fastmail / mail-dkim Goto Github PK

        unless ( $self->{'Domain'} ) {
            die 'invalid header property';
        }

shouldnt that be "invalid domain property" ?

Hi,

I (and a lot of other people) are using Mail::DKIM as part of SpamAssassin to verify the DKIM signatures on mails. SpamAssassin logs that the signatures on my mails were faulty, but opendkim says they're okay (but opendkim-testmsg fails to parse the DKIM headers, so I'm even further down the rabbit hole).

Is there some way to make this packet tell me why it regards the signature as valid?

In Debian, we have the following bug report about scripts/dkimsign.pl (shipped as dkimproxy-sign):
https://bugs.debian.org/961472
which, in two parts, suggest to change the default algorithm from rsa-sha1 to rsa-sha256, referring to RFC 8301, and also notes that the POD in the script only documents part of the actual options.

Thanks for considering,
gregor, Debian Perl Group

While testing a test version of Net::DNS which is version 1.40_02 I encountered an error in DKIM/PublickKey.pm where it checks the version. Also, see issue #8 in which the actual problem was the same bug in SpamAssassin that I have fixed in the upcoming 4.0.1 release, although your workaround in DKIM avoids the bug in SpamAssassin and is fine.

The correct way to check versions in perl is to add

use version;

(See https://metacpan.org/pod/version)
and then change line 107 to do the version comparison like this

if ( version->parse(Net::DNS->VERSION) >= version->parse(0.69) )

RFC 6376 section 5.3.1 defines the "l=" tag of the DKIM-Signature header
field.
Mail::DKIM supports this for verification but not for signing.

https://tools.ietf.org/html/rfc6376#section-3.2 states:

Tags with duplicate names MUST NOT occur within a single tag-list;
if a tag name does occur more than once, the entire tag-list is invalid.

Suggestion:

diff --git a/lib/Mail/DKIM/KeyValueList.pm b/lib/Mail/DKIM/KeyValueList.pm
index 0d98574..1c33fe9 100644
--- a/lib/Mail/DKIM/KeyValueList.pm
+++ b/lib/Mail/DKIM/KeyValueList.pm
@@ -50 +50,6 @@ sub parse {
-        $self->{tags_by_name}->{$tagname} = $tag;
+        if (defined $self->{tags_by_name}->{$tagname}) {
+            # https://tools.ietf.org/html/rfc6376#section-3.2
+            croak 'reused tag name';
+        } else {
+            $self->{tags_by_name}->{$tagname} = $tag;
+        }

Hello,

I'm getting a crash on FreeBSD 13.2 while checking DKIM signature in Amavisd-new. Stack trace attached..

Mail-DKIM-1.20230911
amavisd-new-2.12.2_1,1
AmavisCrash.txt

Regards,
Armin.

See fastmail/authentication_milter#28

I think I've might stumbled upon a bug when the 'v=' tag is missing in a DKIM record. The DKIM record below does not have a 'v=' tag. This tag is RECOMMENDED but not REQUIRED in the key record but the absence seems to result in a 'temperror' with a human_result blaming an unsupported algorithm.

Example:

20160525114544pm._domainkey.paddle.com descriptive text "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ6rcSjbkJ/G7dApE4FynJ6jTYI2pKgE9QVDAf0OLpg6WdvtwqyKaayHcqrIljorgs9jZjhQbdF14e1DGcTXPJF8m0tfeQeeNgP5PaHel0plhLJDpT964zfZaUEr5NLeE0fkMZ16CiAyB8ZpH4y4m8FK5O5HGvkAuTgmfF4bVYhwIDAQAB"

DMARC report:

<dkim>
	<domain>paddle.com</domain>
	<selector>20160525114544pm</selector>
	<result>temperror</result>
	<human_result>invalid (unsupported algorithm rsa-sha1)</human_result>
</dkim>

Hi. I'm the author of "better-qmail-remote", a wrapper around qmail-remote that adds DKIM signatures. The project is currently using Mail::DKIM. I've been asked to support EdDSA (ed25519) keys, which I have done, but have realized that Mail::DKIM does not yet support such keys. What are your thoughts on adding such support?

Here is my project branch that supports EdDSA: https://github.com/pflanze/better-qmail-remote/tree/issue1

Here is the original issue on the matter: pflanze/better-qmail-remote#1

Thanks a lot!

Running /usr/bin/sa-learn --sync via a cronjob of amavisd-new complains about wrong arguments:

Argument "1.20200513.1" isn't numeric in numeric ge (>=) at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm line 686.

Argument "1.20200513.1" isn't numeric in numeric ge (>=) at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm line 809.

This seems to be caused by the new versioning of libmail-dkim-perl.