search

stalwartlabs / mail-auth

DKIM, ARC, SPF and DMARC library for Rust
https://docs.rs/mail-auth/
Apache License 2.0
82 stars 13 forks source link

Expired DKIM signatures should be a fail? #24

Closed scsmith closed 8 months ago

scsmith commented 8 months ago

Hey, currently passing x=value where the time is passed to a DKIM signature will cause the signature to be marked as Neutral.

I don't think this is the right call. I could take an email that has been completely modified from the original (for example changing the from header) and instead of failing it will now be neutral. I understand that doing this skips the requirement of validation before it takes place because the signature has expired anyway but I think it might be better to either, 1> continue validation and pass neutral if the signature passes or 2> just go ahead and fail the signature as it's actually now invalid.

I'd be happy to put a pull request forward but it would be good to get a steer on your thinking first?

mdecimus commented 8 months ago

Can you include here the code to reproduce this issue?

scsmith commented 8 months ago

I added this as 007.txt in resources/dkim:

newengland._domainkey.example.com v=DKIM1; p=MIGJAoGBALVI635dLK4cJJAH3Lx6upo3X/Lm1tQz3mezcWTA3BUBnyIsdnRf57aD5BtNmhPrYYDlWlzw3UgnKisIxktkk5+iMQMlFtAS10JB8L3YadXNJY+JBcbeSi5TgJe4WFzNgW95FWDAuSTRXSWZfA/8xjflbTLDx0euFZOM7C4T0GwLAgMBAAE=

DKIM-Signature: a=rsa-sha256; bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
 c=simple/simple; d=example.com; x=1234;
 h=Received:From:To:Subject:Date:Message-ID; i=joe@football.example.com;
 s=newengland; t=1615825284; v=1;
 b=Xh4Ujb2wv5x54gXtulCiy4C0e+plRm6pZ4owF+kICpYzs/8WkTVIDBrzhJP0DAYCpnL62T0G
 k+0OH8pi/yqETVjKtKk+peMnNvKkut0GeWZMTze0bfq3/JUK3Ln3jTzzpXxrgVnvBxeY9EZIL4g
 s4wwFRRKz/1bksZGSjD8uuSU=
Received: from client1.football.example.com  [192.0.2.1]
      by submitserver.example.com with SUBMISSION;
      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe SixPack <joe@shopping.example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: Is dinner ready?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037.46341.5F8J@football.example.com>

Hi.

We lost the game. Are you hungry yet?

Joe.

If you remove x=1234; then the result is fail (the uses own domain is simulated to make it a 'trusted' sender. With it present the result is 'downgraded' to neutral.

mdecimus commented 8 months ago

That is correct, expired signatures are marked as Neutral. And, when you manually modify the expiration time the DKIM validation is failing because the hash no longer matches.