-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add CheckSigningTable config option #228
base: develop
Are you sure you want to change the base?
add CheckSigningTable config option #228
Conversation
When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded. This helps with large databases. This commit only adds support for USE_ODBX.
when comparing if (conf->conf_checksigningtable == TRUE) and CheckSigningTable no in the config, no acts as TRUE. Therefore, it is better to use != FALSE.
Simple test results:
If selector is NULL (should be prevented by sql not null option):
If key is NULL
in neither case did opendkim crash. Furthermore, you can solve a lot of these issues with db table constraints. |
this is continued from #226 |
also should there be a command line option for it ? example, |
As advised by futatuki, specify SigningTable instead of the "database" in the description.
I'll take a look later, if it can avoid crash even if the key entry is corrupted. (But it is another issue) |
Currently 'C' is not in use, however it might be the time we shoud consider to use word options, although |
can we consider the long options issue as a separate issue? |
ya, sorry, I think it is a separate issue. It is not good that multiple issue in a PR. |
This feature may useful even if ODBX feature is not used, so I think it is not need to restrict it on USE_ODBX is true. No other things to say, it looks good to me, for the commits till 906a8b4. You can freely determine the command line option letter for this feature, if you implement it (perhaps no one complains about it). However if I implement a command line option for checking SiginigTable consistency and exit, I'll select 'C' for it if it is still not in use :) |
Allow the use of -C to disable CheckSigningTable (or set to no).
Allow disabling of CheckSigningTable for other databases such as LDAP. This option disables the walking of SigningTable to look for missing keys in KeyTable when the config gets loaded.
lhy is the develop branch so far ahead of master branch ? |
As requested by futatuki, I will use -g for CheckSigningTable and reserve -C for future option to check the database tables.
oops i just realized what you said. |
As you added a new command line option, it should be described in opendkim(8) :)
I think this project is not working any more. So I made my own branch, maintain it, and I use here as a collection center of issues and proposals of the changes. |
Thank you @futatuki . I would like to commit these changes to your mirror as well. |
It would be great if you could add a description about new "-g" option to opendkim/opendkim.8.in? I'd like to see your commit for it, not mine :) |
see commit 3fc8cb7 for -g in opendkim(8) man page. |
opendkim/opendkim.8.in
Outdated
.I \-g | ||
Set CheckSigningTable to no. This means that when the config is loaded, | ||
The SigningTable will not be checked for any missing keys in | ||
the KeyTable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- A typo " the SiningTable"
- The mention to
CheckSigingTable
option is not so important for understanding what this commandline option does. So it is good to move it after the last sentence of the paragraph, with reference information to opendkim.conf(5).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see a typo, but in your comment, not the code.
Anyway I re-wrote it based on your suggestion.
See commit 3dabd5f
Thank you! Although I 'm not good at writing English, I've reviewed it. |
thank you so much for all your help futatuki! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since we made it global, row doesnt always apply, example LDAP server.
Looks good. Thank you! |
…ningTable Add CheckSigningTable config option When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded. Also implement a command line option -g for skipping SigningTable verification. trusteddomainproject#228
Allow overriding CheckSigningTable config option by command line options
opendkim/opendkim.8.in
Outdated
@@ -262,6 +263,14 @@ The value may include two different canonicalizations separated by a | |||
slash ("/") character, in which case the first will be applied to the | |||
headers and the second to the body. | |||
.TP | |||
.I \-G |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keep alphabetic order in the descriptions of command line options :) This should be below of -g
option now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New place of -G
is still above of -g
. It seems the order is lowercase first. (Other changs looks good to me, thank you!)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
opendkim/opendkim.conf.5.in
Outdated
@@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if | |||
.I UserID | |||
is not also set. | |||
|
|||
.TP | |||
.I CheckSigningTable (Boolean) | |||
If set to yes, it walks the SigningTable on boot when it loads the config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I commented other place, loading config (and the opportunity of the check) may occure other than on boot, by receiving SIGHUP signal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
…-a-n/CheckSigningTable Add command line option to override CheckSigningTable setting on config file. trusteddomainproject#228
…-a-n/CheckSigningTable reorder parameter list for brevity
When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded.
This helps with large databases. This commit only adds support for USE_ODBX.