dkim: Implement internal dkim signing and verification

This patch implements internal DKIM signing and verification.
2026-01-25 20:25:55 +00:00 · 2024-02-10 23:55:05 +00:00
parent f13fdf0ac8
commit 76a72367ae
90 changed files with 4902 additions and 112 deletions
--- a/test/t-04-aliases/chasquid-util.sh
+++ b/test/t-04-aliases/chasquid-util.sh
@@ -3,4 +3,4 @@

 # Run from the config directory because data_dir is relative.
 cd config || exit 1
-go run ../../../cmd/chasquid-util/chasquid-util.go -C=. "$@"
+go run ../../../cmd/chasquid-util/ -C=. "$@"
--- a/test/t-19-dkimpy/config/hooks/post-data
+++ b/test/t-19-dkimpy/config/hooks/post-data
@@ -30,7 +30,6 @@ if [ "$AUTH_AS" != "" ]; then
 		< "$TF" > "$TF.dkimout"
 	# dkimpy doesn't provide a way to just show the new headers, so we
 	# have to compute the difference.
-	# ALSOCHANGE(etc/chasquid/hooks/post-data)
 	diff --changed-group-format='%>' \
 		--unchanged-group-format='' \
 		"$TF" "$TF.dkimout" && exit 1
--- a/test/t-20-bad_configs/c-11-bad_dkim_key/.expected-error
+++ b/test/t-20-bad_configs/c-11-bad_dkim_key/.expected-error
@@ -0,0 +1 @@
+DKIM loading error: error decoding PEM block
--- a/test/t-20-bad_configs/c-11-bad_dkim_key/chasquid.conf
+++ b/test/t-20-bad_configs/c-11-bad_dkim_key/chasquid.conf
@@ -0,0 +1,9 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data"
+mail_log_path: "../.logs/mail_log"
--- a/test/t-20-bad_configs/c-11-bad_dkim_key/domains/testserver/dkim:selector.pem
+++ b/test/t-20-bad_configs/c-11-bad_dkim_key/domains/testserver/dkim:selector.pem
@@ -0,0 +1 @@
+Bad key
--- a/test/t-20-bad_configs/run.sh
+++ b/test/t-20-bad_configs/run.sh
@@ -18,7 +18,8 @@ mkdir -p c-04-no_cert_dirs/certs/

 # Generate certs for the tests that need them.
 for i in c-05-no_addrs c-06-bad_maillog c-07-bad_domain_info \
-	c-08-bad_sts_cache c-09-bad_queue_dir c-10-empty_listening_addr ;
+	c-08-bad_sts_cache c-09-bad_queue_dir c-10-empty_listening_addr \
+	c-11-bad_dkim_key;
 do
 	CONFDIR=$i/ generate_certs_for testserver
 done
--- a/test/t-21-dkim/.gitignore
+++ b/test/t-21-dkim/.gitignore
@@ -0,0 +1,2 @@
+# Ignore the configuration domain directories.
+?/domains
--- a/test/t-21-dkim/A/chasquid.conf
+++ b/test/t-21-dkim/A/chasquid.conf
@@ -0,0 +1,9 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"
--- a/test/t-21-dkim/A/s1._domainkey.srv-a.pem
+++ b/test/t-21-dkim/A/s1._domainkey.srv-a.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEID6bjSoiW6g6NJA67RNl0SZ7zpylVOq9w/VGAXF5whnS
+-----END PRIVATE KEY-----
--- a/test/t-21-dkim/B/chasquid.conf
+++ b/test/t-21-dkim/B/chasquid.conf
@@ -0,0 +1,9 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"
--- a/test/t-21-dkim/from_A_to_B
+++ b/test/t-21-dkim/from_A_to_B
@@ -0,0 +1,11 @@
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-a; s=s1; t=1709494311;
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=0MIF2K4/fGA4bxV9yOwV0PQSZ3Glv67jLvQ8NwgjcKQ=;
+	b=JkROrF9he5gqMhWcU47h6koleiwkz0IWcRV467KuzsMdTeWPMUVB+JDu+6HElBofdzNsz5
+	  Ptug637opt4UaAAg==;
+From: user-a@srv-a
+To: user-b@srv-b
+Subject: Hola amigo pingüino!
+
+Que tal va la vida?
--- a/test/t-21-dkim/from_A_to_B.expected
+++ b/test/t-21-dkim/from_A_to_B.expected
@@ -0,0 +1,14 @@
+Authentication-Results: srv-b
+	;spf=none (no DNS record found)
+	;dkim=pass  header.b=JkROrF9he5gq  header.d=srv-a
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-a; s=s1; t=1709494311;
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=0MIF2K4/fGA4bxV9yOwV0PQSZ3Glv67jLvQ8NwgjcKQ=;
+	b=JkROrF9he5gqMhWcU47h6koleiwkz0IWcRV467KuzsMdTeWPMUVB+JDu+6HElBofdzNsz5
+	  Ptug637opt4UaAAg==;
+From: user-a@srv-a
+To: user-b@srv-b
+Subject: Hola amigo pingüino!
+
+Que tal va la vida?
--- a/test/t-21-dkim/from_B_to_A
+++ b/test/t-21-dkim/from_B_to_A
@@ -0,0 +1,5 @@
+From: user-b@srv-b
+To: user-a@srv-a
+Subject: Feliz primavera!
+
+Espero que florezcas feliz!
--- a/test/t-21-dkim/from_B_to_A.expected
+++ b/test/t-21-dkim/from_B_to_A.expected
@@ -0,0 +1,15 @@
+From user-a@srv-a
+Authentication-Results: srv-a
+	;spf=none (no DNS record found)
+	;dkim=pass  header.b=*
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-b; s=sel77; *
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=*
+	b=*
+	  *
+From: user-b@srv-b
+To: user-a@srv-a
+Subject: Feliz primavera!
+
+Espero que florezcas feliz!
--- a/test/t-21-dkim/run.sh
+++ b/test/t-21-dkim/run.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -e
+. "$(dirname "$0")/../util/lib.sh"
+
+init
+check_hostaliases
+
+rm -rf .data-A .data-B .mail
+
+skip_if_python_is_too_old
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# srv-A has a pre-generated key, and the mail has a pre-generated header.
+# Generate a key for srv-B, and append it to our statically configured zones.
+# Use a fixed selector so we can be more thorough in from_B_to_A.expected.
+rm -f B/domains/srv-b/*.pem
+mkdir -p B/domains/srv-b/
+CONFDIR=B chasquid-util dkim-keygen srv-b sel77 --algo=ed25519 > /dev/null
+
+cp zones .zones
+CONFDIR=B chasquid-util dkim-dns srv-b | sed 's/"//g' >> .zones
+
+# Launch minidns in the background using our configuration.
+minidns_bg --addr=":9053" -zones=.zones >> .minidns.log 2>&1
+
+# Two servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2015, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user user-a@srv-a nadaA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user user-b@srv-b nadaB
+
+mkdir -p .logs-A .logs-B
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+wait_until_ready 9053
+
+# Send from A to B.
+smtpc.py --server=localhost:1025 --user=user-a@srv-a --password=nadaA \
+	< from_A_to_B
+
+wait_for_file .mail/user-b@srv-b
+mail_diff from_A_to_B.expected .mail/user-b@srv-b
+
+# Send from B to A.
+smtpc.py --server=localhost:2025 --user=user-b@srv-b --password=nadaB \
+	< from_B_to_A
+
+wait_for_file .mail/user-a@srv-a
+mail_diff from_B_to_A.expected .mail/user-a@srv-a
+
+
+success
--- a/test/t-21-dkim/zones
+++ b/test/t-21-dkim/zones
@@ -0,0 +1,6 @@
+srv-a  A     127.0.0.1
+srv-a  AAAA  ::1
+srv-b  A     127.0.0.1
+srv-b  AAAA  ::1
+
+s1._domainkey.srv-a  TXT  v=DKIM1; k=ed25519; p=SvoPT692bVrQBT8UNxt6SF538O3snA4fE3/i/glCxwQ=
--- a/test/util/chamuyero
+++ b/test/util/chamuyero
@@ -43,7 +43,7 @@ class Process (object):
        return self.cmd.wait()

    def close(self):
-        return self.cmd.terminate()
+        return self.cmd.stdin.close()

 class Sock (object):
    """A (generic) socket.
--- a/test/util/lib.sh
+++ b/test/util/lib.sh
@@ -48,7 +48,7 @@ function chasquid-util() {
 	# data_dir is relative to the config.
 	CONFDIR="${CONFDIR:-config}"
 	( cd "$CONFDIR" && \
-	  go run "${TBASE}/../../cmd/chasquid-util/chasquid-util.go" \
+	  go run "${TBASE}/../../cmd/chasquid-util/" \
 		-C=. \
 		"$@" \
 	)
				`@@ -0,0 +1 @@`
				`DKIM loading error: error decoding PEM block`