trusteddomainproject / OpenDKIM


OpenDKIM doesn't reject unvalidated mails on Centos8 and Archlinux #106

Open rorusvan opened 3 years ago

rorusvan commented 3 years ago

There are 3 mail servers (Archlinux, Centos8, Centos7) with similar Opendkim and Postfix configurations. On all of them these Opendkim options are activated:

    On-BadSignature reject
    On-NoSignature reject
    On-SignatureError reject
    On-KeyNotFound reject

The problem occurs on the new systems, Arch and Centos8. Opendkim verifies incoming mails with a valid signature, but seems not to verify what comes without a signature or with a bad one, thus not rejecting them as expected. The versions are these:

Archlinux:

opendkim: OpenDKIM Filter v2.10.3
    Compiled with OpenSSL 1.1.1h  22 Sep 2020
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    libopendkim 2.10.3:

Centos8:

opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.1.1c FIPS  28 May 2019
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_LUA
        USE_ODBX
    libopendkim 2.11.0: query_cache

Centos7:

opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_ODBX
    libopendkim 2.11.0: query_cache

That's very strange behaviour: on the old Centos7 it works OK, but on the newest Centos8 and Arch verification is not performed. All the Opendkim packages were installed from the standard repositories. I also tried to compile Opendkim on Arch; unfortunately it didn't help: fake mails without a DKIM signature pass.

mdomsch commented 3 years ago

This looks related to https://bugzilla.redhat.com/show_bug.cgi?id=1895321

Description of problem:

When I set

    On-KeyNotFound a
    On-NoSignature r
    IgnoreMalformedMail no
    MustBeSigned From
    RequiredHeaders yes

  1. messages which have not to be signed, because no public key is published (sender does not use DKIM) are rejected

  2. Moreover, messages which do not contain any header are passed even if they should be rejected because of missing signature:

         opendkim[]: **: can't determine message sender; accepting
         sendmail[]: **: Milter (opendkim) insert (1): header: Authentication-Results: *****; dkim=permerror (bad message/signature format)

Version-Release number of selected component (if applicable): opendkim-2.11.0-0.17.fc33.x86_64

How reproducible: By sending emails.

Steps to Reproduce:

  1. Setup opendkim.
  2. Send mail from domain which does not implement DKIM -> REJECTED and should not be.
  3. Send mail from the outside spoofing local domain without using headers -> ACCEPTED and should not be.

Actual results: Policy not working correctly.

Expected results: Policy working correctly.

Marek Greško 2020-11-06 17:43:30 UTC

The first problem is caused by:

            switch (dfc->mctx_status)
            {
              case DKIMF_STATUS_BAD:
                    ar = "fail";
                    break;

              case DKIMF_STATUS_NOKEY:
              case DKIMF_STATUS_BADFORMAT:
                    ar = "permerror";
                    break;

Clearly the DKIMF_STATUS_NOKEY is treated in the same manner as DKIMF_STATUS_BADFORMAT.

Comment 2

Marek Greško 2020-11-06 19:09:04 UTC

Second problem:

    if (conf->conf_reqhdrs)
    {
            _Bool ok = TRUE;

            ...

            if (!ok)
            {
                    if (conf->conf_dolog)
                    {
                            syslog(LOG_INFO,
                                   "%s: RFC5322 header requirement error",
                                   dfc->mctx_jobid);
                    }

                    dfc->mctx_addheader = TRUE;
                    dfc->mctx_headeronly = TRUE;
                    dfc->mctx_status = DKIMF_STATUS_BADFORMAT;
                    return SMFIS_CONTINUE;
            }

Why is there SMFIS_CONTINUE?

rorusvan commented 3 years ago

Yes. Unfortunately, the Opendkim developers look like they have abandoned their project. On the newest Arch and Centos8 it works correctly in signing outgoing mails, but not in verifying incoming ones.

Deepcuts commented 1 year ago

Any news on this? On-NoSignature reject does not work in messages with

    opendkim[25684]: 14EDFC0EDB: no signature data

Or am I missing something?

tetesh commented 5 months ago

I have the same problem on Debian 12, and because of this problem I can reproduce SMTP smuggling: since my Postfix (via OpenDKIM) does not check the signature of the original letter, I add another one in the same letter through line breaks "/r./r".

2024-04-05T09:10:47.209626+03:00 postfix-test opendkim[3812418]: 1FABE100000AC0E6: can't determine message sender; accepting
2024-04-05T09:10:47.267961+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: from=<admin@example.org>, size=279, nrcpt=1 (queue active)
2024-04-05T09:10:47.305135+03:00 postfix-test postfix/cleanup[4072604]: 4A106100000AC0E7: message-id=<>
2024-04-05T09:10:47.314744+03:00 postfix-test postfix/local[4072606]: 1FABE100000AC0E6: to=<test@test.example.org>, relay=local, delay=1.3, delays=1.2/0.01/0/0.04, dsn=2.0.0, status=sent (forwarded as 4A106100000AC0E7)
2024-04-05T09:10:47.322930+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: from=<admin@example.org>, size=535, nrcpt=1 (queue active)
2024-04-05T09:10:47.324577+03:00 postfix-test postfix/qmgr[4072373]: 1FABE100000AC0E6: removed
2024-04-05T09:10:47.983604+03:00 postfix-test postfix/smtp[4072607]: 4A106100000AC0E7: to=<other_mail@myorg.com>, orig_to=<test@test.example.org>, relay=mxs.org[217.69.139.150]:25, delay=0.68, delays=0.01/0.01/0.03/0.62, dsn=2.0.0, status=sent (250 OK id=1rscml-00000004U9X-1tGM)
2024-04-05T09:10:47.985460+03:00 postfix-test postfix/qmgr[4072373]: 4A106100000AC0E7: removed

script:

#!/usr/bin/expect

set host relay-test.example.org
set port 25
set legit_mail_from admin@example.org
set legit_mail_recipent test@test.example.org

spawn telnet $host $port
expect "220"

send "HELO $host\r"
expect "250"

send "MAIL FROM: $legit_mail_from\r"
expect "250"

send "RCPT TO: $legit_mail_recipent\r"
expect "250"

send "data\r"
expect "354"

send "Test Smugling\r"
sleep 1
send "\r.\r"
sleep 1

send "quit\r"
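
A log check for the condition reported in the comments above (opendkim logging "can't determine message sender; accepting" or "no signature data" while the message is still delivered), added here as an example that is not part of the thread or of OpenDKIM. The function name, the constructed sample lines and the hexadecimal queue-ID format are assumptions of this example.

```python
import re
from collections import defaultdict

# opendkim log messages quoted in this thread that mean "accepted without verification"
UNVERIFIED = ("can't determine message sender; accepting", "no signature data")
# Assumes short (hexadecimal) Postfix queue IDs, as in the thread's log excerpt
LINE = re.compile(r"(?P<prog>opendkim|postfix/[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<msg>.*)")
FORWARDED = re.compile(r"status=sent \(forwarded as (?P<new>[0-9A-F]{6,})\)")
SENT = re.compile(r"to=<(?P<rcpt>[^>]*)>.*relay=(?P<relay>[^,]+),.*status=sent")

# Constructed sample, modelled on the log lines quoted in the thread
SAMPLE_LOG = """\
Apr  5 09:10:47 mx opendkim[101]: 1FABE1000A: can't determine message sender; accepting
Apr  5 09:10:47 mx postfix/local[102]: 1FABE1000A: to=<test@test.example.org>, relay=local, delay=1.3, dsn=2.0.0, status=sent (forwarded as 4A1061000B)
Apr  5 09:10:47 mx postfix/smtp[103]: 4A1061000B: to=<other@example.net>, orig_to=<test@test.example.org>, relay=mx.example.net[192.0.2.25]:25, dsn=2.0.0, status=sent (250 OK)
Apr  5 09:11:02 mx opendkim[101]: 14EDFC0EDB: no signature data
Apr  5 09:11:03 mx postfix/smtpd[104]: 5C2A7F000C: client=unknown[192.0.2.9]
""".splitlines()

def find_unverified_deliveries(lines):
    """Map each queue ID opendkim passed unverified to where it was delivered."""
    reasons, sent, forwards = {}, defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qid, msg = m["qid"], m["msg"]
        if m["prog"] == "opendkim":
            reasons.update({qid: r for r in UNVERIFIED if r in msg})
            continue
        if (f := FORWARDED.search(msg)):
            forwards[qid].append(f["new"])  # local alias/forward re-queues the mail
        if (s := SENT.search(msg)):
            sent[qid].append((s["rcpt"], s["relay"]))
    report = {}
    for qid, reason in reasons.items():
        seen, todo, deliveries = set(), [qid], []
        while todo:  # follow "forwarded as" chains to the final relay
            cur = todo.pop()
            if cur not in seen:
                seen.add(cur)
                deliveries += sent.get(cur, [])
                todo += forwards.get(cur, [])
        report[qid] = {"reason": reason, "deliveries": deliveries}
    return report

if __name__ == "__main__":
    for qid, info in find_unverified_deliveries(SAMPLE_LOG).items():
        print(qid, info["reason"], info["deliveries"])
```

An entry with a non-empty `deliveries` list is a message that the milter accepted without a DKIM result and that Postfix then delivered or relayed.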

tetesh commented 4 months ago

up