Gitweb:
https://git.exim.org/exim.git/commitdiff/fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19
Commit: fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19
Parent: 7ab90dd415eac327c57c5ba755b2005a8c0b946f
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Feb 5 23:19:00 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Feb 11 00:17:22 2019 +0000
DKIM: ensure that dkim_domain elements are lowercased before use. Bug 2371
(cherry picked from commit f3c73adaa541ae54092467a29668ac32894ef1dc)
---
doc/doc-docbook/spec.xfpt | 16 ++++++++++++++--
doc/doc-txt/ChangeLog | 2 ++
src/src/dkim.c | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 08a0a97..415c727 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39534,7 +39534,7 @@ senders).
.cindex "DKIM" "signing"
For signing to be usable you must have published a DKIM record in DNS.
-Note that RFC 8301 says:
+Note that RFC 8301 (which does not cover EC keys) says:
.code
rsa-sha1 MUST NOT be used for signing or verifying.
@@ -39554,7 +39554,11 @@ These options take (expandable) strings as arguments.
.option dkim_domain smtp string list&!! unset
The domain(s) you want to sign with.
After expansion, this can be a list.
-Each element in turn is put into the &%$dkim_domain%& expansion variable
+Each element in turn,
+.new
+lowercased,
+.wen
+is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
@@ -39755,6 +39759,14 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+.new
+Note that if the option is set using untrustworthy data
+(such as the From: header)
+care should be taken to force lowercase for domains
+and for the domain part if identities.
+The default setting can be regarded as trustworthy in this respect.
+.wen
+
If multiple signatures match a domain (or identity), the ACL is called once
for each matching signature.
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bc739ae..9313c7b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,8 @@ JH/03 Debug output for ACL now gives the config file name and line number for
JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
+JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
+
Exim version 4.92
-----------------
diff --git a/src/src/dkim.c b/src/src/dkim.c
index a0becd4..96d7eba 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -620,6 +620,7 @@ if (dkim_domain)
/* Only sign once for each domain, no matter how often it
appears in the expanded list. */
+ dkim_signing_domain = string_copylc(dkim_signing_domain);
if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
continue;