OpenDKIM doesn't reject unvalidated mails on Centos8 and Archlinux

[rorusvan]

There are 3 mail-servers (Archlinux, Centos8, Centos7) with similar configurations Opendkim and Postfix. On all of them activated Opendkim's options:

[On-BadSignature reject On-NoSignature reject On-SignatureError reject On-KeyNotFound reject

The problem occurs on new systems Arch and Centos8. Opendkim verifies incoming mails with valid signature, but seems not to veryfy what comes without signature or bad one, thus not rejecting them as expected. The versions are these: Archlinux:

opendkim: OpenDKIM Filter v2.10.3
    Compiled with OpenSSL 1.1.1h  22 Sep 2020
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    libopendkim 2.10.3:

Centos8:

opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.1.1c FIPS  28 May 2019
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_LUA
        USE_ODBX
    libopendkim 2.11.0: query_cache

Centos7:

opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_ODBX
    libopendkim 2.11.0: query_cache

That's very strange behaviour, on the old Centos7 it works ok, but the newest Centos8 and Arch verifications not provided. All the packages Opendkim were installed from the standart repositories, I also tried to compile Opendkim on the Arch, unfortunately didn't help: fake mails without dkim-signature pass..

[mdomsch]

This looks related to https://bugzilla.redhat.com/show_bug.cgi?id=1895321 Description of problem:

When I set

On-KeyNotFound a On-NoSignature r IgnoreMalformedMail no MustBeSigned From RequiredHeaders yes

1. messages which have not to be signed, because no public key is published (sender does not use DKIM) are rejected

2. Moreover, messages which do not contain any header are passed even if they should be rejected because of missing signature: opendkim[]: **: can't determine message sender; accepting sendmail[]: **: Milter (opendkim) insert (1): header: Authentication-Results: *****; dkim=permerror (bad message/signature format)

Version-Release number of selected component (if applicable): opendkim-2.11.0-0.17.fc33.x86_64

How reproducible: By sending emails.

Steps to Reproduce:

1. Setup opendkim.
2. Send mail from domain which does not implement DKIM -> REJECTED and should not be.
3. Send mail from the outside spoofing local domain without using headers -> ACCEPTED and should not be.

Actual results: Policy not working correctly.

Expected results: Policy working correctly.

Marek Greško 2020-11-06 17:43:30 UTC The first problem is caused by:

            switch (dfc->mctx_status)
            {
              case DKIMF_STATUS_BAD:
                    ar = "fail";
                    break;

              case DKIMF_STATUS_NOKEY:
              case DKIMF_STATUS_BADFORMAT:
                    ar = "permerror";
                    break;

Clearly the DKIMF_STATUS_NOKEY is treated in the same manner as DKIMF_STATUS_BADFORMAT.

Comment 2Marek Greško 2020-11-06 19:09:04 UTC Second problem:

    if (conf->conf_reqhdrs)
    {
            _Bool ok = TRUE;

... if (!ok) { if (conf->conf_dolog) { syslog(LOG_INFO, "%s: RFC5322 header requirement error", dfc->mctx_jobid); }

                    dfc->mctx_addheader = TRUE;
                    dfc->mctx_headeronly = TRUE;
                    dfc->mctx_status = DKIMF_STATUS_BADFORMAT;
                    return SMFIS_CONTINUE;
            }

Why there is SMFIS_CONTINUE?

[rorusvan]

Yes. Unfortunately, the Opendkim developers look like abandon their project. On newest Arch and Centos8 it works correctly in signing outgoing mails, neither in verifying incoming ones.

[Deepcuts]

Any news on this? On-NoSignature reject does not work in messages with opendkim[25684]: 14EDFC0EDB: no signature data Or am I missing something?

[tetesh]

I have the same problem in Debian 12, and because of this problem I can reproduce smtp smuggling, since my postfix (via opendkim) does not check the signature of the original letter, I add another one in the same letter through line breaks "/r./r"

2024-04-05T09:10:47.209626+03:00 postfix-test opendkim[3812418]: 1FABE100000AC0E6: can't determine message sender; accepting
2024-04-05T09:10:47.267961+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: from=<admin@example.org>, size=279, nrcpt=1 (queue active)
2024-04-05T09:10:47.305135+03:00 postfix-test postfix/cleanup[4072604]: 4A106100000AC0E7: message-id=<>
2024-04-05T09:10:47.314744+03:00 postfix-test postfix/local[4072606]: 1FABE100000AC0E6: to=<test@test.example.org>, relay=local, delay=1.3, delays=1.2/0.01/0/0.04, dsn=2.0.0, status=sent (forwarded as 4A106100000AC0E7)
2024-04-05T09:10:47.322930+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: from=<admin@example.org>, size=535, nrcpt=1 (queue active)
2024-04-05T09:10:47.324577+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: removed
2024-04-05T09:10:47.983604+03:00 postfix-test postfix/smtp[4072607]: 4A106100000AC0E7: to=<other_mail@myorg.com>, orig_to=<test@test.example.org>, relay=mxs.org[217.69.139.150]:25, delay=0.68, delays=0.01/0.01/0.03/0.62, dsn=2.0.0, status=sent (250 OK id=1rscml-00000004U9X-1tGM)
2024-04-05T09:10:47.985460+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: removed

script:

#!/usr/bin/expect

set host relay-test.example.org
set port 25
set legit_mail_from admin@example.org
set legit_mail_recipent test@test.example.org

spawn telnet $host $port
expect "220"

send "HELO $host\r"
expect "250"

send "MAIL FROM: $legit_mail_from\r"
expect "250"

send "RCPT TO: $legit_mail_recipent\r"
expect "250"

send "data\r"
expect "354"

send "Test Smugling\r"
sleep 1
send "\r.\r"
sleep 1

send "quit\r"

[tetesh]

up

[createyourpersonalaccount]

It works for me on Debian 12.

[tetesh]

It works for me on Debian 12.

Do you have this vulnerability or does it work without problems? I don't understand your answer

[rorusvan]

I have recently tested on Archlinux, Centos 9 and Debian 11, not working. Do you mean Opendkim works as expected on Debian 12? Mails without DKIM signature pass SPF-Dmarc checks and being rejected by Opendkim on your system?

[rorusvan]

What to say.. I have tested a mail system on Debian 12. The test failed. Mail domain is @netvpn.cyou A fake email being sent:

From: Joe Biden joe.biden@gmail.com To: Adminu admin@netvpn.cyou Subject: You are very happy Hello! I have good news for you. Your Joe Biden

Postfix log:

postfix/smtpd[432810]: connect from fake.domain[aa.bb.cc.dd] postfix/policy-spf[432815]: Policy action=PREPEND Received-SPF: none (fake.domain: No applicable sender policy available) receiver=my.domain; identity=mailfrom; envelope-from="root@fake.domain"; helo=fake.domain; client-ip=aa.bb.cc.dd postfix/smtpd[432810]: 74F6240D59: client=fake.domain[aa.bb.cc.dd] postfix/cleanup[432818]: 74F6240D59: message-id=20241001071431.B22BC21F5D4@fake.domain postfix/qmgr[432523]: 74F6240D59: from=root@fake.domain, size=785, nrcpt=1 (queue active) postfix/smtpd[432810]: disconnect from fake.domain[aa.bb.cc.dd] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5 postfix/lmtp[432819]: 74F6240D59: to=admin@orig.domain, orig_to=admin@netvpn.cyou, relay=my.domain[/var/run/dovecot/dovecot-lmtp], delay=0.54, delays=0.48/0.01/0.01/0.04, dsn=2.0.0, status=sent (250 2.0.0 admin@orig.domain MahaI1ih+2a0mgYAU4+nkA Saved) postfix/qmgr[432523]: 74F6240D59: removed

Opendkim log:

opendkim[432022]: 74F6240D59: fake.domain [aa.bb.cc.dd] not internal opendkim[432022]: 74F6240D59: not authenticated

Received fake mail headers:

Return-Path: root@fake.domain Delivered-To: admin@orig.domain Received: from mail.domain by mail.domain with LMTP id MahaI1ih+2a0mgYAU4+nkA (envelope-from root@fake.domain) for admin@orig.domain; Tue, 01 Oct 2024 10:14:32 +0300 Authentication-Results: mail.domain; dmarc=fail (p=none dis=none) header.from=gmail.com DKIM-Filter: OpenDKIM Filter v2.11.0 mail.domain 74F6240D59 Authentication-Results: OpenDKIM; dkim=none; dkim-atps=neutral Received-SPF: none (fake.domain: No applicable sender policy available) receiver=mail.domain; identity=mailfrom; envelope-from="root@fake.domain"; helo=fake.domain; client-ip=aa.bb.cc.dd Received: from fake.domain (fake.domain [aa.bb.cc.dd]) by mail.domain (Postfix) with ESMTP id 74F6240D59 for admin@netvpn.cyou; Tue, 1 Oct 2024 10:14:32 +0300 (EEST) Received: by fake.domain (Postfix, from userid 0) id B22BC21F5D4; Tue, 01 Oct 2024 10:14:31 +0300 (EEST) From: Joe Biden joe.biden@gmail.com To: Adminu admin@netvpn.cyou Subject: You are very happy Message-Id: 20241001071431.B22BC21F5D4@fake.domain Date: Tue, 01 Oct 2024 10:14:31 +0300 (EEST)

Hello! I have good news for you. Your Joe Biden

OS Debian 12 (bookworm), Opendkim v2.11.0. included lines in opendkim.conf:

On-BadSignature r On-NoSignature r On-SignatureError r On-KeyNotFound r

[createyourpersonalaccount]

The right way to report your postfix configuration is by showing

postconf -nf
postconf -Mf

@tetesh Yes it works fine for me on Debian 12, no bugs.

I've added the postfix user to opendkim group with:

usermod -a -G opendkim postfix
mkdir -p -m750 "/var/spool/postfix/opendkim"
chown "opendkim:opendkim" "/var/spool/postfix/opendkim"

In my /etc/postfix/main.cf I have:

milter_default_action = reject
milter_protocol = 6
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

My /etc/opendkim.conf is:

Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/relaxed
Mode                    vs
UserID                  opendkim
UMask                   007
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
TrustAnchorFile         /usr/share/dns/root.key
On-BadSignature         reject
On-NoSignature          reject
On-SignatureError       reject
On-KeyNotFound          reject

Don't forget to systemctl restart opendkim and then postfix reload. This only takes care of OpenDKIM but you should also implement SPF and DMARC.

This GitHub PR issue page is not the right place to ask for this sort of technical support, I won't be answering further in this page. A fully fledged e-mail solution is https://www.iredmail.org/ that is open-source and will have these preconfigured for you.