Bug 485303 - No messages are filtered
No messages are filtered
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dkim-milter (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: Jim Radford
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-12 14:06 EST by Marek Greško
Modified: 2009-02-19 21:31 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-19 21:31:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marek Greško 2009-02-12 14:06:44 EST
Description of problem:
Messages without signature are correctly detected as invalid but it is not reported to milter.

Version-Release number of selected component (if applicable):
2.5.1

How reproducible:
Always.

Steps to Reproduce:
1. Setup dkim-milter to block messages without valid signatures.
2. Setup sendmail to use dkim-milter.
3. Send mail through telnet from the outside.
  
Actual results:
Mail is detected as mail with invalid signature, but it is delivered like correct mail.

Expected results:
Mail is blocked.

Additional info:
I tried to create rpm of 2.8.1 version. In that version messages are blocked. Except the situation when no headers identifying sender are filled. In that situation there is: no sender header found
; accepting. I think this should not happen also.
Comment 1 Jim Radford 2009-02-12 14:31:24 EST
Three questions:

1) How did you set the blocking of messages without valid signatures?

    ADSPDiscard true?

   If so, then according to dkim-filter.conf(5) for 2.7.2 they will only be discarded if the domain's ADSP record says they should be.  What was the domain?  What does its ADSP say?

2) If it doesn't say to discard, do you have a local override
 
     LocalADSP /etc/mail/dkim-milter/local-adsp

   with a line that says for example

     example.com:discardable

3) You say that 2.8.1 blocks messages, does 2.7.2 (the version in Fedora 10) also?  It might be easier to push 2.7.2 than the lastest 2.8.1.
Comment 2 Marek Greško 2009-02-12 14:53:23 EST
Ad 1) I am currently not familiar with adsp. Now I tried ADSPDiscard yes - no luck.

My ADSP record looks like this:
_adsp._domainkey        IN      TXT     "dkim=CLOSED"

I did not know it has something to do with that.

Ad 2) I tried also dkim=discardable in DNS. No luck.

Ad 3) There is no 2.7.2 in the fc10 repository. There is also 2.5.1.
Comment 3 Jim Radford 2009-02-12 15:17:05 EST
You can try 2.8.1 built for fc10 here.

  http://koji.fedoraproject.org/koji/packageinfo?packageID=5993

Let me know if that works for you.  You can find 2.7.2 there as well (I had forgotten to push as an update).
Comment 4 Marek Greško 2009-02-12 16:57:19 EST
I tried 2.7.2 and 2.8.1. They have the same behaviour.

When TXT record is dkim=all, forged mail is delivered.

When TXT record is dkim=discardable, forged mail with From: filled in is rejected but mail without header (only envelope) is delivered. The previous behavior when message was silently dropped I cannot repeat now. Probably when I disable ADSP in dkim-milter.conf.
Comment 5 Jim Radford 2009-02-12 18:34:19 EST
So does it ignore a forged envelope sender when the headers are empty?  If so, that seems like a bug that should be filed upstream (and referenced here).

Does the behavior of 2.7.2/2.8.1 differ from 2.5.1 when ADSP is enabled?  If so, I'll push the update.
Comment 6 Marek Greško 2009-02-13 04:51:36 EST
It seems the 2.5.1 has no support for ADSP at all.

It is a question whether it is bug of dkim-milter that it lets forged envelope senders to pass or should there be a mechanism to fulfill these data from envelope by sendmail if they are empty.
Comment 7 Jim Radford 2009-02-17 15:13:59 EST
Ok, then it looks like the envelope sender / no other headers bug should be filed upstream.  Please add a comment to this bug if you do so.

I'll push the update to 2.8.1 as an enhancement and we'll see if it makes it in.  The current 2.5.1 version quite out of date, so support for ADSP is enough of a reason for me.
Comment 8 Jim Radford 2009-02-19 21:31:11 EST
Version 2.8.1 is now available (in fc10), so I'm going to close this bug.

If you file the envelope sender / no header filtering bug upstream then please re-open this bug so we can track it.

Note You need to log in before you can comment on or make changes to this bug.