dkim: Implement internal dkim signing and verification

This patch implements internal DKIM signing and verification.
2026-01-07 17:47:14 +00:00 · 2024-02-10 23:55:05 +00:00
parent f13fdf0ac8
commit 76a72367ae
90 changed files with 4902 additions and 112 deletions
--- a/test/t-21-dkim/.gitignore
+++ b/test/t-21-dkim/.gitignore
@@ -0,0 +1,2 @@
+# Ignore the configuration domain directories.
+?/domains
--- a/test/t-21-dkim/A/chasquid.conf
+++ b/test/t-21-dkim/A/chasquid.conf
@@ -0,0 +1,9 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"
--- a/test/t-21-dkim/A/s1._domainkey.srv-a.pem
+++ b/test/t-21-dkim/A/s1._domainkey.srv-a.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEID6bjSoiW6g6NJA67RNl0SZ7zpylVOq9w/VGAXF5whnS
+-----END PRIVATE KEY-----
--- a/test/t-21-dkim/B/chasquid.conf
+++ b/test/t-21-dkim/B/chasquid.conf
@@ -0,0 +1,9 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"
--- a/test/t-21-dkim/from_A_to_B
+++ b/test/t-21-dkim/from_A_to_B
@@ -0,0 +1,11 @@
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-a; s=s1; t=1709494311;
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=0MIF2K4/fGA4bxV9yOwV0PQSZ3Glv67jLvQ8NwgjcKQ=;
+	b=JkROrF9he5gqMhWcU47h6koleiwkz0IWcRV467KuzsMdTeWPMUVB+JDu+6HElBofdzNsz5
+	  Ptug637opt4UaAAg==;
+From: user-a@srv-a
+To: user-b@srv-b
+Subject: Hola amigo pingüino!
+
+Que tal va la vida?
--- a/test/t-21-dkim/from_A_to_B.expected
+++ b/test/t-21-dkim/from_A_to_B.expected
@@ -0,0 +1,14 @@
+Authentication-Results: srv-b
+	;spf=none (no DNS record found)
+	;dkim=pass  header.b=JkROrF9he5gq  header.d=srv-a
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-a; s=s1; t=1709494311;
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=0MIF2K4/fGA4bxV9yOwV0PQSZ3Glv67jLvQ8NwgjcKQ=;
+	b=JkROrF9he5gqMhWcU47h6koleiwkz0IWcRV467KuzsMdTeWPMUVB+JDu+6HElBofdzNsz5
+	  Ptug637opt4UaAAg==;
+From: user-a@srv-a
+To: user-b@srv-b
+Subject: Hola amigo pingüino!
+
+Que tal va la vida?
--- a/test/t-21-dkim/from_B_to_A
+++ b/test/t-21-dkim/from_B_to_A
@@ -0,0 +1,5 @@
+From: user-b@srv-b
+To: user-a@srv-a
+Subject: Feliz primavera!
+
+Espero que florezcas feliz!
--- a/test/t-21-dkim/from_B_to_A.expected
+++ b/test/t-21-dkim/from_B_to_A.expected
@@ -0,0 +1,15 @@
+From user-a@srv-a
+Authentication-Results: srv-a
+	;spf=none (no DNS record found)
+	;dkim=pass  header.b=*
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+	d=srv-b; s=sel77; *
+	h=from:subject:to:from:subject:date:to:cc:message-id;
+	bh=*
+	b=*
+	  *
+From: user-b@srv-b
+To: user-a@srv-a
+Subject: Feliz primavera!
+
+Espero que florezcas feliz!
--- a/test/t-21-dkim/run.sh
+++ b/test/t-21-dkim/run.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -e
+. "$(dirname "$0")/../util/lib.sh"
+
+init
+check_hostaliases
+
+rm -rf .data-A .data-B .mail
+
+skip_if_python_is_too_old
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# srv-A has a pre-generated key, and the mail has a pre-generated header.
+# Generate a key for srv-B, and append it to our statically configured zones.
+# Use a fixed selector so we can be more thorough in from_B_to_A.expected.
+rm -f B/domains/srv-b/*.pem
+mkdir -p B/domains/srv-b/
+CONFDIR=B chasquid-util dkim-keygen srv-b sel77 --algo=ed25519 > /dev/null
+
+cp zones .zones
+CONFDIR=B chasquid-util dkim-dns srv-b | sed 's/"//g' >> .zones
+
+# Launch minidns in the background using our configuration.
+minidns_bg --addr=":9053" -zones=.zones >> .minidns.log 2>&1
+
+# Two servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2015, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user user-a@srv-a nadaA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user user-b@srv-b nadaB
+
+mkdir -p .logs-A .logs-B
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+wait_until_ready 9053
+
+# Send from A to B.
+smtpc.py --server=localhost:1025 --user=user-a@srv-a --password=nadaA \
+	< from_A_to_B
+
+wait_for_file .mail/user-b@srv-b
+mail_diff from_A_to_B.expected .mail/user-b@srv-b
+
+# Send from B to A.
+smtpc.py --server=localhost:2025 --user=user-b@srv-b --password=nadaB \
+	< from_B_to_A
+
+wait_for_file .mail/user-a@srv-a
+mail_diff from_B_to_A.expected .mail/user-a@srv-a
+
+
+success
--- a/test/t-21-dkim/zones
+++ b/test/t-21-dkim/zones
@@ -0,0 +1,6 @@
+srv-a  A     127.0.0.1
+srv-a  AAAA  ::1
+srv-b  A     127.0.0.1
+srv-b  AAAA  ::1
+
+s1._domainkey.srv-a  TXT  v=DKIM1; k=ed25519; p=SvoPT692bVrQBT8UNxt6SF538O3snA4fE3/i/glCxwQ=