milter will come in handy when we want to test both
sides of the DKIM process.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor ae31730593 check for actions claimed by the filter 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 72ed000ccf simple testing framework 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor b3db013754 config: Reassemble strings sensibly 
If a string-based configuation entry had whitespace in it, it would be
reassembled via a round-trip through the python interpreter, resulting
in a line like this:

    PidFile /home/dkimpy-milter/pid file

produces a string like "['/home/dkimpy-milter/pid', 'file']", which is
clearly wrong.

I don't want to encourage people to use paths or other strings with
whitespace in them, but if we're going to fail on them we should be
failing explicitly, not doing a weird transformation that will just
break.

This is concretely useful for the DNSOverride mechanism, which is
where i ran into the problem when trying to set up testing that could
work without setting up an emulated DNS system.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor bd1d25d83e Set up correct AuthservID defaults 
Without this fix, a verifying dkimpy-milter that has no explicit
AuthservID produces the following crashing behavior as it tries to
create the authres header:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 772, in <lambda>
    milter.set_eom_callback(lambda ctx: ctx.getpriv().eom())
  File "…/dkimpy_milter/__init__.py", line 199, in eom
    h = fold(str(h))
  File "/usr/lib/python2.7/dist-packages/authres/core.py", line 476, in __str__
    return ''.join((self.HEADER_FIELD_NAME, ': ', self.header_value()))
  File "/usr/lib/python2.7/dist-packages/authres/core.py", line 496, in header_value
    return ''.join(strs)
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 1c6030024d add DNSOverride configuration for testing 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 71c0c3f20a Avoid failing to chown non-existent Unix-domain sockets 
Changing ownership of sockets that doesn't exist isn't a great
practice.

A better approach would be to apply os.chown() to the file descriptor
of the open socket, but at the very least dkimpy-milter shouldn't
crash the way it currently does if the socket isn't already present.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor a9a6893c89 Handle unix: socket prefix the same as local: 
sendmail's milter.c treats these two declarations the same way, so
what we do for one should also be done for the other.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor bb44f36519 When Socket is absolute path, do not strip leading / 
This appears to just be an untested codepath.
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor 9e11b75ec3 Avoid AttributeError on simple connection and disconnection 
Without this patch, this simple script for miltertest:

----
conn = mt.connect("unix:milter.sock")
if conn == nil then
  error "mt.connect() failed"
end
if mt.conninfo(conn, nil, "unspec") ~= nil then
  error "mt.conninfo() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
     error "mt.conninfo() unexpected reply"
end
mt.disconnect(conn)
----

Produces the following error:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 702, in connect_callback
    return m.connect(hostname,family,hostaddr)
  File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 173, in wrapper
    rc = func(self,*args)
  File "/home/dkg/src/dkimpy-milter/dkimpy-milter/dkimpy_milter/__init__.py", line 64, in connect
    self.receiver = self.getsymval('j').strip()
AttributeError: 'NoneType' object has no attribute 'strip'
 2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor f60ea12e86 Prefer dnspython over PyDNS in setup.py 
README and dkimpy_milter/dnsplug.py both prefer dnspython if
available, over PyDNS.  setup.py should order the preferences in the
same way.
 2019-02-21 19:21:36 -05:00
Daniel Kahn Gillmor e872bd44b0 ignore emacs turds 2019-02-19 18:03:54 -05:00
Scott Kitterman 51c8fdcb6c Bump version to 1.0.1, update TODO, set release date 2019-02-11 15:14:11 -05:00
Scott Kitterman aa4dadc22f * Reorder milter start and dropping privileges so permissions on Unix socket 
are correct (LP: 1797720)
 2019-02-11 15:09:34 -05:00
Scott Kitterman b1abbf9d61 - Make domain checks case insensitive for determining if signing should be 
done (LP: #1815311)
 2019-02-11 14:55:35 -05:00
Scott Kitterman ea2b612e8d - Add information on Ed25519 key creation to README (LP: #1815313) 2019-02-11 14:23:55 -05:00
Scott Kitterman 5945e818ca - Add additional Sendmail configuration information to README from OpenDKIM 
update based on input from Дилян Палаузов (LP: #1801619)
 2019-02-11 13:32:37 -05:00
Scott Kitterman f38fed3bee Rip out unused whichbd module in preparation for python3 port 2019-02-11 03:16:53 -05:00
Scott Kitterman 06948b3dbc Update references in man/dkimpy-milter.8 2019-02-09 22:20:01 -05:00
Scott Kitterman e951ab6c5e Remove obsolete .IX macro from man pages 
Conflicts:
	man/dkimpy-milter.conf.5
 2019-02-09 22:19:41 -05:00
Scott Kitterman 03c86a2b08 Fix grammar error in README 2019-02-09 22:18:11 -05:00
Scott Kitterman 2cda1758c1 Fix spelling error in README 2019-02-09 22:17:53 -05:00
Scott Kitterman 851f8ff9c9 Update references in man/dkimpy-milter.8 2019-02-08 04:02:34 -05:00
Scott Kitterman cbb6098dd8 Remove obsolete .IX macro from man pages 2019-02-08 01:12:21 -05:00
Scott Kitterman c90d694fff Fix grammar error in README 2019-02-01 15:15:50 -05:00
Scott Kitterman 8d8cd15cba Fix spelling error in README 2019-02-01 15:11:00 -05:00
Scott Kitterman 4f21623f92 Add read_keytable function to util.py 2018-12-24 16:08:50 -05:00
Scott Kitterman bf2548f891 Documentation updates for 1.1.0 2018-10-11 21:45:17 -04:00
Scott Kitterman a188bd3960 Deleted reference to obsolete syslog target in unit file 2018-05-11 14:31:15 -04:00
Scott Kitterman c91a12f0d1 Documentation updates for 1.0.0 release 2018-05-11 14:29:15 -04:00
Scott Kitterman 286ffbb6c9 Add release date for 0.9.7 to CHANGES 2018-03-19 01:07:52 -04:00
Scott Kitterman ec3252c367 - Minor sysv init improvments 2018-03-15 23:59:03 -04:00
Scott Kitterman a2ff03727d - Put version directly in setup.py and do not import dkimpy_milter to ease 
install via pip
 2018-03-15 23:44:31 -04:00
Scott Kitterman af4b05e242 - Add missing documentation key to system/dkimpy-milter.service 2018-03-15 20:49:35 -04:00
Scott Kitterman 6509eaad35 - Made sysv init executable 2018-03-15 20:44:16 -04:00
Scott Kitterman f9483fea8c - Added protection for malformed From addresses. If the From does not at 
least have an '@' in the address, then the signing domain is not extracted
   and the message will not be signed
 2018-03-15 20:42:49 -04:00
Scott Kitterman 7a3a7bfb43 Bump version to 0.9.6 2018-03-12 22:08:07 -04:00
Scott Kitterman 8a0e1bdd97 - Fixed typo in path for fallback location of the config file if one is not 
provided
 2018-03-12 22:03:45 -04:00
Scott Kitterman e3005aa723 Move OversignHeaders up earlier on TODO. 2018-03-12 22:03:36 -04:00
Scott Kitterman 45d3ba13ca Added more to README about first run with systemd 2018-03-11 00:42:22 -05:00
Scott Kitterman f05309437f Fix merge conflict 2018-03-11 00:28:08 -05:00
Scott Kitterman d4499f6990 Fixed typo in package installation section of README 2018-03-11 00:27:19 -05:00
Scott Kitterman 7d87309f4b Fixed typo in package installation section of README 2018-03-11 00:24:39 -05:00
Scott Kitterman 1d8c309da9 Fix setup.py install locations so they are installed correctly and drop unneeded README changes. 2018-03-10 20:06:21 -05:00
Scott Kitterman 4d5961e4d5 Bump version 2018-03-10 19:52:29 -05:00
Scott Kitterman 59448e8e57 - Add information to README about manually putting init scripts in the right 
locations
 2018-03-10 19:51:29 -05:00
Scott Kitterman 695de0db14 - Add conf file location to systemd unit file 2018-03-10 19:43:37 -05:00
Scott Kitterman dfd6fa68c3 Changelog: release 0.9.5 (Beta 1) 2018-03-10 19:06:55 -05:00
Scott Kitterman 86eb152f93 Enhanced signature verification logging to provide more useful information, added signing success logging, and more PEP 8 2018-03-10 19:02:37 -05:00
Scott Kitterman 126966e110 - Update Authentication Results result comment not to mention key size for 
ed25519 signatures, since it's irrelevant
 2018-03-10 18:18:01 -05:00
Scott Kitterman 5d8d47cd52 - Fixed install_requires so either dnspython (preferred if neither is 
installed) or PyDNS satisfies the install requirements
 2018-03-10 17:49:22 -05:00
Scott Kitterman 1843ca6244 - Added support for SyslogSuccess option 
- Rationalized logging to be much less verbose unless SyslogSuccess or
   debugLevel are set - default is generally start/stop/errors only
 2018-03-10 16:06:22 -05:00
Scott Kitterman f9358d594c Delete unused import 2018-03-10 15:36:40 -05:00
Scott Kitterman a8aa422b03 Post pep-8 cleanup 2018-03-10 15:34:56 -05:00
Scott Kitterman 9836f2c9c2 Update TODO 2018-03-10 03:00:59 -05:00
Scott Kitterman 70606ac58c pep8 and a few other cleanups 2018-03-10 02:45:35 -05:00
Scott Kitterman 6348bdcdc7 Cleanup, indentation, pyflakes 2018-03-10 00:52:45 -05:00
Scott Kitterman fd39384e78 Fix for DiagnosticDirectory 2018-03-09 23:49:57 -05:00
Scott Kitterman 924c96d555 - Added example in README to show use of MacroList* to separate inbound and 
outbound mail streams
 2018-03-09 22:50:07 -05:00
Scott Kitterman efeabd19d3 Added support for MacroListVerify option 2018-03-09 22:39:55 -05:00
Scott Kitterman a9b8a44bfc Add support for MacroList option 2018-03-09 21:53:58 -05:00
Scott Kitterman daaa6aada7 Fix option name typo in man/dkimpy-milter.conf.5 2018-03-09 20:45:57 -05:00
Scott Kitterman e795db7c69 Start 0.9.5: Beta 1 (updated Alpha -> Beta warning in README and trove classifiers) 2018-03-09 18:08:42 -05:00
23 changed files with 1222 additions and 451 deletions
Expand all files Collapse all files
.gitignore
+1
View File
@@ -1,3 +1,4 @@
dist
dkimpy_milter.egg-info
*.pyc
*~
CHANGES
+81
View File
@@ -1,3 +1,84 @@
1.1.4 2019-11-22
- Make error logging more explicit to aid debugging
- Delete own_socketfile to resolve race condition where the permissions
change fails on a Unix socket because it hasn't been created yet (libmilter
will do this correctly on its own based on umask, the milter doesn't need
to do it) (LP: #1849712)
1.1.3 2019-10-06
- Fix sysv init so it works (LP: #1839487)
1.1.2 2019-09-23
- Fix variable initialization so mailformed mails missing body From do not
cause a traceback (LP: #1844161)
- Catch more ascii encoding errors to improve resilience against bad data
(LP: #1844189)
1.1.1 2019-09-06
- Fix startup logging so it provides information at a useful time
- Fix verify processing so missing (optional) i= tag doesn't cause the milter
to fail (LP: #1842250)
- Fix message extraction so that signing in the same pass through the milter
as verifying works correctly
1.1.0 2019-04-12
- Add SubDomains option to enable signing for sub-domains (LP: #1811535)
- Port to python3 (LP: #1815502)
- Add test suite using opendkim miltertest
- When Socket is absolute path, do not strip leading /
- Handle unix: socket prefix the same as local:
- Set up correct AuthservID defaults
- config: Reassemble strings sensibly
- Consistently prefer dnspython to Py3DNS (LP: #1815558)
1.0.1 2019-02-11
- Reorder milter start and dropping privileges so permissions on Unix socket
are correct (LP: 1797720)
- Make domain checks case insensitive for determining if signing should be
done (LP: #1815311)
- Add additional Sendmail configuration information to README from OpenDKIM
update based on input from Дилян Палаузов (LP: #1801619)
- Add information on Ed25519 key creation to README (LP: #1815313)
1.0.0 2018-05-11
- Minor documentation updates
- Deleted reference to obsolete syslog target in unit file
0.9.7 2018-03-19
- Made sysv init executable
- Add missing documentation key to system/dkimpy-milter.service
- Put version directly in setup.py and do not import dkimpy_milter to ease
install via pip
- Minor sysv init improvments
0.9.6 2018-03-13
- Fixed typo in package installation section of README
- Added more to README about first run with systemd
- Fixed typo in path for fallback location of the config file if one is not
provided
- Added protection for malformed From addresses. If the From does not at
least have an '@' in the address, then the signing domain is not extracted
and the message will not be signed
0.9.5.1 2018-03-10
- Add conf file location to systemd unit file
- Fix setup.py install locations so they are installed correctly
0.9.5 2018-03-10
- Beta 1 (updated Alpha -> Beta warning in README and trove classifiers)
- Added support for MacroList option
- Added support for MacroListVerify option
- Added example in README to show use of MacroList* to separate inbound and
outbound mail streams
- Added support for SyslogSuccess option (both signing and verifying)
- Rationalized logging to be much less verbose unless SyslogSuccess or
debugLevel are set - default is generally start/stop/errors only
- Fixed install_requires so either dnspython (preferred if neither is
installed) or PyDNS satisfies the install requirements
- Updated Authentication Results result comment not to mention key size for
ed25519 signatures, since it's irrelevant
- Enhanced signature verification logging to provide more useful information
0.9.4 2018-03-09
- Create PID directory if it is missing
- Fix crash when verifying if domain for signing was not set
README
+173 -26
View File
@@ -1,23 +1,29 @@
This is a DKIM signing and verification milter. In theory it works with both
Postfix and Sendmail, but the author has zero experience with Sendmail, so
reports of success/failure with Sendmail and patches are welcom.
OVERVIEW
========
This is a DKIM signing and verification milter. It has been tested with both
Postfix and Sendmail.
The configuration file is designed to be compatible with OpenDKIM, but only
a subset of OpenDKIM options are supported. If an unsupported option is
specified, an error will be raised.
INSTALLATION
===========
This package includes a default configuration file and man pages. For those
to be installed when installing using setup.py, the following incantation is
required because setuptools developers decided not being able to do this by
default is a feature:
python setup.py install --single-version-externally-managed --record=/dev/null
python3 setup.py install --single-version-externally-managed --record=/dev/null
For users of Debian Stable (Debian 9, Codename Squueze), all dependencies are
For users of Debian Stable (Debian 9, Codename Squeeze), all dependencies are
available in either the main or backports repositories:
[sudo] apt install python-milter python-nacl pthon-ipaddress python-dnspython
[sudo] apt install -t squeeze-backports python-authres python-dkim
[sudo] apt install python3-milter python3-nacl python3-dnspython
[sudo] apt install -t stretch-backports python3-authres python3-dkim
The preferred method of installation is from PyPi using pip (if distribution
packages are not available):
@@ -25,17 +31,61 @@ packages are not available):
[sudo] pip install dkimpy_milter
Using pip will cause required packages to be installed via easy_install if they
have not been previously installed.
have not been previously installed. Because pymilter and PyNaCl are compiled
Python extensions, the system will need appropriate development packages and
an C compiler. Alternately, install these dependencies from distribution/OS
packages and then pip install dkimpy_milter.
The milter will work with either pydns (DNS) or dnspython (dns), preferring
dnspython is both are available. The dkimpy DKIM module also works with
The milter will work with either py3dns (DNS) or dnspython (dns), preferring
dnspython if both are available. The dkimpy DKIM module also works with
either.
SETUP
====
SIGNING KEYS
============
In order to create DKIM signatures, a private key must be available. Signing
keys should be protected (owned by root:root with permissions 600 in a
directory that is not world readable). Different keys are required for RSA
and (if used) Ed25519.
RSA
===
Both public and private keys for RSA have standard formats and there are many
tools available to create them. Keys must (RFC 8302) have a minimum size of
1024 bits and should have a size of at least 2048 bits. The dknewkey script
that is provided with dkimpy is one such tool:
dknewkey exampleprivkey
will produce both the private key file (.key suffix) and a file with the DKIM
public key record to be published DNS (.dns suffix). RSA is the default key
type. 2048 bits is the default key size.
ED25519
=======
There is no standardized non-binary representation for Ed25519 private keys,
so in order to generate Ed25519 keys for dkimpy-milter, dkimpy specific tools
must be used to be compatible. The same dknewkey script support Ed25519:
dknewkey --ktype ed25519 anothernewkey
will provide both the private key file (.key suffix) and a file with the DKIM
public key record to be published DNS (.dns suffix). Ed25519 keys do not have
variable bit lengths.
MTA INTEGRATION
==============
Both a systemd unit file and a sysv init file are provided. Both make
assumptions about defaults being used, e.g. if a non-standard pidfile name is
used, they will need to be updated. The sysv init file is Debian specific and
untested, since the developers are not using sysv init. Feedback/patches
welcome.
used, they will need to be updated. The sysv init file uses start-stop-deamon
from Debian. It is not portable to systems without that available.
The dkimpy-milter drops priviledges after setup to the user/group specified in
UserID. During initial setup, this system user needs to be manually created.
@@ -43,21 +93,30 @@ As an example, using the default dkimpy-user on Debian, the command would be:
[sudo] adduser --system --no-create-home --quiet --disabled-password \
--disabled-login --shell /bin/false --group \
--home /var/run/dkimpy-milter dkimpy-milter
--home /run/dkimpy-milter dkimpy-milter
Since /var/run or /run is sometimes on a tempfs, if the PID file directory is
missing, the milter will create it on startup.
To start dkimpy-milter with systemd for the first time, you will need to take
the following steps:
[sudo] systemctl daemon-reload
[sudo] systemctl enable dkimpy-milter
[sudo] systemctl start dkimpy-milter
[sudo] systemctl status dkimpy-milter (to verify it started correctly)
As with all milters, dkimpy-milter needs to be integrated with your MTA of
choice (Sendmail or Postfix).
For Sendmail:
SENDMAIL
========
Configuration is very similar to opendkim, but needs some adjustment for
dkimpy-milter. Here's an example configuration line to include in your
sendmail.mc:
INPUT_MAIL_FILTER(`dkimpy-milter', `S=local:/var/run/dkimpy-milter/dkimpy-milter.sock')dnl
INPUT_MAIL_FILTER(`dkimpy-milter', `S=local:/run/dkimpy-milter/dkimpy-milter.sock')dnl
Changing the sendmail.mc file requires a Make (to compile it into sendmail.cf)
and a restart of sendmail. Note that S= needs to match the value of Socket in
@@ -67,12 +126,64 @@ Milter support should be present by default in most versions of sendmail
these days, but if not included in your Sendmail build, see:
http://www.elandsys.com/resources/sendmail/milter.html
For Postfix:
ISSUES USING SENDMAIL TO SIGN AND VERIFY
========================================
When using the sendmail MTA in both signing and verifying mode, there are
a few issues of which to be aware that might cause operational problems
and deserve consideration.
(a) When the MTA will be used for relaying emails, e.g. delivering to other
hosts using the aliases mechanism, it is important not to break
signatures inserted by the original sender. This is particularly sensitive
particular when the sending domain has published a "reject" DMARC policy.
By default, sendmail quotes to address header fields when there are no
quotes and the display part of the address contains a period or an
apostrophe. However, opendkim only sees the raw, unmodified form of
the header field, and so the content that gets verified and what gets
signed will not be the same, guaranteeing the attached signature is not
valid.
To direct sendmail not to modify the headers, add this to your sendmail.mc:
conf(`confMUST_QUOTE_CHARS', `')
(b) As stated in sendmail's KNOWNBUGS file, sendmail truncates header field
values longer than 256 characters, which could mean truncating the domain
of a long From: header field value and invalidating the signature.
You may wish to consider increasing MAXNAME in sendmail/conf.h to mitigate
changing the messages and invalidating their signatures. This change
requires recompiling sendmail.
(c) Similar to (a) above, sendmail may wrap very long single-line recipient
fields for presentation purposes; for example:
To: very long name <a@example.org>,anotherloo...ong name b <b@example.org>
...might be rewritten as:
To: very long name <a@example.org>,
anotherloo...ong name b <b@example.org>
This rewrite is also done after opendkim has seen the message, meaning
the signature opendkim attaches to the message does not match the
content it signed. There is not a known configuration change to
mitigate this mutation.
The only known mechanism for dealing with this is to have distinct
instances of opendkim do the verifying (inbound) and signing (outbound)
so that the version that arrives at the signing instance is already
in the rewritten form, guaranteeing the input and output are the same
and thus the signature matches the payload.
POSTFIX
=======
Integration of dkimpy-milter into Postfix is like any milter (See Postfix's
README_FILES/MILTER_README). Here's an example master.cf excerpt the talks to
two dkimpy-milter instances, one configured for signing and one configured for
verification:
README_FILES/MILTER_README). Here's an example master.cf excerpt that talks
to two dkimpy-milter instances, one configured for signing and one configured
for verification:
smtp inet n - - - - smtpd
...
@@ -86,10 +197,46 @@ submission inet n - - - - smtpd
These need to match the Socket value for each dkimpy-milter instance.
The python DKIM library, dkimpy, requires the entire message being signed or
verified to be in memory, so dkimpy-milter does not write messages out to a temp
file. This may impact performance on low-memory systems.
Care is required to segregate outbound mail to be signed and inbound mail to
be verified. The above example uses two instances of dkimpy-milter to do
this. There are many possible ways. Here is another example using milter
macros to keep the mail streams segregated:
WARNING: This is an alpha grade release to support interoperability testing with
Ed25519 signatures and basic functionality. It is known to be incomplete and
not suitable for general use.
Postfix master.cf:
smtp inet n - - - - smtpd
...
-o smtpd_milters=inet:localhost:8891
-o milter_macro_daemon_name=VERIFYING
...
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
...
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_milters=inet:localhost:8891
...
Dkimpy-milter.conf:
...
Mode sv
MacroList dameon_name|ORIGINATING
MacroListVerify daemon_name|VERIFYING
...
NOTES
=====
The python DKIM library, dkimpy, requires the entire message being signed or
verified to be in memory, so dkimpy-milter does not write messages out to a
temp file. This may impact performance on low-memory systems.
DKIM with Ed25519 signatures are described in RFC 8463. Version 1.0.0 and
later support Ed25519 signing and verification. RFC 8301 removed rsa-sha1
from DKIM. dkimpy-milter does not sign with rsa-sha1, but still considers
rsa-sha1 signatures as valid for verification because they are still in
common use and are not known to be cryptographically broken.
TODO
+19 -13
View File
@@ -34,27 +34,37 @@ DiagnosticDirectory implemented verified
InternalHosts implemented verified
0.9.5 (Beta)
SyslogSuccess
MacroList implemented verified
MacroListVerify implemented verified
SyslogSuccess implemented verified
1.0.0
Convert dkim-milter-python config
No additional features planned
No additional features
Plannedataset type support:
db:/.db
1.0.1
Bug fix only, improved documentation
1.1.0
Port to Python 3 implemented verified
Subdomain support implemented verified
Test suite implemented verified
Planned dataset type support (if needed):
mdb:
Considered for near-term feature release
KeyTable
KeytableEd25519
SigningTable
SigningTableEd25519
AlwaysAddARHeader
ChangeRootDirectory
ClockDrift (requires dkimpy change)
DNSTimeout (requires dkmpy change)
MacroList
DNSTimeout (requires dkimpy change)
MilterDebug
MinimumKeyBits
OversignHeaders (may require dkimpy changes)
PeerList
SignatureAlgorithm
@@ -68,8 +78,6 @@ ExternalIgnoreList
FixCRLF
KeepAuthResults
KeepTemporaryFiles
KeyTable
KeytableEd25519
LogResults
LogWhy
MaximumHeaders
@@ -85,7 +93,6 @@ On-InternalError
On-KeyNotFound
On-NoSignature
On-SignatureError
OversignHeaders
RemoveARAll
RemoveARFrom
RemoveOldSignatures
@@ -94,7 +101,6 @@ RequireSafeKeys
SignatureAlgorithm
SignatureTTL
SignHeaders
SigningTable
SoftwareHeader
StrictHeaders
SubDomains
dkimpy_milter/__init__.py
+213 -107
View File
@@ -1,4 +1,4 @@
#! /usr/bin/python2
#! /usr/bin/python3
# Original dkim-milter.py code:
# Author: Stuart D. Gathman <stuart@bmsi.com>
# Copyright 2007 Business Management Systems, Inc.
@@ -25,26 +25,24 @@ import sys
import syslog
import Milter
import dkim
from dkim.dnsplug import get_txt
from dkim.util import parse_tag_value
import authres
import os
import tempfile
import StringIO
import io
import re
from Milter.config import MilterConfigParser
from Milter.utils import iniplist,parse_addr,parseaddr
import codecs
from Milter.utils import parse_addr, parseaddr
import dkimpy_milter.config as config
from dkimpy_milter.util import drop_privileges
from dkimpy_milter.util import setExceptHook
from dkimpy_milter.util import write_pid
from dkimpy_milter.util import read_keyfile
from dkimpy_milter.util import own_socketfile
from dkimpy_milter.util import fold
__version__ = "0.9.4"
__version__ = "1.0.1"
FWS = re.compile(r'\r?\n[ \t]+')
class dkimMilter(Milter.Base):
"Milter to check and sign DKIM. Each connection gets its own instance."
@@ -56,94 +54,111 @@ class dkimMilter(Milter.Base):
self.privatersa = privateRSA
self.privateed25519 = privateEd25519
self.fp = None
self.fdomain = ''
@Milter.noreply
def connect(self,hostname,unused,hostaddr):
def connect(self, hostname, unused, hostaddr):
self.internal_connection = False
self.external_connection = False
self.hello_name = None
# sometimes people put extra space in sendmail config, so we strip
self.receiver = self.getsymval('j').strip()
self.receiver = self.getsymval('j')
if self.receiver is not None:
self.receiver = self.receiver.strip()
try:
self.AuthservID = milterconfig['AuthservID']
except:
self.AuthservID = self.receiver
if hostaddr and len(hostaddr) > 0:
ipaddr = hostaddr[0]
if milterconfig['InternalHostsObj']:
if milterconfig['InternalHostsObj'].match(ipaddr):
if milterconfig['IntHosts']:
if milterconfig['IntHosts'].match(ipaddr):
self.internal_connection = True
else: ipaddr = ''
else:
ipaddr = ''
self.connectip = ipaddr
if milterconfig.get('MacroList') and not self.internal_connection:
macrolist = milterconfig.get('MacroList')
for macro in macrolist:
macroname = macro.split('|')[0]
macroname = '{' + macroname + '}'
macroresult = self.getsymval(macroname)
if ((len(macro.split('|')) == 1 and macroresult) or macroresult
in macro.split('|')[1:]):
self.internal_connection = True
if milterconfig.get('MacroListVerify'):
macrolist = milterconfig.get('MacroListVerify')
for macro in macrolist:
macroname = macro.split('|')[0]
macroname = '{' + macroname + '}'
macroresult = self.getsymval(macroname)
if ((len(macro.split('|')) == 1 and macroresult) or macroresult
in macro.split('|')[1:]):
self.external_connection = True
if self.internal_connection:
connecttype = 'INTERNAL'
else:
connecttype = 'EXTERNAL'
if milterconfig.get('Syslog'):
syslog.syslog("connect from {0} at {1} {2}".format(hostname,hostaddr,connecttype))
if milterconfig.get('Syslog') and milterconfig.get('debugLevel') >= 1:
syslog.syslog("connect from {0} at {1} {2}"
.format(hostname, hostaddr, connecttype))
return Milter.CONTINUE
# multiple messages can be received on a single connection
# envfrom (MAIL FROM in the SMTP protocol) seems to mark the start
# of each message.
@Milter.noreply
def envfrom(self,f,*str):
if milterconfig.get('Syslog'):
syslog.syslog("mail from: {0} {1}".format(f,str))
self.fp = StringIO.StringIO()
def envfrom(self, f, *str):
if milterconfig.get('Syslog') and milterconfig.get('debugLevel') >= 2:
syslog.syslog("mail from: {0} {1}".format(f, str))
self.fp = io.BytesIO()
self.mailfrom = f
t = parse_addr(f)
if len(t) == 2: t[1] = t[1].lower()
if len(t) == 2:
t[1] = t[1].lower()
self.canon_from = '@'.join(t)
self.user = self.getsymval('{auth_authen}')
self.has_dkim = 0
self.author = None
self.arheaders = []
self.arresults = []
'''if self.user:
# Very simple SMTP AUTH policy by default:
# any successful authentication is considered INTERNAL
self.internal_connection = True
auth_type = self.getsymval('{auth_type}')
ssl_bits = self.getsymval('{cipher_bits}')
if milterconfig.get('Syslog'):
syslog.syslog(
"SMTP AUTH:",self.user,"sslbits =",ssl_bits, auth_type,
"ssf =",self.getsymval('{auth_ssf}'), "INTERNAL"
)
# Detailed authorization policy is configured in the access file below.
self.arresults.append(
authres.SMTPAUTHAuthenticationResult(result = 'pass',
result_comment = auth_type+' sslbits='+ssl_bits, smtp_auth = self.user)
)'''
return Milter.CONTINUE
@Milter.noreply
def header(self,name,val):
def header(self, name, val):
lname = name.lower()
if lname == 'dkim-signature':
if milterconfig.get('Syslog'):
syslog.syslog("{0}: {1}".format(name,val))
if (milterconfig.get('Syslog') and
milterconfig.get('debugLevel') >= 1):
syslog.syslog("{0}: {1}".format(name, val))
self.has_dkim += 1
if lname == 'from':
fname,self.author = parseaddr(val)
self.fdomain = self.author.split('@')[1]
if milterconfig.get('Syslog'):
syslog.syslog("{0}: {1}".format(name,val))
fname, self.author = parseaddr(val)
try:
self.fdomain = self.author.split('@')[1].lower()
except IndexError as er:
pass # self.author was not a proper email address
if (milterconfig.get('Syslog') and
milterconfig.get('debugLevel') >= 1):
syslog.syslog("{0}: {1}".format(name, val))
elif lname == 'authentication-results':
self.arheaders.append(val)
if self.fp:
self.fp.write("%s: %s\n" % (name,val))
try:
self.fp.write(b"%s: %s\n" % (codecs.encode(name, 'ascii'), codecs.encode(val, 'ascii')))
except:
# Don't choke on header fields with non-ascii garbage in them.
pass
return Milter.CONTINUE
@Milter.noreply
def eoh(self):
if self.fp:
self.fp.write("\n") # terminate headers
self.fp.write(b"\n") # terminate headers
self.bodysize = 0
return Milter.CONTINUE
@Milter.noreply
def body(self,chunk): # copy body to temp file
def body(self, chunk): # copy body to temp file
if self.fp:
self.fp.write(chunk) # IOError causes TEMPFAIL in milter
self.bodysize += len(chunk)
@@ -153,65 +168,92 @@ class dkimMilter(Milter.Base):
if not self.fp:
return Milter.ACCEPT # no message collected - so no eom processing
# Remove existing Authentication-Results headers for our authserv_id
for i,val in enumerate(self.arheaders,1):
for i, val in enumerate(self.arheaders, 1):
# FIXME: don't delete A-R headers from trusted MTAs
try:
ar = authres.AuthenticationResultsHeader.parse_value(FWS.sub('',val))
ar = (authres.AuthenticationResultsHeader
.parse_value(FWS.sub('', val)))
if ar.authserv_id == self.AuthservID:
self.chgheader('authentication-results',i,'')
if milterconfig.get('Syslog'):
self.chgheader('authentication-results', i, '')
if (milterconfig.get('Syslog') and
milterconfig.get('debugLevel') >= 1):
syslog.syslog('REMOVE: {0}'.format(val))
except:
# Don't error out on unparseable AR header fiels
pass
# Check or sign DKIM
# Check and/or sign DKIM
self.fp.seek(0)
txt = self.fp.read()
if milterconfig.get('Domain'):
domain = milterconfig.get('Domain')
else:
domain = ''
if (self.fdomain in domain) and (not milterconfig.get('Mode') == 'v'):
txt = self.fp.read()
if milterconfig.get('SubDomains'):
self.fdomain = _get_parent_domain(self.fdomain, domain)
if ((self.fdomain in domain) and not milterconfig.get('Mode') == 'v'
and not self.external_connection):
self.sign_dkim(txt)
result = None
if (self.has_dkim) and (not self.internal_connection) and (milterconfig.get('Mode') == 'v' or milterconfig.get('Mode') == 'sv'):
txt = self.fp.read()
if ((self.has_dkim) and (not self.internal_connection) and
(milterconfig.get('Mode') == 'v' or
milterconfig.get('Mode') == 'sv')):
self.check_dkim(txt)
else:
result = 'none'
if self.arresults:
h = authres.AuthenticationResultsHeader(authserv_id = self.AuthservID,
h = authres.AuthenticationResultsHeader(authserv_id=
self.AuthservID,
results=self.arresults)
h = fold(str(h))
if milterconfig.get('Syslog'):
syslog.syslog(str(h))
name,val = str(h).split(': ',1)
self.addheader(name,val,0)
h = fold(codecs.encode(str(h), 'ascii'))
if (milterconfig.get('Syslog') and
milterconfig.get('debugLevel') >= 2):
syslog.syslog(codecs.decode(h, 'ascii'))
name, val = codecs.decode(h, 'ascii').split(': ', 1)
self.addheader(name, val, 0)
return Milter.CONTINUE
def sign_dkim(self,txt):
canon = milterconfig.get('Canonicalization')
def sign_dkim(self, txt):
canon = codecs.encode(milterconfig.get('Canonicalization'), 'ascii')
canonicalize = []
if len(canon.split('/')) == 2:
canonicalize.append(canon.split('/')[0])
canonicalize.append(canon.split('/')[1])
if len(canon.split(b'/')) == 2:
canonicalize.append(canon.split(b'/')[0])
canonicalize.append(canon.split(b'/')[1])
else:
canonicalize.append(canon)
canonicalize.append(canon)
if (milterconfig.get('Syslog') and
milterconfig.get('debugLevel') >= 1):
syslog.syslog('canonicalize: {0}'.format(canonicalize))
try:
if privateRSA:
d = dkim.DKIM(txt)
h = d.sign(milterconfig.get('Selector'), self.fdomain, privateRSA,
canonicalize=(canonicalize[0], canonicalize[1]))
name,val = h.split(': ',1)
self.addheader(name,val.strip().replace('\r\n','\n'),0)
h = d.sign(codecs.encode(milterconfig.get('Selector'), 'ascii'), codecs.encode(self.fdomain, 'ascii'),
codecs.encode(privateRSA, 'ascii'),
canonicalize=(canonicalize[0],
canonicalize[1]))
name, val = h.split(b': ', 1)
self.addheader(codecs.decode(name, 'ascii'), codecs.decode(val, 'ascii').strip().replace('\r\n', '\n'), 0)
if (milterconfig.get('Syslog') and
(milterconfig.get('SyslogSuccess')
or milterconfig.get('debugLevel') >= 1)):
syslog.syslog('{0}: {1} DKIM signature added (s={2} '
'd={3})'.format(self.getsymval('i'),
d.signature_fields.get(b'a').decode(),
d.signature_fields.get(b's').decode(),
d.domain.decode().lower()))
if privateEd25519:
d = dkim.DKIM(txt)
h = d.sign(milterconfig.get('SelectorEd25519'), self.fdomain, privateEd25519,
canonicalize=(canonicalize[0], canonicalize[1]), signature_algorithm='ed25519-sha256')
name,val = h.split(': ',1)
self.addheader(name,val.strip().replace('\r\n','\n'),0)
h = d.sign(codecs.encode(milterconfig.get('SelectorEd25519'), 'ascii'), codecs.encode(self.fdomain, 'ascii'),
privateEd25519, canonicalize=(canonicalize[0],
canonicalize[1]),
signature_algorithm=b'ed25519-sha256')
name, val = h.split(b': ', 1)
self.addheader(codecs.decode(name, 'ascii'), codecs.decode(val, 'ascii').strip().replace('\r\n', '\n'), 0)
if (milterconfig.get('Syslog') and
(milterconfig.get('SyslogSuccess')
or milterconfig.get('debugLevel') >= 1)):
syslog.syslog('{0}: {1} DKIM signature added (s={2} '
'd={3})'.format(self.getsymval('i'),
d.signature_fields.get(b'a').decode(),
d.signature_fields.get(b's').decode(),
d.domain.decode().lower()))
except dkim.DKIMException as x:
if milterconfig.get('Syslog'):
syslog.syslog('DKIM: {0}'.format(x))
@@ -220,17 +262,29 @@ class dkimMilter(Milter.Base):
syslog.syslog("sign_dkim: {0}".format(x))
raise
def check_dkim(self,txt):
def check_dkim(self, txt):
res = False
conf = self.conf
self.header_a = None
for y in range(self.has_dkim): # Verify _ALL_ the signatures
d = dkim.DKIM(txt)
try:
res = d.verify(idx=y)
if res:
self.dkim_comment = 'Good {0} bit {1} signature.'.format(d.keysize, d.signature_fields.get(b'a'))
dnsoverride = milterconfig.get('DNSOverride')
if isinstance(dnsoverride, str):
syslog.syslog("DNSOverride: {0}".format(dnsoverride))
res = d.verify(idx=y, dnsfunc=lambda _x: dnsoverride)
else:
self.dkim_comment = 'Bad {0} bit {1} signature.'.format(d.keysize, d.signature_fields.get(b'a'))
res = d.verify(idx=y)
algo = codecs.decode(d.signature_fields.get(b'a'), 'ascii')
if res:
if algo == 'ed25519-sha256':
self.dkim_comment = ('Good {0} signature'
.format(algo))
else:
self.dkim_comment = ('Good {0} bit {1} signature'
.format(d.keysize, algo))
else:
self.dkim_comment = ('Bad {0} bit {1} signature.'
.format(d.keysize, algo))
except dkim.DKIMException as x:
self.dkim_comment = str(x)
if milterconfig.get('Syslog'):
@@ -238,35 +292,75 @@ class dkimMilter(Milter.Base):
except Exception as x:
self.dkim_comment = str(x)
if milterconfig.get('Syslog'):
syslog.syslog("check_dkim: {0}".format(x))
self.header_i = d.signature_fields.get(b'i')
self.header_d = d.signature_fields.get(b'd')
self.header_a = d.signature_fields.get(b'a')
if res:
syslog.syslog("check_dkim: Internal program fault while verifying: {0}".format(x))
try:
# i= is optional and dkimpy is fine if it's not provided
self.header_i = codecs.decode(d.signature_fields.get(b'i'), 'ascii')
except TypeError as x:
self.header_i = None
try:
self.header_d = codecs.decode(d.signature_fields.get(b'd'), 'ascii')
self.header_a = codecs.decode(d.signature_fields.get(b'a'), 'ascii')
except Exception as x:
self.dkim_comment = str(x)
if milterconfig.get('Syslog'):
syslog.syslog('DKIM: Pass ({0})'.format(d.domain))
self.dkim_domain = d.domain
syslog.syslog("check_dkim: Internal proram fuault extracting header a or d: {0}".format(x))
self.header_d = None
if not self.header_a:
self.header_a = 'rsa-sha256'
if res:
if (milterconfig.get('Syslog') and
(milterconfig.get('SyslogSuccess') or
milterconfig.get('debugLevel') >= 1)):
syslog.syslog('{0}: {1} DKIM signature verified (s={2} '
'd={3})'.format(self.getsymval('i'),
d.signature_fields.get(b'a').decode(),
d.signature_fields.get(b's').decode(),
d.domain.decode().lower()))
self.dkim_domain = d.domain.lower()
else:
if milterconfig.get['DiagnosticDirectory']:
fd,fname = tempfile.mkstemp(".dkim")
with os.fdopen(fd,"w+b") as fp:
if milterconfig.get('DiagnosticDirectory'):
fd, fname = tempfile.mkstemp(".dkim")
with os.fdopen(fd, "w+b") as fp:
fp.write(txt)
if milterconfig.get('Syslog'):
syslog.syslog('DKIM: Fail (saved as {0})'.format(fname))
syslog.syslog('DKIM: Fail (saved as {0})'
.format(fname))
else:
syslog.syslog('DKIM: Fail ({0})'.format(d.domain))
if milterconfig.get('Syslog'):
if d.domain:
syslog.syslog('DKIM: Fail ({0})'
.format(d.domain.lower()))
else:
syslog.syslog('DKIM: Fail, unextractable domain')
if res:
result = 'pass'
else:
result = 'fail'
res = False
if self.header_d:
self.arresults.append(
authres.DKIMAuthenticationResult(result=result,
header_i = self.header_i, header_d = self.header_d, header_a = self.header_a,
result_comment = self.dkim_comment)
header_i=self.header_i,
header_d=self.header_d,
header_a=self.header_a,
result_comment=
self.dkim_comment)
)
self.header_a = None
return
# get parent domain to be signed for if fdomain is a subdomain
def _get_parent_domain(fdomain, domains):
for domain in domains:
rhs = '.'+domain
# compare right hand side of fdomain against .domain
if fdomain[-len(rhs):] == rhs:
# return parent domain on match
return domain
# or return the fdomain itself
return fdomain
def main():
# Ugh, but there's no easy way around this.
global milterconfig
@@ -274,15 +368,16 @@ def main():
global privateEd25519
privateRSA = False
privateEd25519 = False
configFile = '/etc/dkimpy-milter.conf'
configFile = '/usr/local/etc/dkimpy-milter.conf'
if len(sys.argv) > 1:
if sys.argv[1] in ( '-?', '--help', '-h' ):
if sys.argv[1] in ('-?', '--help', '-h'):
print('usage: dkimpy-milter [<configfilename>]')
sys.exit(1)
configFile = sys.argv[1]
milterconfig = config._processConfigFile(filename = configFile)
milterconfig = config._processConfigFile(filename=configFile)
if milterconfig.get('Syslog'):
facility = eval("syslog.LOG_{0}".format(milterconfig.get('SyslogFacility').upper()))
facility = eval("syslog.LOG_{0}"
.format(milterconfig.get('SyslogFacility').upper()))
syslog.openlog(os.path.basename(sys.argv[0]), syslog.LOG_PID, facility)
setExceptHook()
pid = write_pid(milterconfig)
@@ -294,12 +389,23 @@ def main():
Milter.set_flags(Milter.CHGHDRS + Milter.ADDHDRS)
miltername = 'dkimpy-filter'
socketname = milterconfig.get('Socket')
if milterconfig.get('Syslog'):
syslog.syslog('dkimpy-milter started:{0} user:{1}'.format(pid,milterconfig.get('UserID')))
sys.stdout.flush()
Milter.runmilter(miltername,socketname,240)
own_socketfile(milterconfig)
if socketname is None:
if int(os.environ.get('LISTEN_PID', '0')) == os.getpid():
lfds = os.environ.get('LISTEN_FDS')
if lfds is not None:
if lfds != '1':
syslog.syslog('LISTEN_FDS is set to "{0}", but we only know how to deal with "1", ignoring it'.
format(lfds))
else:
socketname = 'fd:3'
if socketname is None:
socketname = 'local:/var/run/dkimpy-milter/dkimpy-milter.sock'
drop_privileges(milterconfig)
sys.stdout.flush()
if milterconfig.get('Syslog'):
syslog.syslog('dkimpy-milter starting:{0} user:{1}'
.format(pid, milterconfig.get('UserID')))
Milter.runmilter(miltername, socketname, 240)
if __name__ == "__main__":
main()
dkimpy_milter/__main__.py
+6
View File
@@ -0,0 +1,6 @@
#!/usr/bin/python3
from dkimpy_milter import main
if __name__ == "__main__":
main()
dkimpy_milter/config.py
+120 -99
View File
@@ -27,36 +27,38 @@
import syslog
import os
import sys
import re
import urllib
import stat
import dkim
import socket
import ipaddress
from dnsplug import Session
from .dnsplug import Session
# default values
defaultConfigData = {
'Syslog' : 'yes',
'SyslogFacility' : 'mail',
'UMask' : 007,
'Mode' : 'sv',
'Socket' : 'local:/var/run/dkimpy-milter/dkimpy-milter.sock',
'PidFile' : '/var/run/dkimpy-milter/dkimpy-milter.pid',
'UserID' : 'dkimpy-milter',
'Canonicalization' : 'relaxed/simple',
'InternalHosts' : '127.0.0.1',
'InternalHostsObj' : False,
'DiagnosticDirectory' : ''
'Syslog': 'yes',
'SyslogFacility': 'mail',
'UMask': 0o07,
'Mode': 'sv',
'Socket': None,
'PidFile': None,
'UserID': 'dkimpy-milter',
'Canonicalization': 'relaxed/simple',
'InternalHosts': '127.0.0.1',
'IntHosts': False,
'DiagnosticDirectory': '',
'MacroList': '',
'MacroListVerify': '',
'DNSOverride': None,
'SubDomains': False,
'debugLevel': 0 # Undocumented config item for developer use
}
#################################
class ConfigException(Exception):
'''Exception raised when there's a configuration file error.'''
pass
#################################
class HostsDataset(object):
'''Hold a group of host related dataset objects'''
@@ -84,35 +86,42 @@ class HostsDataset(object):
self.item = item[1:]
self.negative = True
try:
self.item = ipaddress.ip_address(unicode(self.item, "utf-8"))
if isinstance(self.item, ipaddress.IPv4Address): self.isipv4 = True
elif isinstance(self.item, ipaddress.IPv6Address): self.isipv6 = True
self.item = ipaddress.ip_address(str(self.item, "utf-8"))
if isinstance(self.item, ipaddress.IPv4Address):
self.isipv4 = True
elif isinstance(self.item, ipaddress.IPv6Address):
self.isipv6 = True
except ValueError as e:
try:
self.item = ipaddress.ip_network(unicode(self.item, "utf-8"), strict=False)
if isinstance(self.item, ipaddress.IPv4Network): self.isipv4cidr = True
elif isinstance(self.item, ipaddress.IPv6Network): self.isipv6cidr = True
self.item = ipaddress.ip_network(str
(self.item, "utf-8"),
strict=False)
if isinstance(self.item, ipaddress.IPv4Network):
self.isipv4cidr = True
elif isinstance(self.item, ipaddress.IPv6Network):
self.isipv6cidr = True
except ValueError as e2:
if self.item[0] == '.' and len(self.item.split('.')) > 2:
self.isdomain = True
elif len(self.item.split('.')) > 1: # It has a '.' in it
self.ishostname = True
else:
raise ConfigException('Unknown dataset item: {0}'.format(item))
raise ConfigException('Unknown dataset item: {0}'
.format(item))
def match(self, connectip):
'''Check if the connect IP is part of the dataset'''
source = ipaddress.ip_address(unicode(connectip, "utf-8"))
source = ipaddress.ip_address(str(connectip, "utf-8"))
for item in self.dataset:
if item.isdomain or item.ishostname:
result = self.matchname(source) # Match host/domain names first
result = self.matchname(source) # Match host/domains first
if result:
return(result)
elif item.isipv4 or item.isipv4cidr:
if isinstance(source, ipaddress.IPv4Address): # Then IPv4/6 addresses
return(self.match4(source)) # or networks depending
elif item.isipv6 or item.isipv6cidr: # on the item type and
if isinstance(source, ipaddress.IPv6Address): # connection type
elif item.isipv4 or item.isipv4cidr: # Then IPv4/6 addresses or
if isinstance(source, ipaddress.IPv4Address): # networks
return(self.match4(source)) # depending on the item type
elif item.isipv6 or item.isipv6cidr: # and connect type
if isinstance(source, ipaddress.IPv6Address):
return(self.match6(source))
def matchname(self, source):
@@ -126,7 +135,7 @@ class HostsDataset(object):
for item in self.dataset:
if item.isdomain:
for ptr in ptrlist:
# Strip the leading '.' off the domain name so exact match works.
# Strip the leading '.' off the domain name for exact match
if item.item[1:] == ptr[-len(item.item)+1:]:
matchdomain = True
negativedomain = item.negative
@@ -152,13 +161,13 @@ class HostsDataset(object):
if isinstance(source, ipaddress.IPv4Address):
ips = s.dns(name, 'A')
for ip in ips:
ip = ipaddress.IPv4Address(unicode(ip, 'UTF-8'))
ip = ipaddress.IPv4Address(str(ip, 'UTF-8'))
if ip == source:
results.append(name)
if isinstance(source, ipaddress.IPv6Address):
ips = s.dns(name, 'AAAA')
for ip in ips:
ip = ipaddress.IPv6Address(unicode(ip, 'UTF-8'))
ip = ipaddress.IPv6Address(str(ip, 'UTF-8'))
if ip == source:
results.append(name)
return results
@@ -211,24 +220,19 @@ class HostsDataset(object):
match = False
return(match)
def dump(self):
for item in self.dataset:
print 'name: {0} ip4: {1} cidr4: {2} ip6: {3} cidr6: {4} host: {5} domain: {6} negat: {7} type: {8}'.format(item.item,
item.isipv4, item.isipv4cidr, item.isipv6, item.isipv6cidr, item.ishostname, item.isdomain,
item.negative, type(item.item))
####################################################################
def _processConfigFile(filename = None, configdata = None, useSyslog = 1,
useStderr = 0):
def _processConfigFile(filename=None, configdata=None, useSyslog=1,
useStderr=0):
'''Load the specified config file, exit and log errors if it fails,
otherwise return a config dictionary.'''
import config
if configdata == None: configdata = config.defaultConfigData
if filename != None:
from . import config
if configdata is None:
configdata = config.defaultConfigData
if filename is not None:
try:
_readConfigFile(filename, configdata)
except Exception, e:
except Exception as e:
raise
if useSyslog:
syslog.syslog(e.args[0])
@@ -237,7 +241,7 @@ def _processConfigFile(filename = None, configdata = None, useSyslog = 1,
sys.exit(1)
return(configdata)
####################
def _find_boolean(item):
if type(item) == int:
item = str(item)
@@ -248,14 +252,15 @@ def _find_boolean(item):
else:
raise dkim.ParameterError()
return item
####################
def _calculate_authserv_id(as_id):
def _make_authserv_id(as_id):
"""Determine AuthservID if needed"""
if as_id == 'HOSTNAME':
as_id = socket.gethostname()
return as_id
####################
def _dataset_to_list(dataset):
"""Convert a dataset (as defined in dkimpymilter.8) and return a python
list of values."""
@@ -291,78 +296,82 @@ def _dataset_to_list(dataset):
else:
return [dataset.strip().strip(',')]
if dataset[-3:] == '.db' or dataset[:3] == 'db:':
# This is a Sleepycat (Oracle) DB dataset
import whichdb # Will need rewriting someday for python3
if dataset[-3:] == '.db':
dbname = dataset
elif dataset[:3] == 'db:':
dbname = dataset[3:]
else:
raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
if whichdb.whichdb(dbname) != 'dbhash':
raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
#TODO replace this with code to use db maps
raise dkim.ParameterError('Unsupported dataset db dataset not yet used: {0}'.format(type(dataset)))
# This is a Sleepycat (Oracle) DB dataset, which we dont support
raise dkim.ParameterError('Unsupported dataset db datase: {0}'
.format(type(dataset)))
raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
raise dkim.ParameterError('Unimplmented dataset type: {0}'
.format(type(dataset)))
###############################################################
commentRx = re.compile(r'^(.*)#.*$')
def _readConfigFile(path, configData = None, configGlobal = {}):
def _readConfigFile(path, configData=None, configGlobal={}):
'''Reads a configuration file from the specified path, merging it
with the configuration data specified in configData. Returns a
dictionary of name/value pairs based on configData and the values
read from path.'''
debugLevel = configGlobal.get('debugLevel', 0)
if debugLevel >= 5: syslog.syslog('readConfigFile: Loading "%s"' % path)
if configData == None: configData = {}
# No config file data is available yet, so to debug _readConfigFile, set
# the value here.
debugLevel = 0
if debugLevel >= 5:
syslog.syslog('readConfigFile: Loading "%s"' % path)
if configData is None:
configData = {}
nameConversion = {
'AuthservID' : 'str',
'Syslog' : 'bool',
'SyslogFacility' : 'str',
'SyslogSuccess' : 'bool',
'UMask' : 'int',
'Mode' : 'str',
'Socket' : 'str',
'PidFile' : 'str',
'UserID' : 'str',
'Domain' : 'dataset',
'KeyFile' : 'str',
'KeyFileEd25519' : 'str',
'Selector' : 'str',
'AuthservID': 'str',
'Syslog': 'bool',
'SyslogFacility': 'str',
'SyslogSuccess': 'bool',
'UMask': 'int',
'Mode': 'str',
'Socket': 'str',
'PidFile': 'str',
'UserID': 'str',
'Domain': 'dataset',
'SubDomains': 'bool',
'KeyFile': 'str',
'KeyFileEd25519': 'str',
'Selector': 'str',
'SelectorEd25519': 'str',
'Canonicalization' : 'str',
'InternalHosts' : 'dataset',
'InternalHostsObj': 'bool',
'DiagnosticDirectory' : 'str'
'Canonicalization': 'str',
'InternalHosts': 'dataset',
'IntHosts': 'bool',
'DiagnosticDirectory': 'str',
'MacroList': 'dataset',
'MacroListVerify': 'dataset',
'DNSOverride': 'str',
'debugLevel': 'int'
}
# check to see if it's a file
try:
mode = os.stat(path)[0]
except OSError, e:
syslog.syslog(syslog.LOG_ERR,'ERROR stating "%s": %s' % ( path, e.strerror ))
except OSError as e:
syslog.syslog(syslog.LOG_ERR, 'ERROR stating "%s": %s'
% (path, e.strerror))
return(configData)
if not stat.S_ISREG(mode):
syslog.syslog(syslog.LOG_ERR,'ERROR: is not a file: "%s", mode=%s' % ( path, oct(mode) ))
syslog.syslog(syslog.LOG_ERR, 'ERROR: is not a file: "%s", mode=%s'
% (path, oct(mode)))
return(configData)
# load file
fp = open(path, 'r')
while 1:
line = fp.readline()
if not line: break
if not line:
break
# parse line
line = line.split('#', 1)[0].strip()
if not line: continue
if not line:
continue
data = line.split()
if len(data) != 2:
if len(data) == 1:
if debugLevel >= 1:
syslog.syslog('Configuration item "%s" not defined in file "%s"'
% ( line, path ))
syslog.syslog('Config item "%s" not defined in file "%s"'
% (line, path))
if len(data) == 1:
name = data
value = ''
@@ -373,28 +382,40 @@ def _readConfigFile(path, configData = None, configGlobal = {}):
value = data[1:]
# check validity of name
try:
conversion = nameConversion.get(name)
if conversion == None:
syslog.syslog('ERROR: Unknown name "%s" in file "%s"' % ( name, path ))
except TypeError:
name = name[0]
syslog.syslog('Config item "%s" does not provide a value in file "%s"'
% (name, path))
conversion = None
if conversion is None:
syslog.syslog('ERROR: Unknown name or name missing value "%s" in file "%s"'
% (name, path))
continue
if debugLevel >= 5: syslog.syslog('readConfigFile: Found entry "%s=%s"'
% ( name, value ))
if debugLevel >= 5:
syslog.syslog('readConfigFile: Found entry "%s=%s"'
% (name, value))
if conversion == 'bool':
configData[name] = _find_boolean(value)
elif conversion == 'str':
if isinstance(value, list):
configData[name] = line.split(None, 1)[1]
else:
configData[name] = str(value)
elif conversion == 'int':
configData[name] = int(value)
elif conversion == 'dataset':
configData[name] = _dataset_to_list(value)
else:
syslog.syslog(str('name: ' + name + ' value: ' + value + ' conversion: ' + conversion))
syslog.syslog(str('name: ' + name + ' value: ' + value +
' conversion: ' + conversion))
configData[name] = conversion(value)
fp.close()
try:
configData['AuthservID'] = _calculate_authserv_id(configData['AuthservID'])
configData['InternalHostsObj'] = HostsDataset(configData['InternalHosts'])
configData['AuthservID'] = _make_authserv_id(configData.get('AuthservID', 'HOSTNAME'))
configData['IntHosts'] = HostsDataset(configData['InternalHosts'])
except:
pass
dkimpy_milter/dnsplug.py
+8 -8
View File
@@ -84,7 +84,7 @@ class Session(object):
raise DNSError('Length of CNAME chain exceeds %d' % MAX_CNAME)
cnames[name] = cname
if cname in cnames:
raise DNSError, 'CNAME loop'
raise DNSError('CNAME loop')
result = self.dns(cname, qtype, cnames=cnames)
return result
@@ -103,16 +103,16 @@ def DNSLookup_pydns(name, qtype, tcpfallback=True, timeout=30):
#
if resp.header['tc'] == True:
if not tcpfallback:
raise DNS.DNSError, 'DNS: Truncated UDP Reply, SPF records should fit in a UDP packet'
raise DNS.DNSError('DNS: Truncated UDP Reply, SPF records should fit in a UDP packet')
try:
req = DNS.DnsRequest(name, qtype=qtype, protocol='tcp',
timeout=timeout)
resp = req.req()
except DNS.DNSError, x:
raise DNS.DNSError, 'TCP Fallback error: ' + str(x)
except DNS.DNSError as x:
raise DNS.DNSError('TCP Fallback error: ' + str(x))
return [((a['name'], a['typename']), a['data']) for a in resp.answers]
except IOError, x:
raise DNS.DNSError, 'DNS: ' + str(x)
except IOError as x:
raise DNS.DNSError('DNS: ' + str(x))
def DNSLookup_dnspython(name,qtype,tcpfallback=True,timeout=30):
retVal = []
@@ -164,5 +164,5 @@ if __name__ == '__main__':
import sys
s = Session()
for n,t in zip(*[iter(sys.argv[1:])]*2):
print n,t
print s.dns(n,t)
print(n,t)
print(s.dns(n,t))
dkimpy_milter/util.py
+48 -26
View File
@@ -16,6 +16,7 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
def fold(header):
"""Fold a header line into multiple crlf-separated lines at column 72.
Borrowed from dkimpy and updated to only add \n instead of \r\n because
@@ -46,9 +47,9 @@ def fold(header):
j = i + 1
pre += header[:j] + b"\n "
header = header[j:]
namelen = 0
return pre + header
def user_group(userid):
"""Return user and group from UserID"""
import grp
@@ -64,13 +65,14 @@ def user_group(userid):
running_gid = grp.getgrnam(gidname).gr_gid
return running_uid, running_gid
def drop_privileges(milterconfig):
import os
import syslog
if os.getuid() != 0:
if milterconfig.get('Syslog'):
syslog.syslog('drop_privileges: Not running as root. Cannot drop permissions.')
syslog.syslog('drop_privileges: Not root. No action taken.')
return
# Get user and group
@@ -86,9 +88,9 @@ def drop_privileges(milterconfig):
# Set umask
old_umask = os.umask(milterconfig.get('UMask'))
#################
class ExceptHook:
def __init__(self, useSyslog = 1, useStderr = 0):
def __init__(self, useSyslog=1, useStderr=0):
self.useSyslog = useSyslog
self.useStderr = useStderr
@@ -104,53 +106,49 @@ class ExceptHook:
sys.stderr.write(line)
####################
def setExceptHook():
import sys
sys.excepthook = ExceptHook(useSyslog = 1, useStderr = 1)
sys.excepthook = ExceptHook(useSyslog=1, useStderr=1)
####################
def write_pid(milterconfig):
"""Write PID in pidfile. Will not overwrite an existing file."""
import os
import syslog
if not os.path.isfile(milterconfig.get('PidFile')):
pidfile = milterconfig.get('PidFile')
if pidfile is None:
return
if not os.path.isfile(pidfile):
pid = str(os.getpid())
try:
f = open(milterconfig.get('PidFile'), 'w')
f = open(pidfile, 'w')
except IOError as e:
if str(e)[:35] == '[Errno 2] No such file or directory':
piddir = milterconfig.get('PidFile').rsplit('/', 1)[0]
piddir = pidfile.rsplit('/', 1)[0]
os.mkdir(piddir)
user, group = user_group(milterconfig.get('UserID'))
os.chown(piddir, user, group)
f = open(milterconfig.get('PidFile'), 'w')
f = open(pidfile, 'w')
if milterconfig.get('Syslog'):
syslog.syslog('Missing pid dir created: {0}'.format(piddir))
syslog.syslog('PID dir created: {0}'.format(piddir))
else:
if milterconfig.get('Syslog'):
syslog.syslog('Unable to write pidfle {0}. IOError: {1}'.format(milterconfig.get('PidFile'), e))
syslog.syslog('Unable to write pidfle {0}. IOError: {1}'
.format(pidfile, e))
raise
f.write(pid)
f.close()
user, group = user_group(milterconfig.get('UserID'))
os.chown(milterconfig.get('PidFile'), user, group)
os.chown(pidfile, user, group)
else:
if milterconfig.get('Syslog'):
syslog.syslog('Unable to write pidfle {0}. File exists.'.format(milterconfig.get('PidFile')))
raise RuntimeError('Unable to write pidfle {0}. File exists.'.format(milterconfig.get('PidFile')))
syslog.syslog('Unable to write pidfle {0}. File exists.'
.format(pidfile))
raise RuntimeError('Unable to write pidfle {0}. File exists.'
.format(pidfile))
return pid
def own_socketfile(milterconfig):
"""If socket is Unix socket, chown to UserID before dropping privileges"""
import os
user, group = user_group(milterconfig.get('UserID'))
if milterconfig.get('Socket')[:1] == '/':
os.chown(milterconfig.get('Socket')[1:], user, group)
if milterconfig.get('Socket')[:6] == "local:":
os.chown(milterconfig.get('Socket')[6:], user, group)
####################
def read_keyfile(milterconfig, keytype):
"""Read private key from file."""
import syslog
@@ -163,10 +161,34 @@ def read_keyfile(milterconfig, keytype):
keylist = f.readlines()
except IOError as e:
if milterconfig.get('Syslog'):
syslog.syslog('Unable to read keyfile {0}. IOError: {1}'.format(keyfile, e))
syslog.syslog('Unable to read keyfile {0}. IOError: {1}'
.format(keyfile, e))
raise
f.close()
key = ''
for line in keylist:
key += line
return key
def read_keytable(milterconfig, tabletype):
"""Read keytables into in memory configuration data so all keys are read
before priviledges are dropped."""
import syslog
if tabletype == "RSA":
tablefile = milterconfig.get('KeyTable')
if tabletype == "Ed25519":
tablefile = milterconfig.get('KeyTableEd25519')
if milterconfig.get(tablefile):
keytabledata = []
try:
f = open(milterconfig.get(tablefile))
for row in f:
keytabledata.append(row)
f.close()
except IOError as e:
if milterconfig.get('Syslog'):
syslog.syslog('Unable to read keytable {0}. IOError: {1}'
.format(tablefile, e))
raise
return keytabledata
etc/dkimpy-milter.conf
+1 -1
View File
@@ -38,7 +38,7 @@ Socket inet:8892@localhost
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /var/run/dkimpy-milter/dkimpy-milter.pid
PidFile /run/dkimpy-milter/dkimpy-milter.pid
## Userid userid
### default dkimpy-milter
man/dkimpy-milter.8
+5 -4
View File
@@ -127,7 +127,6 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "dkimpy-milter 8"
.TH dkimpyy-milter 8
.SH NAME
.B dkimpy
@@ -269,7 +268,7 @@ proposal, and Cisco's
.B Internet Identified Mail
(IIM) proposal.
.SH VERSION
This man page covers version 0.9.4 of
This man page covers version 1.1.0 of
.I dkimpy-milter.
.SH COPYRIGHT
Copyright (c) 2005-2008, Sendmail, Inc. and its suppliers. All rights
@@ -278,7 +277,7 @@ reserved.
Copyright (c) 2009-2013, 2015, The Trusted Domain Project.
All rights reserved.
Copyright (c) 2018 Scott Kitterman <scott@kitterman.com>
Copyright (c) 2018, 2019 Scott Kitterman <scott@kitterman.com>
.SH SEE ALSO
.I dkimpy-milter.conf(5), sendmail(8)
.P
@@ -292,4 +291,6 @@ RFC6376 - DomainKeys Identified Mail
.P
RFC7601 - Message Header Field for Indicating Message Authentication Status
.P
draft-ietf-dcrup-dkim-crypto - A new cryptographic signature method for DKIM
RFC8301 - Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM)
.P
RFC8463 - A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM)
man/dkimpy-milter.conf.5
+99 -19
View File
@@ -127,16 +127,13 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "dkimpy-milter.conf 5"
.TH dkimpy-milter.conf 5 "2018-02-12"
.SH "NAME"
dkimpy-milter \- Python milter for DKIM signing and validation
.SH "VERSION"
.IX Header "VERSION"
0\.9\.2
1\.1\.0
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.I dkimpy-milter(8)
implements the
.B DKIM
@@ -160,18 +157,15 @@ The provided setup.py installs this configuration file in /etc or
Command line invocation of parameters as is done by OpenDKIM is not supported.
.SH "USAGE"
.IX Header "USAGE"
Usage:
dkimpy-milter [/etc/dkimpy-milter.conf]
.SH "OTHER DOCUMENTATION"
.IX Header "OTHER DOCUMENTATION"
This documentation assumes you have read Postfix's README_FILES/MILTER_README
(or Sendmail equivalent) and are generally familiar with Domain Keys Identified
Mail (DKIM). See RFC 6376 for details.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
dkimpy-milter operates with a default installed configuration file and
set of default configuration options that are used if the configuration file
@@ -181,14 +175,12 @@ files can be used directly. Not all OpenDKIM options are supported. If an
unsupported option from OpenDKIM is specified, an error will be raised.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Configuration options are described here and in the configuration file
provided with the package. The provided setup.py installs this configuration
file in /etc or /usr/local/etc.
.SH "OPTIONS"
.IX Header "OPTIONS"
.TP
.I AuthservID (string)
@@ -229,12 +221,16 @@ domains will be verified rather than being signed.
This parameter is not required if a
.I SigningTable
or
.I SigningTableEd25519
is in use; in that case, the list of signed domains is implied by the
lines in that file. [SigningTable NOT IMPLEMENTED]
lines in that file.
This parameter is ignored if a
.I KeyTable
is defined. [KeyTable NOT IMPLEMENTED]
or
.I KeyTableD25119
is defined.
.TP
.I InternalHosts (dataset)
@@ -252,15 +248,62 @@ address explicitly. [PeerList NOT IMPLEMENTED]
Gives the location of a PEM-formatted private key to be used for RSA signing
all messages. Ignored if a
.I KeyTable
is defined. [KeyTable NOT IMPLEMENTED]
is defined.
.TP
.I KeyFileEd25119 (string)
.I KeyFileEd25519 (string)
Gives the location of a Ed25519 private key to be used for Ed25519 signing
all messages. File is the Base64 encoded output of RFC 8032 Ed25519 private Key
generation (as used in dkimpy). Ignored if a
.I KeyTableEd25519
is defined. [KeyTableEd25519 NOT IMPLEMENTED]
is defined.
.TP
.I KeyTable (dataset)
Gives the location of a file mapping key names to RSA signing keys. If present, overrides any KeyFile setting in the configuration file. The data set named here maps each key name to three values: (a) the name of the domain to use in the signatures "d=" value; (b) the name of the selector to use in the signatures "s=" value; and (c) the path to a file containing a private key. If the first value consists solely of a percent sign ("%") character, it will be replaced by the apparent domain of the sender when generating a signature. The third value must start with a slash ("/") character, or "./" or "../" to indicate it refers to a file from which the private key should be read. The SigningTable (see below) is used to select records from this table to be used to add signatures based on the message sender. NOTE: direct specification of keys in the table as is done by OpenDKIM is not supported.
.TP
.I KeyTableEd25519 (dataset)
Gives the location of a file mapping key names to Ed25519 signing keys. If present, overrides any KeyFile setting in the configuration file. The data set named here maps each key name to three values: (a) the name of the domain to use in the signatures "d=" value; (b) the name of the selector to use in the signatures "s=" value; and (c) the path to a file containing a private key. If the first value consists solely of a percent sign ("%") character, it will be replaced by the apparent domain of the sender when generating a signature. The third value must start with a slash ("/") character, or "./" or "../" to indicate it refers to a file from which the private key should be read. The SigningTable (see below) is used to select records from this table to be used to add signatures based on the message sender. NOTE: direct specification of keys in the table as is done by OpenDKIM is not support
ed.
.TP
.I MacroList (dataset)
Defines a set of MTA-provided
.I macros
that should be checked to see if the sender has been determined to be a
local user and therefore whether or not the message should be signed. If
a
.I value
is specified matching a macro name in the data set, the value of the macro
must match a value specified (matching is case-sensitive), otherwise the
macro must be defined but may contain any value. The set is empty by
default, meaning macros are not considered when making the sign-verify
decision. The general format of the value is
.I value1[|value2[|...]];
if one or more value is defined then the macro must be set to one of the
listed values, otherwise the macro must be set but can contain any
value.
In order for the macro and its value to be available to the filter for
checking, the MTA must send it during the protocol exchange. This is either
accomplished via manual configuration of the MTA to send the desired macros
or, for MTA/filter combinations that support the feature, the filter can
request those macros that are of interest. The latter is a feature negotiated
at the time the filter receives a connection from the MTA and its availability
depends upon the version of milter used to compile the filter and the version
of the MTA making the connection.
.TP
.I MacroListVerify (dataset)
Defines a set of MTA-provided
.I macros
that should be checked to see if the sender has been determined to be an
external source and therefore whether or not the message should be signed.
Entries in this data set follow the same form as those of the
.I MacroList
option above. [this option is not inhereted from OpenDKIM]
.TP
.I Mode (string)
@@ -280,7 +323,13 @@ When signing mode is enabled, one of the following combinations must also
be set:
(a) Domain, KeyFile, Selector, no KeyTable, no SigningTable;
(b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
[fooTable options NOT IMPLEMENTED]
.TP
.I DNSOverride (string)
Provide a text string that a verifying milter should use instead of
consulting the DNS on each message. This is useful primarily for
testing purposes in environments where it is awkward to modify the
system DNS resolution. It should not be used in production.
.TP
.I PeerList (dataset)
@@ -302,7 +351,7 @@ will be checked. [PeerList NOT IMPLEMENTED - included for reference only]
.TP
.I PidFile (string)
Specifies the path to a file that should be created at process start
containing the process ID.
containing the process ID. If not specified, no such file will be created.
.TP
.I Selector (string)
@@ -316,7 +365,7 @@ parameter below for more information.
This parameter is ignored if a
.I KeyTable
is defined. [KeyTable NOT IMPLEMENTED]
is defined.
.TP
.I SelectorEd25519 (string)
@@ -330,7 +379,33 @@ parameter below for more information.
This parameter is ignored if a
.I KeyTableEd25519
is defined. [KeyTable NOT IMPLEMENTED]
is defined.
.TP
.I SigningTable (dataset)
Defines a table used to select one or more signatures to apply to a message based on the address found in the From: header field. Keys in this table vary depending on the type of table used; values in this data set should include one field that contains a name found in the KeyTable (see above) that identifies which key should be used in generating the signature, and an optional second field naming the signer of the message that will be included in the "i=" tag in the generated signature. Note that the "i=" value will not be included in the signature if it conflicts with the signing domain (the "d=" value).
If the first field contains only a "%" character, it will be replaced by the domain found in the From: header field. Similarly, within the optional second field, any "%" character will be replaced by the domain found in the From: header field.
If this table specifies a regular expression file ("refile"), then the keys are wildcard patterns that are matched against the address found in the From: header field. Entries are checked in the order in which they appear in the file. ["refile support not implemented"].
For all other database types, the full user@host is checked first, then simply host, then user@.domain (with all superdomains checked in sequence, so "foo.example.com" would first check "user@foo.example.com", then "user@.example.com", then "user@.com"), then .domain, then user@*, and finally *.
In any case, only the first match is applied.
.TP
.I SigningTableEd25519 (dataset)
Defines a table used to select one or more signatures to apply to a message based on the address found in the From: header field. Keys in this table vary depending on the type of table used; values in this data set should include one field that contains a name found in the KeyTable (see above) that identifies which key should be used in generating the signature, and an optional second field naming the signer of the message that will be included in the "i=" tag in the generated signature. Note that the "i=" value will not be included in the signature if it conflicts with the signing domain (the "d=" value).
If the first field contains only a "%" character, it will be replaced by the domain found in the From: header field. Similarly, within the optional second field, any "%" character will be replaced by the domain found in the From: header field.
If this table specifies a regular expression file ("refile"), then the keys are wildcard patterns that are matched against the address found in the From: header field. Entries are checked in the order in which they appear in the file. ["refile support not implemented"].
For all other database types, the full user@host is checked first, then simply host, then user@.domain (with all superdomains checked in sequence, so "foo.example.com" would first check "user@foo.example.com", then "user@.example.com", then "user@.com"), then .domain, then user@*, and finally *.
In any case, only the first match is applied.
.TP
.I Socket (string)
@@ -355,6 +430,12 @@ is not given as either a hostname or an IP address, the socket will be
listening on all interfaces. A literal IP address must be enclosed in
square brackets. This option is mandatory in the configuration file.
.TP
.I SubDomains (Boolean)
Sign subdomains of those listed by the
.I Domain
parameter as well as the actual domains.
.TP
.I Syslog (Boolean)
Log via calls to
@@ -404,7 +485,6 @@ unless an alternate
is specified.
.SH "AUTHORS"
.IX Header "AUTHORS"
\ddkimpy-milter\fR was written by Scott Kitterman <scott@kitterman.com>.
It is based on dkimpy-milter.py Copyright (c) 2001-2013 Business Management Systems, Inc.
Copyright (c) 2013-2015 Stuart D. Gathman
setup.py
+15 -9
View File
@@ -1,7 +1,7 @@
#! /usr/bin/python
#! /usr/bin/python3
# dkimpy-milter: A DKIM signing/verification Milter application
# Author: Scott Kitterman <scott@kitterman.com>
# Copyright 2018 Scott Kitterman
# Copyright 2018,2019 Scott Kitterman
""" This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -18,26 +18,32 @@
from setuptools import setup
import os
import dkimpy_milter
description = "Domain Keys Identified Mail (DKIM) signing/verifying milter for Postfix/Sendmail."
kw = {} # Work-around for lack of 'or' requires in setuptools.
try:
import dns
kw['install_requires'] = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'dnspython']
except ImportError: # If PyDNS is not installed, prefer dnspython
kw['install_requires'] = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'Py3DNS']
setup(
name='dkimpy-milter',
version=dkimpy_milter.__version__,
version='1.1.4',
author='Scott Kitterman',
author_email='scott@kitterman.com',
url='https://launchpad.net/dkimpy-milter',
description=description,
download_url = "https://pypi.python.org/pypi/dkimpy-milter",
classifiers= [
'Development Status :: 3 - Alpha',
'Development Status :: 5 - Production/Stable',
'Environment :: No Input/Output (Daemon)',
'Intended Audience :: System Administrators',
'License :: OSI Approved :: GNU General Public License (GPL)',
'Natural Language :: English',
'Operating System :: POSIX',
'Programming Language :: Python :: 2 :: Only',
'Programming Language :: Python :: 3 :: Only',
'Topic :: Communications :: Email :: Mail Transport Agents',
'Topic :: Communications :: Email :: Filters',
'Topic :: Security',
@@ -52,9 +58,9 @@ setup(
data_files=[(os.path.join('share', 'man', 'man5'),
['man/dkimpy-milter.conf.5']), (os.path.join('share', 'man', 'man8'),
['man/dkimpy-milter.8']), ('etc', ['etc/dkimpy-milter.conf']),
(os.path.join('/lib', 'systemd', 'system'),
['system/dkimpy-milter.service']),(os.path.join('/etc', 'init.d'),
(os.path.join('lib', 'systemd', 'system'),
['system/dkimpy-milter.service']),(os.path.join('etc', 'init.d'),
['system/dkimpy-milter'])],
install_requires = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'ipaddress', 'dns'],
zip_safe = False,
**kw
)
system/dkimpy-milter
Regular → Executable
+9 -9
View File
@@ -13,8 +13,6 @@
# Provides: dkim-milter dkim-milter-python dkimpy-milter
# Required-Start: $remote_fs $syslog $network $time
# Required-Stop: $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: dkimpy-milter
@@ -22,16 +20,16 @@
### END INIT INFO
prefix="/usr/local"
exec_prefix=${prefix}
sysconfdir="/etc/dkimpy-milter"
sysconfdir="/usr/local/etc"
bindir="${exec_prefix}/bin/"
RUNDIR="/var/run/dkimpy-milter"
RUNDIR="/run/dkimpy-milter"
DAEMON=${bindir}/dkimpy-milter
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:
NAME=dkimpy-milter
DESC="Python DKIM Milter"
USER=dkimpy-milter
GROUP=dkimpy-milter
SOCKET=$RUNDIR/dkimpy-milter.pid
SOCKET=$RUNDIR/dkimpy-milter.sock
test -x $DAEMON || exit 0
@@ -69,14 +67,14 @@ case "$1" in
fi
fi
fi
start-stop-daemon --start --chuid $USER --background --quiet --pidfile \
start-stop-daemon --start --background --quiet --pidfile \
$RUNDIR/$NAME.pid --exec $DAEMON $sysconfdir/$NAME.conf
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
if [ -f $RUNDIR/$NAME.pid ]; then
chown root:root $RUNDIR/$NAME.pid
start-stop-daemon --stop --pidfile $RUNDIR/$NAME.pid
rm $RUNDIR/$NAME.pid
#echo $SOCKET
@@ -89,6 +87,7 @@ case "$1" in
force-reload)
echo -n "Force reloading $DESC: "
if [ -f $RUNDIR/$NAME.pid ]; then
chown root:root $RUNDIR/$NAME.pid
start-stop-daemon --stop --pidfile $RUNDIR/$NAME.pid
rm $RUNDIR/$NAME.pid
#echo $SOCKET
@@ -97,7 +96,7 @@ case "$1" in
fi
fi
sleep 1
start-stop-daemon --start --chuid $USER --background --quiet --pidfile \
start-stop-daemon --start --background --quiet --pidfile \
$RUNDIR/$NAME.pid --exec $DAEMON $sysconfdir/$NAME.conf
echo "$NAME."
;;
@@ -105,6 +104,7 @@ case "$1" in
echo "Restarting $DESC: "
echo -n "Stopping $DESC: "
if [ -f $RUNDIR/$NAME.pid ]; then
chown root:root $RUNDIR/$NAME.pid
start-stop-daemon --stop --pidfile $RUNDIR/$NAME.pid
rm $RUNDIR/$NAME.pid
#echo $SOCKET
@@ -115,7 +115,7 @@ case "$1" in
echo "$NAME."
sleep 1
echo -n "Starting $DESC: "
start-stop-daemon --start --chuid $USER --background --quiet --pidfile \
start-stop-daemon --start --background --quiet --pidfile \
$RUNDIR/$NAME.pid --exec $DAEMON $sysconfdir/$NAME.conf
echo "$NAME."
;;
system/dkimpy-milter.service
+4 -3
View File
@@ -1,11 +1,12 @@
[Unit]
Description=DKIMpy Milter
After=syslog.target network.target
Documentation=man:dkimpy-milter(8) man:dkimpy-milter.conf(5)
After=network.target
[Service]
Type=simple
PIDFile=/var/run/dkimpy-milter/dkimpy-milter.pid
ExecStart=/usr/local/bin/dkimpy-milter
PIDFile=/run/dkimpy-milter/dkimpy-milter.pid
ExecStart=/usr/local/bin/dkimpy-milter /usr/local/etc/dkimpy-milter.conf
[Install]
WantedBy=multi-user.target
system/socket-activation/README.md
+32
View File
@@ -0,0 +1,32 @@
This directory contains example systemd unit files for running a
supervised, socket-activated instance of dkimpy-milter.
There are several advantages of using socket activation:
- dkimpy-milter never runs with elevated privileges, they are dropped
before any dkimpy-milter code is executed.
- The socket is opened before dkimpy-milter runs. This means that
clients can connect() to the socket immediately. So even if there
is a delay in dkimpy-milter startup, or in libmilter itself, the
connection will not fail.
- You can set the privileges of a listening Unix-domain socket by an
override of ListenGroup= in dkimpy-milter.socket (see
systemd.unit(5) for how to override). This lets you control who has
access to the daemon with finer granularity than is available with
dkimpy-milter on its own.
- dkimpy-milter will not consume system resources if it is not used.
- A fully-supervised dkimpy-milter needs no PIDFile, UMask, UserID, or
Socket configuation. This eliminates common race conditions and
startup failures, and simplifies the resulting configuration file.
There is one downside to using socket activation:
- it will only work on systems where libmilter can support connection
strings like "fd:3". This has been supported on Debian and derived
systems since sendmail 8.14.4-6 (before Debian Jessie, in early
2014), see for example:
https://sources.debian.org/src/sendmail/8.15.2-8/debian/patches/socket_activation.patch/
system/socket-activation/dkimpy-milter.service
+11
View File
@@ -0,0 +1,11 @@
[Unit]
Description=DKIMpy Milter
Documentation=man:dkimpy-milter(8) man:dkimpy-milter.conf(5)
Requires=dkimpy-milter.socket
[Service]
ExecStart=/usr/bin/dkimpy-milter /etc/dkimpy-milter.conf
User=dkimpy-milter
[Install]
Also=dkimpy-milter.socket
system/socket-activation/dkimpy-milter.socket
+12
View File
@@ -0,0 +1,12 @@
[Unit]
Description=DKIMpy Milter socket
Documentation=man:dkimpy-milter(8) man:dkimpy-milter.conf(5)
[Socket]
ListenStream=/run/dkimpy-milter/dkimpy-milter.sock
SocketMode=0660
# override SocketGroup to grant access to members of another system group:
SocketGroup=dkimpy-milter
[Install]
WantedBy=sockets.target
tests/00_minimal.miltertest
+12
View File
@@ -0,0 +1,12 @@
-- -*- lua -*-
for _, keytype in ipairs({"ed25519", "rsa"}) do
for _, func in ipairs({"signing", "verify"}) do
mt.echo("testing "..keytype.." "..func)
conn = mt.connect("unix:"..keytype.."."..func..".sock")
if conn == nil then
error("mt.connect() failed "..keytype.." "..func)
end
mt.disconnect(conn)
mt.echo(keytype.." "..func.." complete")
end
end
tests/01_connect.miltertest
Executable
+40
View File
@@ -0,0 +1,40 @@
-- -*- lua -*-
for _, keytype in ipairs({"ed25519", "rsa"}) do
for _, func in ipairs({"signing", "verify"}) do
mt.echo("testing "..keytype.." "..func)
conn = mt.connect("unix:"..keytype.."."..func..".sock")
if conn == nil then
error("mt.connect() failed "..keytype.." "..func)
end
if mt.conninfo(conn, "localhost", "127.0.0.1") ~= nil then
error("mt.conninfo() failed "..keytype.." "..func)
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error("mt.conninfo() unexpected reply "..keytype.." "..func)
end
if mt.test_action(conn, SMFIF_ADDHDRS) then
print("could add headers "..keytype.." "..func)
else
error("mt.test_action() says could not add headers "..keytype.." "..func)
end
if mt.test_action(conn, SMFIF_CHGHDRS) then
print("could change headers "..keytype.." "..func)
else
error("mt.test_action() says could not change headers "..keytype.." "..func)
end
-- -- FIXME: this part of the test fails, as apparently the
-- -- dkimpy-milter claims the right to change the body of a message,
-- -- even though it shouldn't. How can we fix the negotiation?
-- if mt.test_action(conn, SMFIF_CHGBODY) then
-- error("mt.test_action() says could change body "..keytype.." "..func)
-- else
-- print("could not change body "..keytype.." "..func)
-- end
mt.disconnect(conn)
mt.echo(keytype.." "..func.." test complete")
end
end
tests/02_sign_message.miltertest
+100
View File
@@ -0,0 +1,100 @@
-- -*- lua -*-
msg = {
['headers'] = {
['From'] = 'Alice <alice@example.net>',
['Message-Id'] = '<dkimpy-milter-test-02@example.net>',
['To'] = 'Bob <bob@example.biz>',
['Date'] = 'Mon, 18 Feb 2019 08:32:50 -0500',
['Subject'] = 'Signing test',
['Content-Type'] = 'text/plain',
},
['body'] = "This is a test!\r\n",
}
-- returns miltertest connection object
function connect_and_send (sockname, headers, body)
conn = mt.connect(sockname)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "localhost", "127.0.0.1") ~= nil then
error "mt.conninfo() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.conninfo() unexpected reply"
end
-- mt.macro(conn, SMFIC_MAIL, "i", "simple-message")
if mt.mailfrom(conn, "<alice@example.net>") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- mt.rcptto() is called implicitly
-- send headers
for key,value in pairs(headers) do
if mt.header(conn, key, value) ~= nil then
error("mt.header(" .. key .. ") failed")
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error("mt.header(" .. key .. ") unexpected reply")
end
end
-- send EOH
if mt.eoh(conn) ~= nil then
error "mt.eoh() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.eoh() unexpected reply"
end
-- send body
if mt.bodystring(conn, body) ~= nil then
error "mt.bodystring() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.bodystring() unexpected reply"
end
-- end of message; let the filter react
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
reply = mt.getreply(conn)
if reply ~= SMFIR_CONTINUE then
error ("mt.eom() unexpected reply: " .. reply)
end
return conn
end
for _, keytype in ipairs({"ed25519", "rsa"}) do
mt.echo("testing "..keytype)
signing = connect_and_send("unix:"..keytype..".signing.sock", msg.headers, msg.body)
-- verify that a test header field got added
if not mt.eom_check(signing, MT_HDRINSERT) then
error "no header added by signer"
end
signature = mt.getheader(signing, "DKIM-Signature", 0)
mt.disconnect(signing)
mt.echo("DKIM-Signature: " .. signature)
msg.headers['DKIM-Signature'] = signature
verify = connect_and_send("unix:"..keytype..".verify.sock", msg.headers, msg.body)
if not mt.eom_check(verify, MT_HDRINSERT) then
error "no header added in verify"
end
authres = mt.getheader(verify, "Authentication-Results", 0)
mt.echo("Authentication-Results: "..authres)
mt.disconnect(verify)
mt.echo(keytype.." complete")
end
tests/dkimpy-milter
Executable
+2
View File
@@ -0,0 +1,2 @@
#!/bin/sh
python3 -m dkimpy_milter "$@"
tests/runtests
Executable
+84
View File
@@ -0,0 +1,84 @@
#!/bin/bash
set -e
WORKDIR=$(mktemp -d)
TESTDIR=$(realpath "$(dirname "$0")")
DKIMPY_MILTER=${DKIMPY_MILTER:-"$TESTDIR/dkimpy-milter"}
KEY_TYPES=(ed25519 rsa)
cd "$WORKDIR"
printf "Testing %s from directory %s\n" "$DKIMPY_MILTER" "$WORKDIR"
for keytype in "${KEY_TYPES[@]}"; do
dknewkey --ktype "$keytype" "testkey.$keytype"
if [ "$keytype" = ed25519 ]; then
keyfile=KeyFileEd25519
selector=SelectorEd25519
else
keyfile=KeyFile
selector=Selector
fi
cat > "$keytype.signing.conf" <<EOF
Domain example.net
$keyfile testkey.$keytype.key
$selector testkey
Socket unix:$keytype.signing.sock
PidFile $keytype.signing.pid
Mode s
UserID $(id --name --user):$(id --name --group)
EOF
cat > "$keytype.verify.conf" <<EOF
Socket unix:$keytype.verify.sock
PidFile $keytype.verify.pid
Mode v
DNSOverride $(cat testkey.$keytype.dns)
UserID $(id --name --user):$(id --name --group)
EOF
done
cleanup() {
echo cleaning up jobs:
jobs
for keytype in "${KEY_TYPES[@]}"; do
for func in signing verify; do
if [ -s "$keytype.$func.pid" ] && kill -0 "$(cat "$keytype.$func.pid")"; then
kill "$(cat $keytype.$func.pid)"
fi
done
done
wait
for keytype in "${KEY_TYPES[@]}"; do
for func in signing verify; do
errdata="$keytype.$func.stderr"
if [ -s "$errdata" ]; then
printf -- "-> %s:\n" "$errdata"
cat "$errdata"
printf -- "-> end %s\n" "$errdata"
fi
done
done
rm -rf "$WORKDIR"
}
for keytype in "${KEY_TYPES[@]}"; do
for func in signing verify; do
PYTHONPATH="$(dirname "$TESTDIR")" "$DKIMPY_MILTER" "$keytype.$func.conf" 2>"$keytype.$func.stderr" &
done
done
trap cleanup EXIT
# ugly ugly (how are we supposed to know that the milters are all ready?):
sleep 2
# uses miltertest from opendkim:
for x in ${TESTS:-"$TESTDIR"/*.miltertest}; do
if ! [ -e "$x" ]; then
if [ -e "$TESTDIR/$x" ]; then
x="$TESTDIR/$x"
fi
fi
printf -- "-> running %s...\n" "$x"
miltertest -s "$x"
done