From: Murray S. K. <ms...@se...> - 2009-06-01 02:40:35

A new version of dkim-milter is now available for download from SourceForge. This is a minor cleanup release that takes care of some housekeeping issues found during code inspection and runs of the filter with memory and descriptor analysis tools. No new features or major bugs are fixed. Some additional logging has been added in failure cases, however.

The formal release notes entry:

2.8.3 2009/05/31
- Close the configuration file after reading it, plugging a descriptor leak.
- Release memory associated with old configuration nodes (i.e. strings) as well as the nodes themselves.
- Connect the configuration handle to its allocated data so cleanup can actually be thorough.
- Fix an error message reported inside _FFR_REPLACE_RULES.
- Plug a memory leak in mlfi_header() tripped when errors occur.
- Since ADSP has not yet been registered by IANA, adjust its method label in Authentication-Results accordingly.
- Include selector, domain and other text if possible when logging key retrieval failures.
- Add _FFR_SENDER_HEADERS, allowing user control over which header fields are used to make the sign/verify decision and perform key selection.
- LIBDKIM: Initialize canon_lastchar in dkim_add_canon().
- LIBDKIM: Clean up any compiled regular expressions in dkim_close().
- LIBDKIM: Fix some type-related compiler warnings.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2009-02-17 23:12:00

A new version of dkim-milter is now available for download from SourceForge. This is a bug fix release. Upgrade is recommended, but need not be considered mandatory. The bugs fixed include "i=" tag generation when key lists are in use, a socket cleanup issue, an issue with reporting of libcrypto errors, and several other minor fixes. It also contains a thread safety fix in libar. There was a minor fix in the build scripts as well. Finally, this version allows libdkim and libar to be compiled without reference to the provided libsm, for systems which include the strl*() functions.

The formal release notes entry:

2.8.2 2009/02/17
- Request a signature with an "i=" tag if signing for subdomains and a keylist entry matches. Previously this only occurred when using an explicit domain list. Problem noted by S. Moonesamy of Eland Systems.
- Fixes in and around dkim_socket_cleanup(). Problem noted by S. Moonesamy of Eland Systems.
- LIBDKIM: When logging a d2i_PUBKEY_bio() or EVP_PKEY_get1_RSA() failure, also log the selector and domain involved so manual diagnostics are possible.
- LIBDKIM/LIBAR: Feature request #SF2380508: Add new test for WITHOUT_LIBSM which removes references to libsm's sm_strl*() functions, so that libdkim and libar can stand on their own on systems which provide the strl*() functions. Requested by Frederik Pettai.
- LIBDKIM: Report DKIM_STAT_NOSIG if the caller commands that all signatures should be ignored.
- LIBDKIM: Plug a memory leak caused when responding to a malloc() failure.
- LIBDKIM: New signature error code DKIM_SIGERROR_KEYDECODE, used if d2i_PUBKEY_BIO() or EVP_PKEY_get1_RSA fails in dkim_sig_process().
- LIBAR: Make reference to the "_res" structure more thread-safe.
- BUILD: Make use of conf_dkim_filter_ENVDEF since site.config.m4.dist refers to it. Problem noted by S. Moonesamy of Eland Systems.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2009-01-16 19:38:05

A new version of dkim-milter is now available for download from SourceForge. This release fixes a security issue with the filter. In particular, a key record with an empty "p=" value (i.e. a revoked key) will cause the filter to crash from an assertion failure. This applies to versions 2.6.0 through 2.8.0. Thanks to Mike Markley for detecting and reporting the problem.

The formal release notes entry:

2.8.1 2009/01/16
- LIBDKIM: Fix bug #SF2508602: Add a translation string for DKIM_SIGERROR_KEYREVOKED and fix dkim_eom_verify() so it returns DKIM_STAT_REVOKED when appropriate. Problem noted by Mike Markley of Bank of America.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

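The failure mode described in the 2.8.1 announcement above, as an added example that is not libdkim code: a key-record check that reports an empty "p=" as an ordinary "revoked" result instead of treating it as a broken invariant. The names `classify_key_record`, `find_tag` and the `KEY_*` codes are hypothetical; the sketch assumes "p=" is a required tag and only checks the base64 value's shape without decoding it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not libdkim's own values). */
typedef enum { KEY_OK = 0, KEY_REVOKED, KEY_SYNTAX } key_status;

/* Narrow [*s, *e) so it has no leading or trailing whitespace. */
static void trim(const char **s, const char **e)
{
    while (*s < *e && isspace((unsigned char)**s)) (*s)++;
    while (*e > *s && isspace((unsigned char)(*e)[-1])) (*e)--;
}

/*
 * Look up `tag` in a "tag=value; tag=value" record.
 * Returns 1 if present (the value may be empty: *len == 0), 0 if absent,
 * -1 if any non-empty segment lacks '=' or a tag name.
 */
static int find_tag(const char *rec, const char *tag,
                    const char **val, size_t *len)
{
    size_t taglen = strlen(tag);
    int found = 0;

    for (const char *p = rec; *p != '\0'; ) {
        const char *semi = strchr(p, ';');
        const char *next = semi ? semi + 1 : p + strlen(p);
        const char *s = p, *e = semi ? semi : next;

        trim(&s, &e);
        if (s < e) {
            const char *eq = memchr(s, '=', (size_t)(e - s));
            const char *ns = s, *ne = eq;
            if (eq == NULL) return -1;
            trim(&ns, &ne);
            if (ns == ne) return -1;
            if (!found && (size_t)(ne - ns) == taglen &&
                memcmp(ns, tag, taglen) == 0) {
                const char *vs = eq + 1, *ve = e;
                trim(&vs, &ve);
                *val = vs;
                *len = (size_t)(ve - vs);
                found = 1;
            }
        }
        p = next;
    }
    return found;
}

/* Classify a key record without ever asserting on attacker-controlled data. */
key_status classify_key_record(const char *rec)
{
    const char *v = NULL;
    size_t n = 0, b64 = 0, pad = 0;
    int r = find_tag(rec, "v", &v, &n);

    if (r < 0) return KEY_SYNTAX;
    if (r == 1 && !(n == 5 && memcmp(v, "DKIM1", 5) == 0)) return KEY_SYNTAX;

    r = find_tag(rec, "p", &v, &n);
    if (r <= 0) return KEY_SYNTAX;   /* assumption: "p=" must be present */
    if (n == 0) return KEY_REVOKED;  /* empty "p=": revoked key, a normal outcome */

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (isspace(c)) continue;                    /* folded value */
        if (c == '=') { pad++; continue; }
        if (pad > 0 || !(isalnum(c) || c == '+' || c == '/')) return KEY_SYNTAX;
        b64++;
    }
    if (pad > 2 || (b64 + pad) % 4 != 0) return KEY_SYNTAX;
    return KEY_OK;
}

int main(void)
{
    /* Constructed sample records, not taken from any real domain. */
    static const char *samples[] = {
        "v=DKIM1; k=rsa; p=QUJDRA==",
        "v=DKIM1; k=rsa; p=",
        "v=DKIM1; k=rsa",
    };
    static const char *names[] = { "ok", "revoked", "syntax error" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               names[classify_key_record(samples[i])]);
    return 0;
}
```
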
From: Murray S. K. <ms...@se...> - 2009-01-09 00:15:01

A new version of dkim-milter is now available for download from SourceForge. This release contains a number of minor bug fixes and one fix for a crash condition, as well as some important new features. Of particular interest is: contributed support for DNSSEC, and the ability to react differently when a retrieved key or policy is not secure. There's also experimental support for addition of multiple signatures in one operation, optional compatibility with DomainKeys key records, and support for an experimental DKIM reputation facility.

The formal release notes entry:

2.8.0 2009/01/08
- Add configuration option "EnableCoredumps" which makes an explicit kernel request for cores on crashes. Currently only meaningful on Linux.
- Add configuration option "AuthServID" which sets the "authserv-id" token to use when generating Authentication-Results header fields.
- Report "fail" instead of "hardfail" on authentication failures, in compliance with the Authentication-Results: draft.
- Add _FFR_REPORT_INTERVALS, experimental support for the "ri" tag extension to DKIM policy and key records for specifying reporting intervals.
- Feature request #SF1985886: Add _FFR_MULTIPLE_SIGNATURES, allowing one instance of the filter to add multiple signatures. Suggested by Dave Crocker.
- Add "TemporaryDirectory" configuration file option for requesting that libdkim use an alternate directory for creating temporary files, and "KeepTemporaryFiles" for requesting that libdkim not delete those files for debugging purposes.
- Add optional support for the "unbound" asynchronous resolver library as it is DNSSEC-aware. Adds four new configuration file items: "BogusKey", "BogusPolicy", "InsecureKey" and "InsecurePolicy". Also add dkim_sig_getdnssec() and dkim_policy_getdnssec() to libdkim so callers can tell what the DNSSEC evaluation result was for each query. Based on a patch from John Dickinson.
- Add "BaseDirectory" configuration file option for specifying the desired current directory of the process.
- Make use of the key and policy "rs" tag, if present, when doing SMTP rejections.
- Use MTA macro "$j" as the hostname in generated reports instead of the output of gethostname() since on some systems the latter may not be fully-qualified.
- Remove ANTICIPATE_SENDMAIL_MUNGE, replacing it with a runtime check for the milter v2 feature which suppresses the addition of spaces in headers.
- Add _FFR_COMMAIZE which attempts to predict the reformatting the MTA will do to certain header fields to reduce verification failures.
- Add _FFR_DKIM_REPUTATION enabling a function used to query an open DKIM reputation service regarding the signing user and signing domain. The service's URL is http://www.dkim-reputation.org. (EXPERIMENTAL)
- Fix preloading of configuration defaults.
- Fix bug #SF2236040: Quote all of the POSIX regular expression special characters, not just some of them. Reported by Mark Martinec.
- When possible, log the selector and domain of the signature evaluated along with any errors in the libcrypto stack.
- LIBDKIM: Add "smtpbuf", "smtplen" and "interval" parameters to dkim_sig_getreportinfo() and dkim_policy_getreportinfo(). Also, remove the assertion that "addr" be non-NULL.
- LIBDKIM: Add DKIM_LIBFLAGS_ACCEPTDK which enables compatibility with DomainKeys-formatted key records.
- LIBDKIM: Adjust signature formatting for legibility.
- LIBDKIM: Check return status from dkim_canon_getfinal() to avoid bad dereferences. Problem noted by Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Render the DKIM handle unusable in dkim_eoh_sign() if a required header was absent.
- Activate _FFR_REQUIRED_HEADERS.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-09-02 21:09:17

A new version of dkim-milter is now available for download from SourceForge. This is a bugfix release, resolving a crash bug introduced in the previous patch release.

The formal release notes entry:

2.7.2 2008/09/02
- Avoid memory leaks and infinite loops when releasing thread-specific memory. Reported by Jeff Earickson.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-08-28 06:27:25

A new version of dkim-milter is now available for download from SourceForge. This is a minor bug fix release. Two signature processing issues have been identified and resolved, and a rare issue having to do with crashes inside OpenSSL has been addressed. Thanks this time go out to Zbigniew Szalbot for his help tracking down the OpenSSL problem and then testing the fix.

The formal release notes entry:

2.7.1 2008/08/27
- Set up required callbacks for OpenSSL thread-safety. Problem noted by Zbigniew Szalbot.
- Disallow empty "t=" and "x=" tags.
- Return DKIM_STAT_KEYFAIL for various DNS key retrieval failures instead of DKIM_STAT_INTERNAL.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-07-24 06:09:52

A new version of dkim-milter is now available for download from SourceForge. This is an update release of the filter. The main purpose is to update support for the signing practises test, an adjunct to DKIM for evaluating whether or not a message should have been signed and, if it wasn't, what to do with it. In addition, a couple of features have been added.

The RELEASE_NOTES file fails to mention that all "ASP" references in the configuration file were changed to "ADSP". This will be fixed in the RELEASE_NOTES for the next version, but please update your configuration files accordingly when installing this version.

The formal release notes entry:

2.7.0 2008/07/23
- Update to draft-ietf-dkim-ssp-04. In doing so, rename "ASPDiscard" to "ADSPDiscard", "ASPNoSuchDomain" to "ADSPNoSuchDomain" and "SendASPReports" to "SendADSPReports" in the configuration file.
- Feature request #29738: Add "TrustSignaturesFrom" configuration file item allowing fine-grained control over third-party signature handling.
- Feature request #SF2018848: Add "LocalADSP" feature allowing policy assertions from domains known to have specific policies but which don't publish ADSP records. Suggested by Bruno Kraychete da Costa.
- LIBDKIM: Fix an off-by-one overrun check in key and policy record decoding. Problem noted by John Dickinson.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-06-11 10:31:37

A new version of dkim-milter is now available for download from SourceForge. This is a new release of the filter which adds a number of new features and fixes a number of minor bugs. Of particular interest is support for the proposed DKIM reporting mechanisms introduced in the revised "feedback-report" and new "dkim-reporting" IETF drafts.

The formal release notes entry:

2.6.0 2008/06/11
- Remove "signaturemissing" as an old-style configuration action as it has been superseded by "ASPDiscard" and related functions.
- Add "SendASPReports" configuration option which generates ASP failure reports if requested by the sending domain.
- Update report generation for verification failures to use the new Abuse Reporting Format (ARF) and DKIM Reporting draft proposals.
- Add "MustBeSigned" configuration option, requiring signatures to cover specific headers if present.
- Rename "UseASPDiscard" to "ASPDiscard".
- Add "ASPNoSuchDomain" configuration option which rejects mail that appears to come from nonexistent domains as reported by the Author Signing Practises check.
- Add "ReportAddress" configuration option, used for defining the From: header of reports mailed out.
- Yet another compatibility fix with respect to Sleepycat DB.
- Fix processing of "LogWhy" configuration parameter. Problem noted by Erik Lotspeich.
- Add "-n" command line flag which parses the command line arguments and configuration file(s), then exits with an appropriate status code.
- Report DKIM and ASP results separately via the same Authentication-Results header field. Previous versions would alter the DKIM result based on ASP.
- Fix bug #SF1976931: Restore function of "nosignature" old-style action configuration, connected to "AlwaysAddARHeader". Problem noted by Lucas Brasilino.
- Feature request #SF1940233: Add "DontSignMailTo" configuration option, allowing a list of recipient patterns whose mail should not be signed. Requested by Don Hughes.
- LIBDKIM: Rename dkim_reportinfo() to dkim_sig_getreportinfo(), and add dkim_policy_getreportinfo().
- LIBDKIM: Add several more signature error codes covering various key-related errors.
- LIBDKIM: Add dkim_sig_hdrsigned() utility, DKIM_OPTS_MUSTBESIGNED option, and DKIM_SIGERROR_MBSFAILED error code.
- LIBDKIM: Fix a bug in the computation of the result for dkim_canon_minbody().
- LIBDKIM: Report corrupted base64 chunks instead of quietly tolerating them.
- LIBDKIM: Tidy up the cleanup code in dkim-canon.c.
- LIBDKIM: Properly handle "tag=" at the end of a data set (i.e. the tag exists and has an empty value).
- LIBDKIM: Use larger unsigned data types in dkim_sig_future() as was done elsewhere.
- LIBDKIM: Always populate a DKIM_SIGINFO with domain and selector before there's an opportunity for other parsing short-circuits.
- LIBDKIM: Fix bug #SF1984685: Remove the "margin" parameter from dkim_getsighdr(); make it controlled by a new function, dkim_set_margin(), so that the signed copy and the user-requested copy are identical.
- Activate _FFR_AUTHSERV_JOBID.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-04-25 16:33:11

A new version of dkim-milter is now available for download from SourceForge. This is a bugfix release containing a single important fix which could cause mail to be rejected improperly for domains which advertise a "discardable" mail policy. If you are using the "UseASPDiscard" feature, this upgrade should be considered mandatory.

The formal release notes entry:

2.5.5 2008/04/25
- Fix bug #SF1947301: Close up a logic problem in "UseASPDiscard" handling which could cause false rejections of mail from domains advertising "discardable" policies. Problem noted by Doug Kingston.
- LIBDKIM: Another compatibility fix with respect to Sleepycat DB.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-04-17 18:11:30

A new version of dkim-milter is now available for download from SourceForge. This release fixes one signature correctness bug in the library and a few bugs which could result in crashes in the filter itself. An upgrade is recommended if you're using the filter.

The formal release notes entry:

2.5.4 2008/04/17
- Skip signatures with errors in dkimf_authorsigok().
- Avoid a NULL dereference in dkimf_config_reload() when starting without a configuration file.
- Fix an alignment problem in dkimf_checkip(). Problem reported by Jeff A. Earickson.
- LIBDKIM: Fix bug #SF1942387: Per RFC4871, disallow "l=" values that exceed the size of the canonicalized message body.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-04-14 18:39:22

A new version of dkim-milter is now available for download from SourceForge. This release contains mainly bug fixes and additional diagnostic information. Two are correctness bugs with parsing of the signature tags, so an upgrade is recommended.

The formal release notes entry:

2.5.3 2008/04/14
- Add "AllowSHA1Only" configuration option which permits operation of verifiers that only know about SHA1. Without this, a filter compiled with only SHA1 support will refuse to start in verifier mode.
- Add "LogWhy" configuration parameter and "-W" command line flag to request detailed logging about why a message was not signed by the filter. Intended for debugging; not intended for normal operation.
- Another tweak to parameters passed to db->open(). Based on patches from Jukka Salmi and S. Moonesamy.
- Fixes in ares_parse() to match the current syntax. In particular, deal with the fact that some of our tokens can legally appear in e-mail addresses. Problem noted by S. Moonesamy of Eland Systems.
- LIBDKIM: Evaluate key granularity against the "i=" value rather than the value of the From: header per RFC4871. Problem noted by Jason Long.
- LIBDKIM: Remove the chartable stuff from dkim-tables.c as it is not used anywhere.
- LIBDKIM: Fix bug #SF1940302: Perform stronger validation of the value of the "h=" tag.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-03-28 21:15:12

A new version of dkim-milter is now available for download from SourceForge. This is mostly a minor bugfix release. One of the fixes, however, repairs a variable scope problem that could cause false negatives during SSP checks. Thus, an upgrade is advised if you're running 2.5.0 or 2.5.1.

The formal release notes entry:

2.5.2 2008/03/28
- Preserve the sender's domain name outside of mlfi_eoh() as it's now needed in mlfi_eom(). Problem noted by Andy Fiddaman.
- Fix bug #SF1921873: Pass "-K" command line switch into the new configuration handling code. Problem noted by Al Smith.
- TOOLS: Fix flags portion of the TXT record output by dkim-genkey. Problem noted by Michael Carland.
- BUILD: Fix bug #SF1922422: Fix linker problems when POPAUTH is defined.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-03-20 23:46:48

A new version of dkim-milter is now available for download from SourceForge. This is a bugfix release following 2.5.0, fixing a few minor problems introduced in that release as well as updating to the latest Authentication-Results: header draft.

The formal release notes entry:

2.5.1 2008/03/20
- Update for draft-kucherawy-sender-auth-header-14.
- Add "subject" to "should_signhdrs" per RFC4871 section 5.5.
- Fix bug #SF1911328: Restore proper behaviour of SignHeaders and OmitHeaders, broken in the prior release's configuration overhaul. Problem reported by Jason Molzen.
- Fix bug #SF1912332: Fix parameters passed to db->open(). Problem reported by Tony Earnshaw.
- Fix bug #SF1912569: Initialize mutexes before entering test mode. Patch from Kaspar Brand.
- LIBDKIM: More boundary checking fixes in dkim_canon_selecthdrs(). Problem noted by Warren Horvath.
- LIBDKIM: Fix bug #SF1820084: Return DKIM_STAT_MULTIDNSREPLY if a DNS query returns multiple records.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-03-07 06:30:11

A new version of dkim-milter is now available for download from SourceForge. This is a major release, adding a number of feature requests and making some changes in line with recent changes to relevant IETF specifications. In particular, one configuration file item has been renamed. Please be familiar with the changes as described below before upgrading.

The formal release notes entry:

2.5.0 2008/03/06
- Add "AutoRestartCount" and "AutoRestartRate" configuration parameters to limit runaway restart loops.
- Feature request #SF1735573: Add "AlwaysAddARHeader" option, which will add an Authentication-Results of "none" for unsigned messages from domains without a "strict" policy.
- Feature request #SF1807748: Reload the configuration file on receipt of SIGUSR1. Requested by Florian Sager.
- Feature request #SF1811969: Add _FFR_BODYLENGTH_DB which adds a "BodyLengthDBFile" feature, allowing a per-recipient decision on whether or not to use an "l=" tag when signing. Patch contributed by Daniel Black.
- Feature request #SF1841955: Add an "Include" facility to the configuration file.
- Feature request #SF1876941: Make the syslog facility selectable. Based on a patch from Jose-Marcio Martins da Cruz of Ecole des Mines de Paris.
- Feature request #SF1876943: Add _FFR_AUTHSERV_JOBID allowing the job ID to be included as part of the "authserv-id" in Authentication-Results: headers. Based on a patch from Jose-Marcio Martins da Cruz of Ecole des Mines de Paris.
- Feature request #SF1890581: Attempt to clean up a UNIX domain socket in the non-AutoRestart case as well. Requested by Daniel Black.
- Add "MilterDebug" configuration file option for requesting debugging output from the filter.
- Add "FixCRLF" configuration file option which activates the DKIM_LIBFLAGS_FIXCRLF flag (see below).
- Update to draft-ietf-dkim-ssp-03. In doing so, rename the "UseSSPDeny" configuration option to "UseASPDiscard".
- Handle an error from dkim_getsighdr() properly in mlfi_eom().
- When VERIFY_DOMAINKEYS is active, don't short-circuit mlfi_eoh() between dk_verify() and dk_eoh() or a segmentation fault below dk_body() could result.
- LIBDKIM: Feature request #SF1823059: Export key, signature and policy syntax checking capability via the API. Based on a patch from Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Assert defaults for "c" and "q" tags when parsing signature headers. Patch from Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Better handling of truncated DNS replies; instead of just giving up if the "tc" (truncated) bit is set in the reply, see if there was enough of a reply returned to be able to complete the request.
- LIBDKIM: Fix recycling bug in header canonicalizations which was causing signatures other than the first one to fail in most cases.
- LIBDKIM: Add new dkim_chunk() interface.
- LIBDKIM: Enforce DKIM_OPTS_QUERYMETHOD library option even if there were no valid signatures.
- LIBDKIM: New DKIM_LIBFLAGS_FIXCRLF which requests that "naked" CRs and LFs be converted to CRLFs during canonicalization when signing.
- LIBDKIM: Fix bounds checking in dkim_canon_selecthdrs().
- LIBAR: Eliminate a possible race condition in ar_dispatcher().
- LIBAR: Timeouts passed to select() can't be bigger than 10^8. Problem noted by S. Moonesamy of Eland Systems.
- BUILD: Feature request #SF1876242: Install the filter in EBINDIR and everything else in UBINDIR.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-01-25 19:22:49

A new version of dkim-milter is now available for download from SourceForge. This is a minor patch release, fixing two uncommon crash bugs and tidying up a couple of things. One of the crash bugs was introduced in 2.4.3 so if you're running that version you should consider upgrading.

The formal release notes entry:

2.4.4 2008/01/25
- In mlfi_close(), don't assume the libmilter private context pointer is not NULL.
- Fail to start up if told to load a key list which resulted in no keys being loaded.
- When "AutoRestart" is in use, the parent will now wait for the child to terminate before exiting. Thus, something that signals the process ID in the pid file can also wait on that process to be gone before being sure that the service has actually shut down.
- Include the job ID when logging about Authentication-Results: headers that can't be parsed. Problem noted by S. Moonesamy.
- LIBDKIM: In dkim_policy(), skip invalid signatures during evaluation of step 1 of SSP as the signature handle may not have been fully populated.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-01-18 20:18:18

A new version of dkim-milter is now available for download from SourceForge. This is a minor bug fix release. Thanks to those who contributed patches and testing time!

The formal release notes entry:

2.4.3 2008/01/18
- Request addition of an "i=" tag in the signature when signing for subdomains. Patch from Alin Nastac.
- TOOLS: Fix bug #SF1867259: "echo -n" is not portable. Problem noted by Gary Mills.
- TOOLS: Fix bug #SF1867869: Output of the "t=" value was incorrect with respect to the "s" flag. Reported by Geoff Adams.
- LIBAR: Further handling of the absence of "nameserver" lines in resolv.conf, this time in the manual processing code.
- LIBDKIM: Fix bug #SF1867839: 64-bit portability in rfc2822.c. Patch from Geoff Adams.
- LIBDKIM: Tighten up correctness of the first SSP test ("valid originator signature") in dkim_policy(). Problem noted by Alin Nastac.
- BUILD: Fix bug #SF1818906: Update site.config.m4 to include a flag for installing libdkim when compiling static libraries, and installing dkim.h in either case. Requested by Chris Behrens of Concentric Network Corporation.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2008-01-03 00:42:17

Happy 2008 to everyone!

A new version of dkim-milter is now available for download from SourceForge. This is a minor bug fix and performance improvement release. The most serious issue addressed is a flaw in the logic of dkim_policy() which can cause incorrect policy conclusions in some circumstances.

The formal release notes entry:

2.4.2 2008/01/??
- Remove "-H" from the usage message. It was meant to be a command line interface to "AlwaysSignHeaders" but was never implemented. Problem noted by Jeff Anton.
- LIBDKIM: Make dkim_islwsp() into a macro to drastically reduce the number of function calls made during canonicalization.
- LIBDKIM: Fix bug #SF1857484: Fix logic problem in dkim_policy() with the new pstate checks. Problem noted by Werner Wiethege; patch from Chris Behrens of Concentric Network Corporation.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-12-20 22:33:04

A new version of dkim-milter is now available for download from SourceForge. This release contains a number of bug fixes and a number of performance improvement patches. It also updates the use of the proposed Authentication-Results: to match the most recent version of that draft.

The formal release notes entry:

2.4.1 2007/12/20
- Update for latest Authentication-Results: header draft.
- Avoid a NULL dereference in dkim_get_key(). Problem noted by Chris Behrens of Concentric Network Corporation.
- Fix bug #SF1842970: Make the overall header byte count check configurable, and increase the default. Also, add "On-Security" (configuration file) and "security" (command line) options for controlling the default reaction to such conditions. While we're at it, add an "On-Default" and "default" option for making a global action setting. Requested by Mark Martinec.
- Feature request #SF1841974: Numerous performance enhancements from Chris Behrens of Concentric Network Corporation.
- LIBAR: Fix bug #SF1852618: Handle default case of no "nameserver" lines in /etc/resolv.conf. Problem noted by Mike Markley of Bank of America.
- LIBDKIM: Fix bug #SF1824876: Add "dkim_pstate" and make dkim_policy() re-entrant. Requested by Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Fix bug #SF1843733, SF1843782: Tighten up header name matching in dkim_get_header() and dkim_get_sender(). Patches from Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Fix bug #SF1843788: Fix an off-by-one length bug in dkim_header(). Patch from Chris Behrens of Concentric Network Corporation.
- LIBDKIM: Fix bug #SF1850973: Remove MAXHDRCNT; make the arrays it previously defined dynamic. Reported by Mike Markley of Bank of America.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc.
Emeryville, CA, USA (510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-11-30 20:21:41

A new version of dkim-milter is now available for download from SourceForge.

This is a major improvement and fix-up release. Upgrade is recommended at all installations.

You'll see in the RELEASE_NOTES that quite a bit of work was done this time around. Special thanks this time go out to Chris Behrens of Concentric Network Corporation for his extensive testing of and patch contributions to libdkim.

Among the interesting fixes and updates:

- use of milter v2 optimizations
- numerous correctness fixes based on the results of the DKIM Interoperability Event in October
- new setup and test tools
- numerous libdkim API additions and improvements
- SSP algorithm updates to match the new draft
- fix a few uncommon memory leaks and crash issues
- two new FFRs, one for doing text replacement (anticipating MTA changes), one for doing selector assignment based on a specified header

The formal release notes entry:

2.4.0   2007/11/30
    Take advantage of some more features that were introduced with milter v2 in sendmail 8.14.0:
      o If all canonicalizations are satisfied in terms of length limits, advise the MTA to stop sending the message body to reduce unneeded I/O.
      o Turn off as many unnecessary SMTP protocol steps as possible.
      o Fail option negotiation if any of the milter features required are not available.
      o If specific MTA macros are to be used for making the sign vs. verify decision, explicitly request them.
    Prevent corruption in Authentication-Results: headers caused by signatures that have explicit "i=" values.
    Report "hardfail" instead of "fail" on authentication failures, in compliance with the Authentication-Results: draft.
    Amend the "-M" command line option and "MacroList" configuration options to allow a list of possible values for each macro.
    Add _FFR_SELECTOR_HEADER, adding the means to choose which selector (and thus which key) is used to sign based on the value found in a particular header. Requested by Steve Jones of Bank of America.
    Add dkimf_dstring*() (dynamic string) functions and clean up some code by making use of it.
    Skip all the userid and group changes when either "-u" or "UserID" is in use if the requested user is the same as the executing user.
    Fix use of "UseSSPDeny" to include handling of unsigned messages.
    Fix bug #SF1834701: Log a warning and temp-fail the message if a key list is in use that didn't match the sender for a message which should be signed. Problem noted by Jim Hermann.
    Patch #SF1796697: Add _FFR_REPLACE_RULES, adding the facility to do substring replacement before signing to anticipate things like the MTA "masquerade" and "genericstable" functions. Requires further development.
    Replace "gentxt.csh" with more robust "dkim-genkey" utility.
    Feature request #SF1811962: Add new utilities "dkim-testkey" which verifies that a public key is readable and properly formatted and matches the locally-provided private key, and "dkim-testssp" which retrieves a domain's sender signing practises record and prints it in a human-readable form. Based on code contributed by Daniel Black.
    Feature request #SF1817253: Add "UMask" configuration file option. Suggested by Daniel Black.
    Feature request #SF1818863: Add a section to site.config.m4.dist to request a build of the shared object version of libdkim. Requested by Chris Behrens of Concentric Network Corporation.
    Feature request #SF1834748: Use a more meaningful SMTP reply when rejecting a message at the SMTP level due to SSP. Suggested by S. Moonesamy of Eland Systems.
    LIBDKIM: Return DKIM_STAT_NOKEY from dkim_get_key_dns() if the answer count comes back zero, rather than DKIM_STAT_CANTVRFY. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Plug a memory leak in dkim_get_key(). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Replace a dicey memcpy() call with memmove(). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add DKIM_CBSTAT_NOTFOUND and DKIM_CBSTAT_ERROR callback return codes, and DKIM_STAT_CBERROR return code. Suggested by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add dkim_minbody() to determine how much more body text is required to satisfy canonicalizations.
    LIBDKIM: Add dkim_gethandlingstr() and dkim_getpolicystr() for translation of SSP handling and policy codes into printable strings.
    LIBDKIM: Add _FFR_PARSE_TIME, adding a utility function that can be used to detect that the timestamp on a signature and the value of the Date: header wildly differ. Incomplete.
    LIBDKIM: If a message comes in with no properly-formed sender headers, dkim_eoh() now renders the DKIM handle unusable by later data processing calls.
    LIBDKIM: Fix arithmetic in dkim_sig_expired().
    LIBDKIM: In dkim_eoh_verify(), check for a NULL user pointer return from rfc2822_mailbox_split() (was previously only checking for an error code or NULL domain). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1819489: Fix signature header name check in dkim_header(). Patch from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1819559: Fix key granularity processing.
    LIBDKIM: Fix bug #SF1819571: More robust processing of "s=" in keys.
    LIBDKIM: Fix bug #SF1819607: Allow "t=" and "x=" values up to 64 bits since RFC4871 requires at least 40.
    LIBDKIM: Fix bug #SF1820017: Don't accept signatures with no "v=" tag.
    LIBDKIM: Fix bug #SF1820060: The value of "q=" may be a colon-separated list of values to parse.
    LIBDKIM: Fix bug #SF1820080: The value of "i=" may be quoted-printable so do appropriate decoding.
    LIBDKIM: Fix bug #SF1820123: "simple" body canonicalization must contain at least CRLF.
    LIBDKIM: Fix bug #SF1820370: More graceful handling of grossly malformed signature headers. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1822287 and SF1822295: Update policy check code to use the draft-ietf-dkim-ssp-01 algorithm. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1822329: In dkim_get_policy(), check for and handle error returns from the subordinate lookup functions. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1822331: Use consistent return codes in dkim_get_policy_dns(). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1832703: When looking for headers to canonicalize during verification, disregard spaces between the header name and the colon (":") character. Problem noted by James Sargent of AOL.
    LIBDKIM: Fix bug #SF1838826: Several fixes with respect to processing key and policy flags. Problems noted by Marc Martinec.
    LIBDKIM: Feature request #SF1821005: Add dkim_getdomain(), an accessor function for dkim_domain. Requested by Chris Behrens of Concentric Network Corporation.
    Activate _FFR_QUERY_CACHE (Feature request #SF1675359) and _FFR_SELECT_SIGN_HEADERS.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

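Several LIBDKIM entries in the 2.4.0 notes above concern signature tag validation: signatures with no "v=" tag are refused, and "t=" and "x=" values are allowed up to 64 bits. The C code below is an added example showing one strict way to perform those checks; it is not code from dkim-milter or libdkim, and the function names, result codes and the rule that "x=" must exceed "t=" (taken from RFC 4871) are assumptions of the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result codes for this example, not libdkim's DKIM_STAT_* values. */
enum sig_check { SIG_OK, SIG_NO_VERSION, SIG_BAD_TIME, SIG_EXPIRED };

/* Find tag `name` in a "tag=value; tag=value" list; the value comes back trimmed. */
static int get_tag(const char *sig, const char *name, const char **val, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = sig; p != NULL && *p != '\0'; ) {
        const char *semi = strchr(p, ';');
        const char *end = semi ? semi : p + strlen(p);
        while (p < end && isspace((unsigned char)*p)) p++;
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0) {
            const char *q = p + nlen;
            while (q < end && isspace((unsigned char)*q)) q++;
            if (q < end && *q == '=') {
                do q++; while (q < end && isspace((unsigned char)*q));
                while (end > q && isspace((unsigned char)end[-1])) end--;
                *val = q; *len = (size_t)(end - q);
                return 1;
            }
        }
        p = semi ? semi + 1 : NULL;
    }
    return 0;
}

/* Digits only, so "-1" and "+5" fail; anything past 64 bits fails instead of wrapping. */
static int parse_u64(const char *s, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        uint64_t d = (uint64_t)(s[i] - '0');
        if (v > (UINT64_MAX - d) / 10) return 0;
        v = v * 10 + d;
    }
    *out = v;
    return n > 0;
}

/* Validate v=, t= and x= of a DKIM-Signature value against the current time `now`. */
enum sig_check check_sig_tags(const char *sig, uint64_t now)
{
    const char *v = NULL; size_t n = 0; uint64_t t = 0, x = 0;
    if (!get_tag(sig, "v", &v, &n) || n != 1 || v[0] != '1') return SIG_NO_VERSION;
    int have_t = get_tag(sig, "t", &v, &n), have_x;
    if (have_t && !parse_u64(v, n, &t)) return SIG_BAD_TIME;
    if ((have_x = get_tag(sig, "x", &v, &n)) && !parse_u64(v, n, &x)) return SIG_BAD_TIME;
    if (have_t && have_x && x <= t) return SIG_BAD_TIME;   /* x= must exceed t= */
    return (have_x && now > x) ? SIG_EXPIRED : SIG_OK;
}
```

Parsing the timestamps by hand avoids strtoull(), which silently accepts a leading minus sign and wraps the result.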
From: Murray S. K. <ms...@se...> - 2007-10-19 18:53:18

A new version of dkim-milter is now available for download from SourceForge.

This is a minor bug fix release along the 2.3.x code base. It fixes bugs involving the "RemoveARFrom" and "UseSSPDeny" settings as well as one rare crash condition tripped when malformed key records are retrieved while handling a multiply signed message.

The formal release notes entry:

2.3.2   2007/10/19
    Fix bug #25896: Fix a bug in parsing of "RemoveARFrom".
    LIBDKIM: Fix a bug in the key reuse block of dkim_get_key() which assumed that a domain and selector match guaranteed a copied key and key tag list.
    LIBDKIM: Fix bug #SF1812687: Fix handling check in dkim_get_policy(). Patch from Daniel Black.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-10-13 01:41:23

A new version of dkim-milter is now available for download from SourceForge.

This release fixes a number of minor bugs, most of which are in the recently-introduced test mode. It should not be considered a mandatory release unless you make use of that mode.

The formal release notes entry:

2.3.1   2007/10/12
    Fix header loss problem in test mode.
    Fix bug #SF1808886: Handle missing or empty test inputs more gracefully. Based on a patch from Kaspar Brand.
    Fix bug #SF1808881: Check various integer conversions for negative, overflow or inappropriate values. Suggested by Kaspar Brand.
    Feature request #SF1809239: Restore performance of test mode on large messages. Requested by Kaspar Brand.
    Patch #SF1811132: Include <stdlib.h> in test.c for malloc() prototype. Patch from Daniel Black.
    BUILD: Patch #SF1810712: Correct default location for the Tre regular expression library. Suggested by Daniel Black.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-10-06 15:10:22

A new version of dkim-milter is now available for download from SourceForge.

This new release updates dkim-milter to be compliant with the revised Sender Signing Practises (SSP) draft from the DKIM working group at IETF. A test mode has been added for manual evaluation of messages in both signing and verifying modes. There is also a new configuration option regarding limiting the length of the signed portion of a message, and support has been re-added for some later versions of the pre-RFC DKIM drafts. Finally, a number of minor bug fixes have been included.

Special thanks go to Kaspar Brand for his extensive testing and code contributions.

The formal release notes entry:

2.3.0   2007/10/06
    Add "UseSSPDeny" configuration option which causes the filter to reject messages which are determined to be suspicious according to the new draft-ietf-dkim-ssp-01, and whose sending domains advertise a recommended handling of "deny", and whose SSP records are not in "test" mode.
    Add "MaximumSignedBytes" configuration option limiting the number of bytes of the message body to be signed.
    Add "-t" command line option for reading an RFC2822-formatted message from a named file and attempting to evaluate it, "-F" command line option for using a fixed signing time, and "-v" command line option for requesting verbose output. Finally, new configuration option "StrictTestMode" asserts that all lines of input must be CRLF-terminated. Based on patches from Kaspar Brand.
    Add "TestPublicKeys" setting for instructing libdkim to read public keys from a file, for use during automated testing. Based on a patch from Jeff Barry.
    When using _FFR_QUERY_CACHE, periodically report cache activity statistics.
    Don't arbitrarily suppress signing of already-signed messages.
    Fix bug #25728: When "AutoRestart" is in use, try to remove the socket (if it's a UNIX domain socket) prior to trying to start the child.
    LIBDKIM: Add dkim_getmode() function.
    LIBDKIM: Fixes to policy evaluation in dkim_policy(). Based on a patch from Jeff Barry.
    LIBDKIM: Patch #SF1796687: Add DKIM_LIBFLAGS_ACCEPTV05 which causes the library to accept signatures with version strings of "0.5", i.e. those based on later versions of the DKIM draft specification. This does not change any other part of signature validation or canonicalization, only the version string test. Suggested by Jim Fenton of Cisco.
    LIBDKIM: When closing canonicalizations, flush the temporary files rather than closing them so that things like dkim_reportinfo() return useful descriptors. Close the temporary files in dkim_canon_free() only. Problem noted by Jeff Barry.
    LIBDKIM: Fix variable argument processing by merging dkim_error() and dkim_verror(). The previous code was causing segmentation faults on selected operating systems.
    Activate the following FFRs:
      _FFR_KEY_REUSE
      _FFR_SET_REPLY

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-09-07 16:21:07

A new version of dkim-milter is now available for download from SourceForge.

This release is mostly a series of minor bug fixes. It also resolves a couple of compile-time problems introduced in the previous version.

Nearly all the changes in this version were submitted by the open source community. Thank you for your contributions!

The formal release notes entry:

2.2.1   2007/09/07
    Insert VBR headers at the top rather than appending them to be sensitive to legacy DomainKeys operations. Patch from S. Moonesamy of Eland Systems.
    Discontinue use of MAXHOSTNAMELEN as the maximum size of a hostname since some vendors set it to 64 (maximum size of a DNS label) and some to 256 (maximum size of an FQDN). Instead, define and use DKIM_MAXHOSTNAMELEN (256). Problem noted by Jeff Barry.
    LIBDKIM: Rename and update the default_signhdrs and default_skiphdrs arrays to match what's in RFC4871 section 5.5 SHOULD and SHOULD NOT lists.
    LIBDKIM: Apply DKIM_OPTS_SKIPHDRS only when signing.
    LIBDKIM: Add missing entries to prv_results, and add a dkim_getresultstr() function for translating DKIM_STAT result codes. Patch from Kaspar Brand.
    Fix bug #SF1785624: Resolve build problem introduced in previous version when NETINET6 is in use. Reported by Andrew Benham.
    Fix bug #SF1786033: Resolve build problem introduced in previous version affecting later versions of Solaris. Reported by Andy Fiddaman.
    Fix bug #SF1787473: Initialize the default "-i" list properly (given changes made in the previous version) so that mail from localhost still gets signed. Reported by Graham Murray.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-08-31 01:13:05

A new version of dkim-milter is now available for download from SourceForge.

This release makes some of the configuration files (i.e. the peerfile, internal and external host lists) more versatile in that they can now contain pattern exceptions. It's also now possible to name a group into which the child process should be placed rather than just a userid. One other minor feature request was applied. Finally, this new libdkim contains fixes for handling of replies containing CNAME records and proper handling of signature wrapping.

The formal release notes entry:

2.2.0   2007/08/30
    Change format of the peerfile, internal and external host lists, etc. to allow exclusion entries. See the man page for additional details.
    Amend "-u" to include the ability to name a group into which the filter process should be placed.
    Feature request #SF1783155: Make keylist pattern matching case-insensitive.
    LIBDKIM: Handle CNAMEs properly when using the standard resolver. Problem noted by Jim Fenton of Cisco.
    LIBDKIM: Fix bug #SF1782076: Adjust signature header wrapping logic so that a "b=" against the margin gets wrapped consistently when signing and verifying.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com

From: Murray S. K. <ms...@se...> - 2007-08-22 13:59:44

A new version of dkim-milter is now available for download from SourceForge.

This is a bugfix release which repairs two problems in "relaxed" body canonicalization mode, one having to do with length limits and one having to do with general correctness. There's also a minor improvement in the way certain error messages are handled.

The formal release notes entry:

2.1.2   2007/08/22
    LIBDKIM: At the end of dkim_eoh_verify(), don't overwrite any existing descriptive error text before returning on verification errors. Problem noted by Andy Fiddaman.
    LIBDKIM: Remove redundant assertion of length limits in dkim_canon_bodychunk(). The code in dkim_canon_write() has it correct, so use that instead. Problem noted by Mark Martinec.
    LIBDKIM: Fix bug #SF1777332: Fix "relaxed" body canonicalization. Some code from the older implementation was still present conflicting with the newer code. Reported by Andrey Chernov.

Please use the trackers and mailing lists on SourceForge to report problems or make comments or other suggestions.

--
Murray S. Kucherawy ========================================= ms...@se...
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com