
mail-dkim's Issues

EdDSA (ed25519) support

Hi. I'm the author of "better-qmail-remote", a wrapper around qmail-remote that adds DKIM signatures. The project is currently using Mail::DKIM. I've been asked to support EdDSA (ed25519) keys, which I have done, but have realized that Mail::DKIM does not yet support such keys. What are your thoughts on adding such support?

Here is my project branch that supports EdDSA: https://github.com/pflanze/better-qmail-remote/tree/issue1

Here is the original issue on the matter: pflanze/better-qmail-remote#1

Thanks a lot!

Add support for l= tag

RFC 6376 section 5.3.1 defines the "l=" tag of the DKIM-Signature header field.
Mail::DKIM supports this for verification but not for signing.

Argument "1.20200513.1" isn't numeric

Running /usr/bin/sa-learn --sync via a cronjob of amavisd-new complains about wrong arguments:

Argument "1.20200513.1" isn't numeric in numeric ge (>=) at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm line 686.

Argument "1.20200513.1" isn't numeric in numeric ge (>=) at /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm line 809.

This seems to be caused by the new versioning of libmail-dkim-perl.

incorrect 'unsupported algorithm' when 'v='-tag is missing

See fastmail/authentication_milter#28

I think I might have stumbled upon a bug when the 'v=' tag is missing in a DKIM record. The DKIM record below does not have a 'v=' tag. This tag is RECOMMENDED but not REQUIRED in the key record, but its absence seems to result in a 'temperror' with a human_result blaming an unsupported algorithm.

Example:

20160525114544pm._domainkey.paddle.com descriptive text "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ6rcSjbkJ/G7dApE4FynJ6jTYI2pKgE9QVDAf0OLpg6WdvtwqyKaayHcqrIljorgs9jZjhQbdF14e1DGcTXPJF8m0tfeQeeNgP5PaHel0plhLJDpT964zfZaUEr5NLeE0fkMZ16CiAyB8ZpH4y4m8FK5O5HGvkAuTgmfF4bVYhwIDAQAB"

DMARC report:

<dkim>
	<domain>paddle.com</domain>
	<selector>20160525114544pm</selector>
	<result>temperror</result>
	<human_result>invalid (unsupported algorithm rsa-sha1)</human_result>
</dkim>

Verifier accepts tag duplicates

https://tools.ietf.org/html/rfc6376#section-3.2 states:

Tags with duplicate names MUST NOT occur within a single tag-list;
if a tag name does occur more than once, the entire tag-list is invalid.

Suggestion:

diff --git a/lib/Mail/DKIM/KeyValueList.pm b/lib/Mail/DKIM/KeyValueList.pm
index 0d98574..1c33fe9 100644
--- a/lib/Mail/DKIM/KeyValueList.pm
+++ b/lib/Mail/DKIM/KeyValueList.pm
@@ -50 +50,6 @@ sub parse {
-        $self->{tags_by_name}->{$tagname} = $tag;
+        if (defined $self->{tags_by_name}->{$tagname}) {
+            # https://tools.ietf.org/html/rfc6376#section-3.2
+            croak 'reused tag name';
+        } else {
+            $self->{tags_by_name}->{$tagname} = $tag;
+        }
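
Review bot: the new croak 'reused tag name' in parse relies on Carp being imported in KeyValueList.pm, which this hunk does not show; confirm that "use Carp;" is already in the file, or add it, so the duplicate case raises the intended error rather than an undefined-subroutine failure. The message should also name the offending tag (for example "reused tag name '$tagname'") so the rejected signature or key record can be diagnosed from the log. Since croak never returns, the else branch is unnecessary: a statement-modifier form (croak ... if defined ...) followed by the original assignment keeps the change smaller. A test with a tag-list that repeats a name would pin the new behaviour.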

Argument isn't numeric error in PublicKey.pm when using test version of Net::DNS

While testing a test version of Net::DNS which is version 1.40_02 I encountered an error in DKIM/PublicKey.pm where it checks the version. Also, see issue #8 in which the actual problem was the same bug in SpamAssassin that I have fixed in the upcoming 4.0.1 release, although your workaround in DKIM avoids the bug in SpamAssassin and is fine.

The correct way to check versions in Perl is to add

use version;

(See https://metacpan.org/pod/version)
and then change line 107 to do the version comparison like this

if ( version->parse(Net::DNS->VERSION) >= version->parse(0.69) )

Verify DKIM ed25519 crash

Hello,

I'm getting a crash on FreeBSD 13.2 while checking DKIM signature in Amavisd-new. Stack trace attached.

Mail-DKIM-1.20230911
amavisd-new-2.12.2_1,1
AmavisCrash.txt

Regards,
Armin.

Extra space after "d=" tag when using ccTLD (.co.jp etc.) domain

The outgoing headers from the hogehoge-kk.com domain are respectively
DKIM-Signature:
v=1; a=rsa-sha256; c=relaxed/relaxed; d=hogehoge-kk.com;
It is correctly sent, but
The outgoing headers from the hogehoge-kk.co.jp domain are respectively
DKIM-Signature:
v=1; a=rsa-sha256; c=relaxed/relaxed; d= hogehoge-kk.co.jp;
which has one extra space after "d=".

If extra spaces are added to the d tag, some MTAs, such as outlook.com, may receive a DKIM fail decision.
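
An added example, not Mail::DKIM's code or the reporter's: RFC 6376 section 3.2 allows folding whitespace on either side of a tag value, and the same section makes a tag-list with a repeated tag name invalid, so a verifier-side parser strips the former and rejects the latter. The helper name parse_tag_list and the example.com / example.net values are assumptions made for this sketch; the two hogehoge headers are the ones quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse a DKIM tag-list (RFC 6376 section 3.2) into a hash reference.
# Dies if a tag-spec is malformed or a tag name occurs more than once.
# parse_tag_list is a hypothetical helper, not part of Mail::DKIM.
sub parse_tag_list {
    my ($raw) = @_;
    my %tags;

    # A single trailing ";" is permitted after the last tag-spec.
    (my $list = $raw) =~ s/;[ \t\r\n]*\z//;

    for my $spec (split /;/, $list, -1) {
        # tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS]
        my ($name, $value) = $spec =~ m{
            \A [ \t\r\n]* ([A-Za-z][A-Za-z0-9_]*) [ \t\r\n]* =
            [ \t\r\n]* (.*?) [ \t\r\n]* \z
        }xs or die "malformed tag-spec: '$spec'\n";

        # Tag names are case-sensitive; a repeat invalidates the whole list.
        die "duplicate tag name '$name'\n" if exists $tags{$name};
        $tags{$name} = $value;
    }
    return \%tags;
}

# Inputs: the two headers from the report, plus one constructed duplicate.
my @samples = (
    'v=1; a=rsa-sha256; c=relaxed/relaxed; d=hogehoge-kk.com;',
    'v=1; a=rsa-sha256; c=relaxed/relaxed; d= hogehoge-kk.co.jp;',
    'v=1; a=rsa-sha256; d=example.com; d=example.net',
);

for my $s (@samples) {
    my $tags = eval { parse_tag_list($s) };
    if ($tags) {
        print "ok   d=[$tags->{d}]\n";
    } else {
        print "FAIL $@";
    }
}
```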

dkimsign.pl: default algorithm and documentation

In Debian, we have the following bug report about scripts/dkimsign.pl (shipped as dkimproxy-sign):
https://bugs.debian.org/961472
which, in two parts, suggests changing the default algorithm from rsa-sha1 to rsa-sha256, referring to RFC 8301, and also notes that the POD in the script only documents part of the actual options.

Thanks for considering,
gregor, Debian Perl Group

opendkim and Mail::DKIM disagree

Hi,

I (and a lot of other people) am using Mail::DKIM as part of SpamAssassin to verify the DKIM signatures on mails. SpamAssassin logs that the signatures on my mails were faulty, but opendkim says they're okay (but opendkim-testmsg fails to parse the DKIM headers, so I'm even further down the rabbit hole).

Is there some way to make this packet tell me why it regards the signature as valid?
