DKIM exploit fix

This commit is contained in:
mdecimus 2024-05-18 10:39:27 +02:00
parent 7535caf5da
commit 21137080f8
8 changed files with 15 additions and 12 deletions


@ -29,4 +29,4 @@ human-size = "0.4.2"
futures = "0.3.28"
pwhash = "1.0.0"
rand = "0.8.5"
mail-auth = "0.3.7"
mail-auth = { version = "0.4" }


@ -12,7 +12,7 @@ directory = { path = "../directory" }
jmap_proto = { path = "../jmap-proto" }
sieve-rs = { version = "0.5" }
mail-parser = { version = "0.9", features = ["full_encoding", "ludicrous_mode"] }
mail-auth = { version = "0.3" }
mail-auth = { version = "0.4" }
mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
smtp-proto = { version = "0.1", features = ["serde_support"] }
dns-update = { version = "0.1" }


@ -34,6 +34,7 @@ pub struct MailAuthConfig {
pub struct DkimAuthConfig {
pub verify: IfBlock,
pub sign: IfBlock,
pub strict: bool,
}
#[derive(Clone)]
@ -95,6 +96,7 @@ impl Default for MailAuthConfig {
)],
"false",
),
strict: true,
},
arc: ArcAuthConfig {
verify: IfBlock::new::<VerifyStrategy>("auth.arc.verify", [], "relaxed"),
@ -180,6 +182,9 @@ impl MailAuthConfig {
*value = if_block;
}
}
mail_auth.dkim.strict = config
.property_or_default("auth.dkim.strict", "true")
.unwrap_or(true);
// Parse signatures
for id in config
@ -364,11 +369,6 @@ fn parse_signature<T: SigningKey, U: SigningKey<Hasher = Sha256>>(
sealer = sealer.expiration(c.as_secs());
}
if let Some(true) = config.property::<bool>(("signature", id, "set-body-length")) {
signer = signer.body_length(true);
sealer = sealer.body_length(true);
}
if let Some(true) = config.property::<bool>(("signature", id, "report")) {
signer = signer.reporting(true);
}
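Review bot: Dropping the `set-body-length` option (the removed block at the end of this hunk) means a deployed config that still sets `signature.<id>.set-body-length = true` is now silently ignored rather than reported, so operators who relied on it get no signal that their configuration changed meaning. Since refusing to emit a body-length limit appears to be the fix itself (a DKIM `l=` tag lets unsigned content be appended after the signed body — inferred from the `body_length` builder name, confirm against mail-auth 0.4), a parse-time warning through whatever the config loader already uses for rejected keys would be cheap, e.g. `if config.property::<bool>(("signature", id, "set-body-length")).is_some() { /* warn: signature.<id>.set-body-length is no longer supported and is ignored */ }`. The same applies to the new `auth.dkim.strict` parse: `.unwrap_or(true)` fails closed, which is the right default, but it also hides a malformed value unless `property_or_default` reports it elsewhere. `parse_signature` starts before and ends after this hunk.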


@ -16,7 +16,7 @@ smtp-proto = { version = "0.1" }
mail-parser = { version = "0.9", features = ["full_encoding", "serde_support", "ludicrous_mode"] }
mail-builder = { version = "0.3", features = ["ludicrous_mode"] }
mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
mail-auth = { version = "0.3", features = ["generate"] }
mail-auth = { version = "0.4", features = ["generate"] }
sieve-rs = { version = "0.5" }
serde = { version = "1.0", features = ["derive"]}
serde_json = "1.0"


@ -17,7 +17,7 @@ utils = { path = "../utils" }
nlp = { path = "../nlp" }
directory = { path = "../directory" }
common = { path = "../common" }
mail-auth = { version = "0.3" }
mail-auth = { version = "0.4" }
mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
mail-parser = { version = "0.9", features = ["full_encoding", "ludicrous_mode"] }
mail-builder = { version = "0.3", features = ["ludicrous_mode"] }


@ -56,7 +56,10 @@ impl<T: SessionStream> Session<T> {
pub async fn queue_message(&mut self) -> Cow<'static, [u8]> {
// Authenticate message
let raw_message = Arc::new(std::mem::take(&mut self.data.message));
let auth_message = if let Some(auth_message) = AuthenticatedMessage::parse(&raw_message) {
let auth_message = if let Some(auth_message) = AuthenticatedMessage::parse_with_opts(
&raw_message,
self.core.core.smtp.mail_auth.dkim.strict,
) {
auth_message
} else {
tracing::info!(parent: &self.span,
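Review bot: The second argument to `parse_with_opts` is a bare `bool`, so at this call site nothing says what `strict` enforces or why it is a security setting; a one-line comment would keep that intent from being lost in a later refactor, e.g. `// strict DKIM parsing (auth.dkim.strict): presumably rejects signatures that rely on the l= body-length tag — confirm against mail-auth 0.4`. The `else` branch that follows handles any `None` from `parse_with_opts`, strict or not, so including the `strict` value in the log call that begins on the last line of this hunk would help tell a strict-mode rejection apart from an unparsable message during triage. `queue_message` continues past the end of this hunk.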


@ -12,7 +12,7 @@ tokio = { version = "1.23", features = ["net", "macros"] }
tokio-rustls = { version = "0.25.0"}
serde = { version = "1.0", features = ["derive"]}
tracing = "0.1"
mail-auth = { version = "0.3" }
mail-auth = { version = "0.4" }
smtp-proto = { version = "0.1" }
mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
dashmap = "5.4"


@ -29,7 +29,7 @@ common = { path = "../crates/common", features = ["test_mode"] }
managesieve = { path = "../crates/managesieve", features = ["test_mode"] }
smtp-proto = { version = "0.1" }
mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
mail-auth = { version = "0.3", features = ["test"] }
mail-auth = { version = "0.4", features = ["test"] }
sieve-rs = { version = "0.5" }
utils = { path = "../crates/utils", features = ["test_mode"] }
jmap-client = { version = "0.3", features = ["websockets", "debug", "async"] }