[exim-dev] [Bug 1649] rework SRS to avoid using dead librari…

Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 1649] New: rework SRS to avoid using dead libraries
Subject: [exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
https://bugs.exim.org/show_bug.cgi?id=1649

--- Comment #8 from Mike Brudenell <mike.brudenell@???> ---
Hi, unnamed person(!) -

I can't see a "Mark" in the chain of comments so I'm guessing you mean me
(Mike)...

To avoid using the base32 and base32d you basically just need to omit them, and
tweak pattern matches to check against the character set of the replacement
method you use. For example instead of using base32 I use decimal, as Jeremy
suggested in his original comment, so use a match pattern for "[0-9]+" instead.

I've extracted the relevant bits of my configuration file and include them
below, to be used with the code I posted in the comment dated 2016-08-02
16:12:53 BST. I hope I've not introduced any syntactic or logic errors whilst
doing so — my routers and transports are a bit more complicated as they also
handle DKIM signing and might cause severe melting of the brain! 8-0

========================

To make the router and transport slightly clearer and configurable I define
some macros in the main part of the configuration file (and which use slightly
different values to the previous examples posted):

#  The SRS Secret that's been generated for signing SRS-rewritten addresses
SRS_SECRET      = ...


# The number of characters to extract from the computed hash and include within
# the SRS-rewritten address.
SRS_HASH_LENGTH = 6

# The modulus at which the age (in days) wraps around. 0xfff = 4095 days = ~11
# years
SRS_AGE_MODULUS = 0xfff

# The maximum age (in days) of a valid SRS-rewritten address. Messages arriving
# for addresses older than this will be rejected.
SRS_MAX_AGE     = 31


========================

For the inbound_srs router the replacement "condition" line (simplified, to
remove some of the redundant true/false's) would be:

  condition = ${if match {$local_part} {^(?i)SRS0=([^=]+)=([0-9]+)=([^=]*)=(.*)\$} \
                   {${if and { \
                                 {<= {${eval:$tod_epoch/86400 - $2 & SRS_AGE_MODULUS}} {SRS_MAX_AGE} } \
                                 {eq {$1} {${length {SRS_HASH_LENGTH} {${hmac {md5} {SRS_SECRET} {${lc:$4@$3}}}}}}} \
                             } \
                         }} \
                   {false}}


========================

For the remote_forwarded_smtp transport the "return_path" line becomes:

  return_path = SRS0\
                =${length {SRS_HASH_LENGTH} {${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}}\
                =${eval:$tod_epoch / 86400 & SRS_AGE_MODULUS}\
                =${domain:$return_path}\
                =${local_part:$return_path}\
                @$original_domain


========================

Cheers,
Mike B-)

--
You are receiving this mail because:
You are on the CC list for the bug.
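The scheme the two fragments above implement, as an added Python example (neither Mike's code nor part of Exim): it builds the SRS0 return path the transport produces and applies the router's age and HMAC checks, with the same regex, modulus and limits. The secret and addresses are constructed placeholders.

```python
import hmac
import re
import time

# Values mirroring the macros in the Exim configuration above; the secret is a
# constructed placeholder, not a real one.
SRS_SECRET = b"example-secret-do-not-use"
SRS_HASH_LENGTH = 6
SRS_AGE_MODULUS = 0xFFF
SRS_MAX_AGE = 31

# Same pattern as the router's ${if match ...}: tag, decimal age, domain, local part.
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([0-9]+)=([^=]*)=(.*)$", re.IGNORECASE)


def srs_hash(local_part, domain):
    """First SRS_HASH_LENGTH hex chars of HMAC-MD5 over the lowercased address,
    matching ${length{SRS_HASH_LENGTH}{${hmac{md5}{SRS_SECRET}{${lc:...}}}}}."""
    msg = f"{local_part}@{domain}".lower().encode()
    return hmac.new(SRS_SECRET, msg, "md5").hexdigest()[:SRS_HASH_LENGTH]


def days_since_epoch(now=None):
    """$tod_epoch / 86400; 'now' may be injected for deterministic testing."""
    return int(time.time() if now is None else now) // 86400


def rewrite(return_path, forwarding_domain, now=None):
    """Build the return path the remote_forwarded_smtp transport emits."""
    local_part, domain = return_path.rsplit("@", 1)
    age = days_since_epoch(now) & SRS_AGE_MODULUS
    return f"SRS0={srs_hash(local_part, domain)}={age}={domain}={local_part}@{forwarding_domain}"


def verify(local_part, now=None):
    """Apply the inbound_srs router's condition to a local part.
    Returns the original address to bounce to, or None when the check fails."""
    m = SRS0_RE.match(local_part)
    if not m:
        return None
    tag, age, domain, orig_local = m.groups()
    # (today - age) & modulus: too old, or a timestamp from the future, wraps to a large value.
    elapsed = (days_since_epoch(now) - int(age)) & SRS_AGE_MODULUS
    if elapsed > SRS_MAX_AGE:
        return None
    expected = srs_hash(orig_local, domain)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return f"{orig_local}@{domain}"
```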