dkim: Implement internal dkim signing and verification

This patch implements internal DKIM signing and verification.
2026-01-05 17:37:03 +00:00 · 2024-02-10 23:55:05 +00:00
parent f13fdf0ac8
commit 76a72367ae
90 changed files with 4902 additions and 112 deletions
--- a/etc/chasquid/hooks/post-data
+++ b/etc/chasquid/hooks/post-data
@@ -7,7 +7,6 @@
 #  - spamc (from Spamassassin) to filter spam.
 #  - rspamc (from rspamd) or chasquid-rspamd to filter spam.
 #  - clamdscan (from ClamAV) to filter virus.
-#  - dkimsign (from driusan/dkim or dkimpy) to do DKIM signing.
 #
 # If it exits with code 20, it will be considered a permanent error.
 # Otherwise, temporary.
@@ -78,46 +77,3 @@ if command -v clamdscan >/dev/null; then
        fi
        echo "X-Virus-Scanned: pass"
 fi
-
-# DKIM sign with either driusan/dkim or dkimpy.
-#
-# Do it only if all the following are true:
-#  - User has authenticated.
-#  - dkimsign binary exists.
-#  - domains/$DOMAIN/dkim_selector file exists.
-#  - certs/$DOMAIN/dkim_privkey.pem file exists.
-#
-# Note this has not been thoroughly tested, so might need further adjustments.
-if [ "$AUTH_AS" != "" ] && command -v dkimsign >/dev/null; then
-	DOMAIN=$( echo "$MAIL_FROM" | cut -d '@' -f 2 )
-
-	if [ -f "domains/$DOMAIN/dkim_selector" ] \
-		&& [ -f "certs/$DOMAIN/dkim_privkey.pem" ];
-	then
-		# driusan/dkim and dkimpy both provide the same binary (dkimsign) but
-		# take different arguments, so we need to tell them apart.
-		# This is awful but it should work reasonably well.
-		if dkimsign --help 2>&1 | grep -q -- --identity; then
-			# dkimpy
-			dkimsign \
-				"$(cat "domains/$DOMAIN/dkim_selector")" \
-				"$DOMAIN" \
-				"certs/$DOMAIN/dkim_privkey.pem" \
-				< "$TF" > "$TF.dkimout"
-			# dkimpy doesn't provide a way to just show the new
-			# headers, so we have to compute the difference.
-			# ALSOCHANGE(test/t-19-dkimpy/config/hooks/post-data)
-			diff --changed-group-format='%>' \
-				--unchanged-group-format='' \
-				"$TF" "$TF.dkimout" && exit 1
-			rm "$TF.dkimout"
-		else
-			# driusan/dkim
-			dkimsign -n -hd \
-				-key "certs/$DOMAIN/dkim_privkey.pem" \
-				-s "$(cat "domains/$DOMAIN/dkim_selector")" \
-				-d "$DOMAIN" \
-				< "$TF"
-		fi
-	fi
-fi