mirror of
https://blitiri.com.ar/repos/chasquid
synced 2025-12-17 14:37:02 +00:00
270a071c1e
This patch adds support in the default hook for using dkimpy for DKIM signing. Unfortunately, dkimpy binaries have the same name as driusan/dkim's, so we need to use --help to disambiguate. It's not pretty but it should work, and is quite self contained. Also, for the integration tests, we still need driusan/dkim because dkimpy lacks the features needed. Specifically, dkimpy's dkimverify can't be made to use custom DNS, or override the TXT values in any way, so we can't verify that the generated signature is reasonable. Thanks to ne9z@github for suggesting this change and providing an alternative patch in https://github.com/albertito/chasquid/pull/19.
65 lines
2.1 KiB
Bash
Executable File
65 lines
2.1 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Test integration with dkimpy.
|
|
|
|
set -e
|
|
. $(dirname ${0})/../util/lib.sh
|
|
|
|
init
|
|
check_hostaliases
|
|
|
|
# Check if dkimpy tools are installed in /usr/bin, and driusan/dkim is
|
|
# installed somewhere else in $PATH.
|
|
#
|
|
# Unfortunately we need both because dkimpy's dkimverify lacks the features
|
|
# needed to use it in integration testing.
|
|
#
|
|
# We need to run them and check the help because there are other binaries with
|
|
# the same name.
|
|
# This is really hacky but the most practical way to handle it, since they
|
|
# both have the same binary names.
|
|
if ! /usr/bin/dkimsign --help 2>&1 | grep -q -- --identity; then
|
|
skip "/usr/bin/dkimsign is not dkimpy's"
|
|
fi
|
|
if ! dkimverify --help 2>&1 < /dev/null | grep -q -- "-txt string"; then
|
|
skip "dkimverify is not driusan/dkim's"
|
|
fi
|
|
|
|
generate_certs_for testserver
|
|
( mkdir -p .dkimcerts; cd .dkimcerts; dknewkey private > log 2>&1 )
|
|
|
|
add_user user@testserver secretpassword
|
|
add_user someone@testserver secretpassword
|
|
|
|
mkdir -p .logs
|
|
chasquid -v=2 --logfile=.logs/chasquid.log --config_dir=config &
|
|
wait_until_ready 1025
|
|
|
|
# Authenticated: user@testserver -> someone@testserver
|
|
# Should be signed.
|
|
run_msmtp someone@testserver < content
|
|
wait_for_file .mail/someone@testserver
|
|
mail_diff content .mail/someone@testserver
|
|
grep -q "DKIM-Signature:" .mail/someone@testserver
|
|
|
|
# Verify the signature manually, just in case.
|
|
# NOTE: This is using driusan/dkim instead of dkimpy, because dkimpy can't be
|
|
# overriden to get the DNS information from anywhere else (text file or custom
|
|
# DNS server).
|
|
dkimverify -txt .dkimcerts/private.dns < .mail/someone@testserver
|
|
|
|
# Save the signed mail so we can verify it later.
|
|
# Drop the first line ("From blah") so it can be used as email contents.
|
|
tail -n +2 .mail/someone@testserver > .signed_content
|
|
|
|
# Not authenticated: someone@testserver -> someone@testserver
|
|
smtpc.py --server=localhost:1025 < .signed_content
|
|
|
|
# Check that the signature fails on modified content.
|
|
echo "Added content, invalid and not signed" >> .signed_content
|
|
if smtpc.py --server=localhost:1025 < .signed_content 2> /dev/null; then
|
|
fail "DKIM verification succeeded on modified content"
|
|
fi
|
|
|
|
success
|