From 21137080f85bfc9c86868e759b13060381935f9e Mon Sep 17 00:00:00 2001
From: mdecimus
Date: Sat, 18 May 2024 10:39:27 +0200
Subject: [PATCH] DKIM exploit fix

---
 crates/cli/Cargo.toml | 2 +-
 crates/common/Cargo.toml | 2 +-
 crates/common/src/config/smtp/auth.rs | 10 +++++-----
 crates/jmap/Cargo.toml | 2 +-
 crates/smtp/Cargo.toml | 2 +-
 crates/smtp/src/inbound/data.rs | 5 ++++-
 crates/utils/Cargo.toml | 2 +-
 tests/Cargo.toml | 2 +-
 8 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml
index 1605e955..6ee8ff6f 100644
--- a/crates/cli/Cargo.toml
+++ b/crates/cli/Cargo.toml
@@ -29,4 +29,4 @@ human-size = "0.4.2"
 futures = "0.3.28"
 pwhash = "1.0.0"
 rand = "0.8.5"
-mail-auth = "0.3.7"
+mail-auth = { version = "0.4" }
diff --git a/crates/common/Cargo.toml b/crates/common/Cargo.toml
index 7b811c91..ffb4f239 100644
--- a/crates/common/Cargo.toml
+++ b/crates/common/Cargo.toml
@@ -12,7 +12,7 @@ directory = { path = "../directory" }
 jmap_proto = { path = "../jmap-proto" }
 sieve-rs = { version = "0.5" }
 mail-parser = { version = "0.9", features = ["full_encoding", "ludicrous_mode"] }
-mail-auth = { version = "0.3" }
+mail-auth = { version = "0.4" }
 mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
 smtp-proto = { version = "0.1", features = ["serde_support"] }
 dns-update = { version = "0.1" }
diff --git a/crates/common/src/config/smtp/auth.rs b/crates/common/src/config/smtp/auth.rs
index f01e39d9..64c67608 100644
--- a/crates/common/src/config/smtp/auth.rs
+++ b/crates/common/src/config/smtp/auth.rs
@@ -34,6 +34,7 @@ pub struct MailAuthConfig {
 pub struct DkimAuthConfig {
 pub verify: IfBlock,
 pub sign: IfBlock,
+ pub strict: bool,
 }
 
 #[derive(Clone)]
@@ -95,6 +96,7 @@ impl Default for MailAuthConfig {
 )],
 "false",
 ),
+ strict: true,
 },
 arc: ArcAuthConfig {
 verify: IfBlock::new::("auth.arc.verify", [], "relaxed"),
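Review bot: The new `pub strict: bool` field on `DkimAuthConfig` carries no doc comment, and nothing in this hunk says what the flag relaxes when it is false, even though the same commit threads it into `AuthenticatedMessage::parse_with_opts` for every inbound message. A field comment is the one place an operator reading the config types will find the trade-off: `/// Strict DKIM signature parsing (config key auth.dkim.strict, default true). Set to false only for compatibility; it appears to re-enable the lenient behaviour that the mail-auth 0.4 upgrade in this commit is meant to close.` The exact semantics live in mail-auth rather than in this file, so the wording should be checked against that crate's `parse_with_opts` before landing. The `DkimAuthConfig` struct is fully inside the hunk; the enclosing `MailAuthConfig` begins earlier in the file.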
@@ -180,6 +182,9 @@ impl MailAuthConfig { *value = if_block; } } + mail_auth.dkim.strict = config + .property_or_default("auth.dkim.strict", "true") + .unwrap_or(true); // Parse signatures for id in config @@ -364,11 +369,6 @@ fn parse_signature>( sealer = sealer.expiration(c.as_secs()); } - if let Some(true) = config.property::(("signature", id, "set-body-length")) { - signer = signer.body_length(true); - sealer = sealer.body_length(true); - } - if let Some(true) = config.property::(("signature", id, "report")) { signer = signer.reporting(true); } diff --git a/crates/jmap/Cargo.toml b/crates/jmap/Cargo.toml index 248cd050..ad600bc6 100644 --- a/crates/jmap/Cargo.toml +++ b/crates/jmap/Cargo.toml @@ -16,7 +16,7 @@ smtp-proto = { version = "0.1" } mail-parser = { version = "0.9", features = ["full_encoding", "serde_support", "ludicrous_mode"] } mail-builder = { version = "0.3", features = ["ludicrous_mode"] } mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] } -mail-auth = { version = "0.3", features = ["generate"] } +mail-auth = { version = "0.4", features = ["generate"] } sieve-rs = { version = "0.5" } serde = { version = "1.0", features = ["derive"]} serde_json = "1.0" diff --git a/crates/smtp/Cargo.toml b/crates/smtp/Cargo.toml index b8b55689..0e961db7 100644 --- a/crates/smtp/Cargo.toml +++ b/crates/smtp/Cargo.toml @@ -17,7 +17,7 @@ utils = { path = "../utils" } nlp = { path = "../nlp" } directory = { path = "../directory" } common = { path = "../common" } -mail-auth = { version = "0.3" } +mail-auth = { version = "0.4" } mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] } mail-parser = { version = "0.9", features = ["full_encoding", "ludicrous_mode"] } mail-builder = { version = "0.3", features = ["ludicrous_mode"] } diff --git a/crates/smtp/src/inbound/data.rs b/crates/smtp/src/inbound/data.rs index 13bb1bc5..2e3a1976 100644 --- a/crates/smtp/src/inbound/data.rs +++ b/crates/smtp/src/inbound/data.rs 
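Review bot: Dropping the `signature.<id>.set-body-length` branch means a configuration that still sets that key is now silently ignored rather than rejected or warned about, so an operator who relied on `l=` body-length signing gets no signal that the shape of their signatures changed after the upgrade. Stopping the emission of `l=` is the right call — a signature that covers only a prefix of the body lets anyone append content without invalidating it — but the removal should be surfaced: keep a lookup of the key in `parse_signature` and report it through whatever build-warning mechanism the `Config` builder already offers, with a message such as `set-body-length is no longer supported; signatures always cover the full body`, and list the removed key in the changelog. The removal appears to track mail-auth 0.4 dropping `body_length` from the signer and sealer, which is worth stating in the commit message since the title alone ("DKIM exploit fix") does not mention the signing-side change. `parse_signature` starts and ends outside the hunk.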
@@ -56,7 +56,10 @@ impl Session {
 pub async fn queue_message(&mut self) -> Cow<'static, [u8]> {
 // Authenticate message
 let raw_message = Arc::new(std::mem::take(&mut self.data.message));
- let auth_message = if let Some(auth_message) = AuthenticatedMessage::parse(&raw_message) {
+ let auth_message = if let Some(auth_message) = AuthenticatedMessage::parse_with_opts(
+ &raw_message,
+ self.core.core.smtp.mail_auth.dkim.strict,
+ ) {
 auth_message
 } else {
 tracing::info!(parent: &self.span,
diff --git a/crates/utils/Cargo.toml b/crates/utils/Cargo.toml
index 22a36ada..14ef9a71 100644
--- a/crates/utils/Cargo.toml
+++ b/crates/utils/Cargo.toml
@@ -12,7 +12,7 @@ tokio = { version = "1.23", features = ["net", "macros"] }
 tokio-rustls = { version = "0.25.0"}
 serde = { version = "1.0", features = ["derive"]}
 tracing = "0.1"
-mail-auth = { version = "0.3" }
+mail-auth = { version = "0.4" }
 smtp-proto = { version = "0.1" }
 mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
 dashmap = "5.4"
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
index c7ff46c5..f29f48a8 100644
--- a/tests/Cargo.toml
+++ b/tests/Cargo.toml
@@ -29,7 +29,7 @@ common = { path = "../crates/common", features = ["test_mode"] }
 managesieve = { path = "../crates/managesieve", features = ["test_mode"] }
 smtp-proto = { version = "0.1" }
 mail-send = { version = "0.4", default-features = false, features = ["cram-md5"] }
-mail-auth = { version = "0.3", features = ["test"] }
+mail-auth = { version = "0.4", features = ["test"] }
 sieve-rs = { version = "0.5" }
 utils = { path = "../crates/utils", features = ["test_mode"] }
 jmap-client = { version = "0.3", features = ["websockets", "debug", "async"] }
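Review bot: The call site passes `self.core.core.smtp.mail_auth.dkim.strict` as a bare positional bool, and nothing in `queue_message` tells a reader that this is the switch between the hardened signature parsing this commit introduces and the previous lenient mode; a comment above the call should name it, e.g. `// auth.dkim.strict: hardened signature parsing from mail-auth 0.4; false restores the lenient pre-upgrade behaviour`. Because the flag is read on every call and a non-strict value takes effect with no log line, it would also be worth emitting a one-time warning at config load (not here) when the value is false, so that a relaxed deployment is visible in the logs. What strict mode actually rejects is decided inside mail-auth's `parse_with_opts`, not in this hunk, so the comment wording should be checked against that crate. `queue_message` continues past the hunk and its else branch is cut off.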