OpenDKIM doesn't reject unvalidated mails on Centos8 and Archlinux

Open rorusvan opened this issue 5 years ago • 10 comments

There are 3 mail servers (Archlinux, Centos8, Centos7) with similar Opendkim and Postfix configurations. On all of them, these Opendkim options are activated:

    On-BadSignature reject
    On-NoSignature reject
    On-SignatureError reject
    On-KeyNotFound reject

The problem occurs on the new systems, Arch and Centos8. Opendkim verifies incoming mails with a valid signature, but seems not to verify what comes without a signature or with a bad one, thus not rejecting them as expected. The versions are these:

Archlinux:

opendkim: OpenDKIM Filter v2.10.3
	Compiled with OpenSSL 1.1.1h  22 Sep 2020
	SMFI_VERSION 0x1000001
	libmilter version 1.0.1
	Supported signing algorithms:
		rsa-sha1
		rsa-sha256
	Supported canonicalization algorithms:
		relaxed
		simple
	libopendkim 2.10.3:

Centos8:

opendkim: OpenDKIM Filter v2.11.0
	Compiled with OpenSSL 1.1.1c FIPS  28 May 2019
	SMFI_VERSION 0x1000001
	libmilter version 1.0.1
	Supported signing algorithms:
		rsa-sha1
		rsa-sha256
	Supported canonicalization algorithms:
		relaxed
		simple
	Active code options:
		QUERY_CACHE
		USE_DB
		USE_LDAP
		USE_LUA
		USE_ODBX
	libopendkim 2.11.0: query_cache

Centos7:

opendkim: OpenDKIM Filter v2.11.0
	Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
	SMFI_VERSION 0x1000001
	libmilter version 1.0.1
	Supported signing algorithms:
		rsa-sha1
		rsa-sha256
	Supported canonicalization algorithms:
		relaxed
		simple
	Active code options:
		QUERY_CACHE
		USE_DB
		USE_LDAP
		USE_ODBX
	libopendkim 2.11.0: query_cache

That's very strange behaviour: on the old Centos7 it works OK, but on the newest Centos8 and Arch verification is not performed. All the Opendkim packages were installed from the standard repositories. I also tried to compile Opendkim on Arch; unfortunately it didn't help: fake mails without a dkim-signature pass.

rorusvan avatar Nov 13 '20 01:11 rorusvan

This looks related to https://bugzilla.redhat.com/show_bug.cgi?id=1895321

Description of problem:

When I set

    On-KeyNotFound a
    On-NoSignature r
    IgnoreMalformedMail no
    MustBeSigned From
    RequiredHeaders yes

  1. messages which have not to be signed, because no public key is published (sender does not use DKIM) are rejected

  2. Moreover, messages which do not contain any header are passed even if they should be rejected because of missing signature:

         opendkim[****]: **: can't determine message sender; accepting
         sendmail[]: ******: Milter (opendkim) insert (1): header: Authentication-Results: *****; dkim=permerror (bad message/signature format)

Version-Release number of selected component (if applicable): opendkim-2.11.0-0.17.fc33.x86_64

How reproducible: By sending emails.

Steps to Reproduce:

  1. Setup opendkim.
  2. Send mail from domain which does not implement DKIM -> REJECTED and should not be.
  3. Send mail from the outside spoofing local domain without using headers -> ACCEPTED and should not be.

Actual results: Policy not working correctly.

Expected results: Policy working correctly.

Marek Greško 2020-11-06 17:43:30 UTC

The first problem is caused by:

            switch (dfc->mctx_status)
            {
              case DKIMF_STATUS_BAD:
                    ar = "fail";
                    break;

              case DKIMF_STATUS_NOKEY:
              case DKIMF_STATUS_BADFORMAT:
                    ar = "permerror";
                    break;

Clearly the DKIMF_STATUS_NOKEY is treated in the same manner as DKIMF_STATUS_BADFORMAT.

Comment 2 Marek Greško 2020-11-06 19:09:04 UTC

Second problem:

    if (conf->conf_reqhdrs)
    {
            _Bool ok = TRUE;

            ...

            if (!ok)
            {
                    if (conf->conf_dolog)
                    {
                            syslog(LOG_INFO,
                                   "%s: RFC5322 header requirement error",
                                   dfc->mctx_jobid);
                    }

                    dfc->mctx_addheader = TRUE;
                    dfc->mctx_headeronly = TRUE;
                    dfc->mctx_status = DKIMF_STATUS_BADFORMAT;
                    return SMFIS_CONTINUE;
            }

Why is there SMFIS_CONTINUE?

mdomsch avatar Mar 02 '21 04:03 mdomsch

Yes. Unfortunately, the Opendkim developers look like they have abandoned their project. On the newest Arch and Centos8 it works correctly in signing outgoing mails, but not in verifying incoming ones.

rorusvan avatar Mar 02 '21 15:03 rorusvan

Any news on this? On-NoSignature reject does not work in messages with

    opendkim[25684]: 14EDFC0EDB: no signature data

Or am I missing something?

Deepcuts avatar Apr 01 '23 21:04 Deepcuts

I have the same problem in Debian 12, and because of this problem I can reproduce SMTP smuggling: since my postfix (via opendkim) does not check the signature of the original letter, I add another one in the same letter through line breaks "/r./r".

2024-04-05T09:10:47.209626+03:00 postfix-test opendkim[3812418]: 1FABE100000AC0E6: can't determine message sender; accepting
2024-04-05T09:10:47.267961+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: from=<[email protected]>, size=279, nrcpt=1 (queue active)
2024-04-05T09:10:47.305135+03:00 postfix-test postfix/cleanup[4072604]: 4A106100000AC0E7: message-id=<>
2024-04-05T09:10:47.314744+03:00 postfix-test postfix/local[4072606]: 1FABE100000AC0E6: to=<[email protected]>, relay=local, delay=1.3, delays=1.2/0.01/0/0.04, dsn=2.0.0, status=sent (forwarded as 4A106100000AC0E7)
2024-04-05T09:10:47.322930+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: from=<[email protected]>, size=535, nrcpt=1 (queue active)
2024-04-05T09:10:47.324577+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: removed
2024-04-05T09:10:47.983604+03:00 postfix-test postfix/smtp[4072607]: 4A106100000AC0E7: to=<[email protected]>, orig_to=<[email protected]>, relay=mxs.org[217.69.139.150]:25, delay=0.68, delays=0.01/0.01/0.03/0.62, dsn=2.0.0, status=sent (250 OK id=1rscml-00000004U9X-1tGM)
2024-04-05T09:10:47.985460+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: removed

script:

#!/usr/bin/expect

set host relay-test.example.org
set port 25
set legit_mail_from [email protected]
set legit_mail_recipent [email protected]

spawn telnet $host $port
expect "220"

send "HELO $host\r"
expect "250"

send "MAIL FROM: $legit_mail_from\r"
expect "250"

send "RCPT TO: $legit_mail_recipent\r"
expect "250"

send "data\r"
expect "354"

send "Test Smugling\r"
sleep 1
send "\r.\r"
sleep 1

send "quit\r"

tetesh avatar Apr 05 '24 06:04 tetesh
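
A defender-side check for the condition reported in this thread, added here as an example that is not part of the original issue or of the OpenDKIM project: it scans a mail log for the two opendkim messages quoted above ("can't determine message sender; accepting" and "no signature data") and follows Postfix "forwarded as" links to show which of those messages were reported as sent. The sample log, queue IDs, hosts, addresses and the function name are constructed for illustration.

```python
import re

# Constructed sample in the syslog layout shown in the thread; hosts, queue IDs and addresses are placeholders.
SAMPLE_LOG = """\
2024-04-05T09:10:47.209626+03:00 mx1 opendkim[3812418]: AAAA000001: can't determine message sender; accepting
2024-04-05T09:10:47.314744+03:00 mx1 postfix/local[4072606]: AAAA000001: to=<b@example.org>, relay=local, dsn=2.0.0, status=sent (forwarded as AAAA000002)
2024-04-05T09:10:47.983604+03:00 mx1 postfix/smtp[4072607]: AAAA000002: to=<c@example.net>, orig_to=<b@example.org>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
2024-04-05T09:11:02.000000+03:00 mx1 opendkim[3812418]: BBBB000001: no signature data
2024-04-05T09:11:02.100000+03:00 mx1 postfix/smtp[4072607]: BBBB000001: to=<d@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=4.4.1, status=deferred (timeout)
2024-04-05T09:11:05.000000+03:00 mx1 opendkim[3812418]: CCCC000001: DKIM verification successful
2024-04-05T09:11:05.100000+03:00 mx1 postfix/local[4072606]: CCCC000001: to=<b@example.org>, relay=local, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# timestamp, host, program[pid]: QUEUEID: message
LINE = re.compile(r"^\S+ \S+ (?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$", re.M)
# opendkim messages quoted in the thread for mail that passed without a verified signature
UNVERIFIED = ("can't determine message sender; accepting", "no signature data")
FORWARDED = re.compile(r"\(forwarded as (?P<next>[0-9A-Za-z]+)\)")


def find_unverified_deliveries(log_text):
    """Map each queue ID opendkim let through unverified to the hops Postfix logged as sent."""
    flagged, sent, forwards = {}, set(), {}
    for m in LINE.finditer(log_text):
        qid, msg = m["qid"], m["msg"]
        if m["prog"] == "opendkim":
            reason = next((u for u in UNVERIFIED if u in msg), None)
            if reason:
                flagged.setdefault(qid, reason)
        elif m["prog"].startswith("postfix/") and "status=sent" in msg:
            sent.add(qid)
            fwd = FORWARDED.search(msg)
            if fwd:
                forwards[qid] = fwd["next"]
    report = {}
    for qid, reason in flagged.items():
        hops, cur, seen = [], qid, set()
        while cur and cur not in seen:  # follow "forwarded as" links, guarding against loops
            seen.add(cur)
            if cur in sent:
                hops.append(cur)
            cur = forwards.get(cur)
        report[qid] = {"reason": reason, "delivered": hops}
    return report


if __name__ == "__main__":
    for qid, info in find_unverified_deliveries(SAMPLE_LOG).items():
        print(f"{qid}: {info['reason']} | {' -> '.join(info['delivered']) or 'not delivered'}")
```
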

up

tetesh avatar May 02 '24 12:05 tetesh