A new version of dkim-milter is now available for download from SourceForge.
This is a major new release containing substantial new features. The most
prominent changes include the addition of full support for verification of
messages containing multiple signatures and more complete support for the
new Sender Signing Policy (SSP) specification from the IETF's DKIM working
Another important change is the fact that support for older versions of
DKIM has been completely removed.
There were also various minor fixes and adjustments included.
Thanks go out to all the beta testers and other contributors. If any
attributions are missing or incorrect in the RELEASE_NOTES, please let me
know. Special thanks go to Chris Behrens and S. Moonesamy for their
extensive testing and reviews.
The formal release notes entry:
Remove all support for versions older than RFC4871. Older
statistics databases will not be incompatible with the
new code since version information is no longer included
in the record format.
Add "Resent-Sender" and "Resent-From" to the list of headers
checked to determine whether or not the message should
be signed or verified.
Report an authentication result of "permerror" when the message
can't be verified for syntax or other non-crypto reasons.
New configuration file item "RemoveARFrom" allows specification
of hostnames/domains whose existing Authentication-Results:
headers should be removed. Also add "RemoveARAll" which
allows selection of whether all such headers should be removed
or only those containing a DKIM result.
New configuration file item "RemoveOldSignatures" deletes existing
signatures when signing.
Fix bug #SF1743896: Don't crash if a From: header with no domain
is found. Patch from Andy Fiddaman.
Fix bug #SF1743964: Remove the pid file on shutdown or startup
failure. Patch from Mike Markley.
LIBAR: Plug descriptor and memory leaks in ar_shutdown().
LIBDKIM: Rework _FFR_VBR code to prepare it for extraction into
an independent library.
LIBDKIM: The key and policy lookup callbacks must now return
a DKIM_CBSTAT constant so that they can have their
corresponding libdkim functions return DKIM_STAT_CBTRYAGAIN
if desired. Suggested by Chris Behrens of Concentric
LIBDKIM: Add _FFR_DIFFHEADERS which adds dkim_diffheaders() to enable
the caller to search for headers that may have been munged
in transit thus causing a verification failure.
LIBDKIM: Feature request #SF1473131: Overhaul data structures,
functions and documentation to allow fine-grained handling
of messages bearing multiple signatures. This included the
o Extend draft-ietf-dkim-ssp-00 support to cover
o Introduce DKIM_SIGERROR type/constants for associating
an error code with each individual signature.
o New libary flag DKIM_LIBFLAG_DELAYSIGPROC delays all
signature processing until dkim_eom().
o New libary flag DKIM_LIBFLAG_EOHCHECK causes dkim_eoh()
to return an error if it was unable to find any
valid signatures when verifying.
o Add new DKIM_CANON data type, referring to a
parallel canonicalization required for signature
generation or verification.
o New function dkim_getsiglist() retrieves an array of
DKIM_SIGINFO handles referring to all of the
signatures discovered on a message.
o New function dkim_getsignature() retrieves a single
DKIM_SIGINFO handle which is the one libdkim will
use to return its final result.
o New function dkim_sig_getflags() to retrieve flags
attached to a signature handle after processing.
o New function dkim_sig_geterror() to retrieve the error
code associated with a signature handle after
o New function dkim_sig_getbh() to retrieve the body
hash test result on a signature after processing.
o New function dkim_set_final() sets a user-provided
callback called by dkim_eom() to do any final
processing the caller may desire.
o New function dkim_sig_process() manually executes
verification of a signature, for use from within the
prescreen or final callbacks.
o Rename dkim_getcanonlen() to dkim_sig_getcanonlen(),
dkim_getsigntime() to dkim_sig_getsigntime(),
dkim_getselector() to dkim_sig_getselector(),
dkim_getsigndomain() to dkim_sig_getdomain(),
dkim_getsignalg() to dkim_sig_getsignalg() and
dkim_getkeysize() to dkim_sig_getkeysize()
as they now act on a specific signature rather than
on an entire message.
o The user-provided key and policy lookup functions must
now accept a DKIM_SIGINFO handle as an additional
o dkim_reportinfo() and dkim_ohdrs() now also require a
DKIM_SIGINFO handle as an additional parameter.
LIBDKIM: Fix signal logic in dkim_cache_read_unlock(). Patch from
Chris Behrens of Concentric Network Corporation.
LIBDKIM: Add _FFR_KEY_REUSE which avoids doing duplicate key
lookups if the same key is used on two signatures in the
same message. Suggested by Chris Behrens of Concentric
LIBDKIM: Changed prototype for dkim_policy() to reflect the new code.
Remove _FFR_FLUSH_HEADERS. The functionality it provided is now
accessed via the new configuration options described above.
BUILD: More unit tests.
Please use the trackers and mailing lists on SourceForge to report problems or
make comments or other suggestions.
Murray S. Kucherawy ========================================= msk@...
Senior Software Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com