#114 dkim-milter rejects validly signed mail

v2.5.4
closed-fixed
8
2008-04-25
2008-04-20
Doug Kingston
No

Valid signed messages (as verified by dkim-milter and externals like dk.elandsys.com) are rejected. Tracing shows:
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 no MTA name match
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 not internal
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 not authenticated
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 not POP authenticated
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 mode select: verifying
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 DKIM verification successful
Apr 20 16:26:41 home dkim-filter[28333]: 4D0273ACE8 rejected per sender domain policy

The error appears to be in mlfi_eom(), around line 5715. I also believe the partial signatures will not be handled properly in version 2.5.4. I believe the bug(s) is as fixed by the following patch:
diff -cr dkim-milter-2.5.4/dkim-filter/dkim-filter.c dkim-milter-2.5.4-dpk/dkim-filter/dkim-filter.c
*** dkim-milter-2.5.4/dkim-filter/dkim-filter.c 2008-04-15 21:42:29.000000000 +0100
--- dkim-milter-2.5.4-dpk/dkim-filter/dkim-filter.c 2008-04-20 18:27:25.000000000 +0100
***************
*** 5712,5718 ****
** messages.
*/

! if (dfc->mctx_status == DKIMF_STATUS_GOOD ||
dfc->mctx_status == DKIMF_STATUS_BAD ||
dfc->mctx_status == DKIMF_STATUS_BADFORMAT ||
dfc->mctx_status == DKIMF_STATUS_VERIFYERR ||
--- 5712,5718 ----
** messages.
*/

! if (dfc->mctx_status == DKIMF_STATUS_PARTIAL ||
dfc->mctx_status == DKIMF_STATUS_BAD ||
dfc->mctx_status == DKIMF_STATUS_BADFORMAT ||
dfc->mctx_status == DKIMF_STATUS_VERIFYERR ||

Discussion

  • Doug Kingston
    Doug Kingston
    2008-04-20

    • priority: 5 --> 8
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    We definitely want to check for DKIMF_STATUS_GOOD because a message signed by a third-party signature which verifies but whose author domain advertises a "discardable" policy should be rejected. Thus, we still need to check in the "GOOD" case.

    I believe you're right though that the PARTIAL case should get checked.

    Do you have a saved example of a message that verifies successfully yet gets rejected incorrectly? I wonder if there's a bug in the author signature check evaluation, i.e. dkimf_authorsigok().

     
    • assigned_to: nobody --> sm-msk
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    I need full steps-to-reproduce in order to investigate further.

     
    • status: open --> pending
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    I'm confused by the idea that dk.elandsys.com mail was rejected even though its verification passed when that domain doesn't advertise a "dkim=discardable" policy.

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    Somewhat by accident, SM and I managed to reproduce the problem.

    Try the attached patch.
    File Added: PATCH

     
  • Proposed patch #1

     
    Attachments
    • status: pending --> open
     
    • status: open --> closed-fixed
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    v2.5.5 released, containing this patch.