add CheckSigningTable config option
When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded. This helps with large databases. This commit only adds support for USE_ODBX.
Simple test results:

If the private key is bad:
Sep 08 19:32:56 bookworm01 opendkim[759]: OpenDKIM Filter v2.11.0 starting
Sep 08 19:59:13 bookworm01 opendkim[759]: 349634048D: SSL error:0680008E:asn1 encoding routines::not enough data
Sep 08 19:59:13 bookworm01 opendkim[759]: 349634048D: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
451 4.7.1 Service unavailable - try again later
If selector is NULL (should be prevented by sql not null option):
451 4.7.1 Service unavailable - try again later
Sep 08 20:06:12 bookworm01 postfix/cleanup[1546]: BCE424048F: milter-reject: END-OF-MESSAGE from localhost[::1]: 4.7.1 Service unavailable - try again later; from=<xxxx@linux>
Sep 08 20:06:12 bookworm01 opendkim[759]: KeyTable entry for '1' corrupt
Sep 08 20:06:12 bookworm01 opendkim[759]: BCE424048F: error loading key '1'
If key is NULL
Sep 08 20:09:16 bookworm01 opendkim[759]: KeyTable entry for '1' corrupt
Sep 08 20:09:16 bookworm01 opendkim[759]: 527A24048D: error loading key '1'
Sep 08 20:09:16 bookworm01 postfix/cleanup[1573]: 527A24048D: milter-reject: END-OF-MESSAGE from localhost[::1]: 4.7.1 Service unavailable - try again later; from=<xxx@linux>
In neither case did opendkim crash. Furthermore, you can solve a lot of these issues with db table constraints.
this is continued from https://github.com/trusteddomainproject/OpenDKIM/pull/226
Also, should there be a command line option for it? Example:
opendkim/opendkim.c:15594: /* process command line options */
If yes, which letter may I use?
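An offline audit for the three failure cases logged above (NULL selector, NULL key, truncated key), which with CheckSigningTable set to no only surface when a message is signed. This is an added example, not code from the PR or from OpenDKIM. The table and column names (`dkim_keys`, `id`, `domain_name`, `selector`, `private_key`), the key being stored as PEM or base64 DER text, and the sample rows are assumptions.

```python
import base64, binascii, re, sqlite3

def der_complete(der):
    """True if der is one ASN.1 SEQUENCE whose declared length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    hdr, body = 2, der[1]                  # short-form length
    if der[1] >= 0x80:                     # long form: next k bytes hold the length
        k = der[1] & 0x7F
        if k == 0 or len(der) < 2 + k:
            return False
        hdr, body = 2 + k, int.from_bytes(der[2:2 + k], "big")
    return len(der) == hdr + body

def check_row(domain, selector, keydata):
    """Return the problems found in one KeyTable row (empty list means OK)."""
    fields = (("domain", domain), ("selector", selector), ("key", keydata))
    problems = [f"{n} is NULL or empty" for n, v in fields if not v]
    if keydata:
        b64 = re.sub(r"-----[^-]+-----|\s", "", keydata)  # drop PEM armor, whitespace
        try:
            if not der_complete(base64.b64decode(b64, validate=True)):
                problems.append("key truncated or not DER")
        except binascii.Error:
            problems.append("key is not valid base64")
    return problems

def audit(conn):
    """Map key name -> problems for each failing row (assumed table and columns)."""
    rows = conn.execute("SELECT id, domain_name, selector, private_key FROM dkim_keys")
    return {str(r[0]): p for r in rows if (p := check_row(*r[1:]))}

# Constructed sample data: a DER-shaped placeholder, not a real private key.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)

def pem(der):
    return "-----BEGIN PRIVATE KEY-----\n%s-----END PRIVATE KEY-----\n" % base64.encodebytes(der).decode()

def demo():
    """Build an in-memory table with one good row and three bad ones, then audit it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dkim_keys (id, domain_name, selector, private_key)")
    conn.executemany("INSERT INTO dkim_keys VALUES (?, ?, ?, ?)", [
        (1, "example.com", None, pem(FAKE_DER)),        # NULL selector
        (2, "example.com", "s1", None),                 # NULL key
        (3, "example.com", "s1", pem(FAKE_DER[:100])),  # truncated key
        (4, "example.com", "s1", pem(FAKE_DER)),        # well-formed
    ])
    return audit(conn)
```

The check is structural only: it compares the outer ASN.1 length with the data present, so it flags truncation but does not prove that a key will load or sign.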
> In neither case did opendkim crash. Furthermore, you can solve a lot of these issues with db table constraints.
I'll take a look later, if it can avoid crash even if the key entry is corrupted. (But it is another issue)
> Also, should there be a command line option for it? Example:
> opendkim/opendkim.c:15594: /* process command line options */
> If yes, which letter may I use?

Currently 'C' is not in use, however it might be the time we should consider to use word options, although getopt_long() is not in POSIX...
Can we consider the long options issue as a separate issue? One commit at a time so we don't get overloaded.

> Can we consider the long options issue as a separate issue? One commit at a time so we don't get overloaded.

Ya, sorry, I think it is a separate issue. It is not good to have multiple issues in a PR.
This feature may be useful even if the ODBX feature is not used, so I think there is no need to restrict it to when USE_ODBX is true. No other things to say, it looks good to me, for the commits till 906a8b4.
You can freely determine the command line option letter for this feature, if you implement it (perhaps no one complains about it). However if I implement a command line option for checking SigningTable consistency and exit, I'll select 'C' for it if it is still not in use :)
See commit https://github.com/trusteddomainproject/OpenDKIM/pull/228/commits/898f6ec9410b1dd5cd4f192d86cce3a8891c21dc for args option -C.
See commit https://github.com/trusteddomainproject/OpenDKIM/pull/228/commits/35f13b11770214e462ead7cb0551f6afa659b04e to allow for disabling CheckSigningTable for all databases.
Why is the develop branch so far ahead of master branch? There are 127 pending commits, last one 2 years ago. The master branch has not been updated in 6 years. When is the next planned release?
> You can freely determine the command line option letter for this feature, if you implement it (perhaps no one complains about it). However if I implement a command line option for checking SigningTable consistency and exit, I'll select 'C' for it if it is still not in use :)

Oops, I just realized what you said. I changed the option to -g in commit https://github.com/trusteddomainproject/OpenDKIM/pull/228/commits/ee40b42743857df4d23a2c602488d3deeb24ffb6
As you added a new command line option, it should be described in opendkim(8) :)
> Why is the develop branch so far ahead of master branch? There are 127 pending commits, last one 2 years ago. The master branch has not been updated in 6 years. When is the next planned release?
I think this project is not working any more. So I made my own branch, maintain it, and I use here as a collection center of issues and proposals of the changes.
Thank you @futatuki . I would like to commit these changes to your mirror as well. I see your stable branch is 212 commits ahead : )
It would be great if you could add a description about new "-g" option to opendkim/opendkim.8.in? I'd like to see your commit for it, not mine :)
see commit https://github.com/trusteddomainproject/OpenDKIM/pull/228/commits/3fc8cb7232e7bacc79b5031d72664c9d7c1c6f56 for -g in opendkim(8) man page.
> see commit 3fc8cb7 for -g in opendkim(8) man page.
Thank you!
Although I'm not good at writing English, I've reviewed it.
Thank you so much for all your help futatuki!
Looks good. Thank you!