Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add CheckSigningTable config option #228

Open
wants to merge 18 commits into
base: develop
Choose a base branch
from

Conversation

r-a-z-v-a-n
Copy link

When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded.
This helps with large databases. This commit only adds support for USE_ODBX.

When CheckSigningTable is set to no, the keys in KeyTable are no
longer verified when config is loaded. This helps with large
databases. This commit only adds support for USE_ODBX.
when comparing if (conf->conf_checksigningtable == TRUE)
and CheckSigningTable no in the config, no acts as TRUE.
Therefore, it is better to use != FALSE.
@r-a-z-v-a-n
Copy link
Author

Simple test results:
If the private key is bad:

Sep 08 19:32:56 bookworm01 opendkim[759]: OpenDKIM Filter v2.11.0 starting
Sep 08 19:59:13 bookworm01 opendkim[759]: 349634048D: SSL error:0680008E:asn1 encoding routines::not enough data
Sep 08 19:59:13 bookworm01 opendkim[759]: 349634048D: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

451 4.7.1 Service unavailable - try again later

If selector is NULL (should be prevented by sql not null option):

451 4.7.1 Service unavailable - try again later
Sep 08 20:06:12 bookworm01 postfix/cleanup[1546]: BCE424048F: milter-reject: END-OF-MESSAGE from localhost[::1]: 4.7.1 Service unavailable - try again later; from=<xxxx@linux>

Sep 08 20:06:12 bookworm01 opendkim[759]: KeyTable entry for '1' corrupt
Sep 08 20:06:12 bookworm01 opendkim[759]: BCE424048F: error loading key '1'

If key is NULL

Sep 08 20:09:16 bookworm01 opendkim[759]: KeyTable entry for '1' corrupt
Sep 08 20:09:16 bookworm01 opendkim[759]: 527A24048D: error loading key '1'

Sep 08 20:09:16 bookworm01 postfix/cleanup[1573]: 527A24048D: milter-reject: END-OF-MESSAGE from localhost[::1]: 4.7.1 Service unavailable - try again later; from=<xxx@linux>

in neither case did opendkim crash. Furthermore, you can solve a lot of these issues with db table constraints.

@r-a-z-v-a-n
Copy link
Author

this is continued from #226

@r-a-z-v-a-n
Copy link
Author

r-a-z-v-a-n commented Sep 15, 2024

also should there be a command line option for it ? example,
opendkim/opendkim.c:15594: /* process command line options */
if yes, which letter may I use ?

As advised by futatuki, specify SigningTable instead of the
"database" in the description.
@futatuki
Copy link

in neither case did opendkim crash. Furthermore, you can solve a lot of these issues with db table constraints.

I'll take a look later, if it can avoid crash even if the key entry is corrupted. (But it is another issue)

@futatuki
Copy link

futatuki commented Sep 15, 2024

also should there be a command line option for it ? example, opendkim/opendkim.c:15594: /* process command line options */ if yes, which letter may I use ?

Currently 'C' is not in use, however it might be the time we shoud consider to use word options, although getopt_long() is not in POSIX...

@r-a-z-v-a-n
Copy link
Author

can we consider the long options issue as a separate issue?
one commit at a time so we dont get overloaded.

@futatuki
Copy link

can we consider the long options issue as a separate issue? one commit at a time so we dont get overloaded.

ya, sorry, I think it is a separate issue. It is not good that multiple issue in a PR.

@futatuki
Copy link

This feature may useful even if ODBX feature is not used, so I think it is not need to restrict it on USE_ODBX is true. No other things to say, it looks good to me, for the commits till 906a8b4.

You can freely determine the command line option letter for this feature, if you implement it (perhaps no one complains about it). However if I implement a command line option for checking SiginigTable consistency and exit, I'll select 'C' for it if it is still not in use :)

Allow the use of -C to disable CheckSigningTable (or set to no).
Allow disabling of CheckSigningTable for other databases such as
LDAP. This option disables the walking of SigningTable to look
for missing keys in KeyTable when the config gets loaded.
@r-a-z-v-a-n
Copy link
Author

see commit 898f6ec for args option -C
see commit 35f13b1 to allow for disabling CheckSigningTable for all databases.

@r-a-z-v-a-n
Copy link
Author

lhy is the develop branch so far ahead of master branch ?
There are 127 pending commits, last one 2 years ago.
The master branch has not been updated in 6 years.
When is the next planned release ?

As requested by futatuki, I will use -g for CheckSigningTable
and reserve -C for future option to check the database tables.
@r-a-z-v-a-n
Copy link
Author

You can freely determine the command line option letter for this feature, if you implement it (perhaps no one complains about it). However if I implement a command line option for checking SiginigTable consistency and exit, I'll select 'C' for it if it is still not in use :)

oops i just realized what you said.
I changed the option to -g in commit ee40b42

@futatuki
Copy link

futatuki commented Sep 16, 2024

As you added a new command line option, it should be described in opendkim(8) :)

lhy is the develop branch so far ahead of master branch ?
There are 127 pending commits, last one 2 years ago.
The master branch has not been updated in 6 years.
When is the next planned release ?

I think this project is not working any more. So I made my own branch, maintain it, and I use here as a collection center of issues and proposals of the changes.

@r-a-z-v-a-n
Copy link
Author

r-a-z-v-a-n commented Sep 16, 2024

Thank you @futatuki . I would like to commit these changes to your mirror as well.
I see your stable branch is 212 commits ahead : )

@futatuki
Copy link

It would be great if you could add a description about new "-g" option to opendkim/opendkim.8.in? I'd like to see your commit for it, not mine :)

@r-a-z-v-a-n
Copy link
Author

see commit 3fc8cb7 for -g in opendkim(8) man page.

.I \-g
Set CheckSigningTable to no. This means that when the config is loaded,
The SigningTable will not be checked for any missing keys in
the KeyTable.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • A typo " the SiningTable"
  • The mention to CheckSigingTable option is not so important for understanding what this commandline option does. So it is good to move it after the last sentence of the paragraph, with reference information to opendkim.conf(5).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see a typo, but in your comment, not the code.
Anyway I re-wrote it based on your suggestion.
See commit 3dabd5f

@futatuki
Copy link

see commit 3fc8cb7 for -g in opendkim(8) man page.

Thank you!

Although I 'm not good at writing English, I've reviewed it.

@r-a-z-v-a-n
Copy link
Author

thank you so much for all your help futatuki!

Copy link
Author

@r-a-z-v-a-n r-a-z-v-a-n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since we made it global, row doesnt always apply, example LDAP server.

@futatuki
Copy link

Looks good. Thank you!

futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Sep 19, 2024
…ningTable

Add CheckSigningTable config option

When CheckSigningTable is set to no, the keys in KeyTable are no
longer verified when config is loaded. Also implement a command
line option -g for skipping SigningTable verification.

trusteddomainproject#228
Allow overriding CheckSigningTable config option by command line options
@@ -262,6 +263,14 @@ The value may include two different canonicalizations separated by a
slash ("/") character, in which case the first will be applied to the
headers and the second to the body.
.TP
.I \-G

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep alphabetic order in the descriptions of command line options :) This should be below of -g option now.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New place of -G is still above of -g. It seems the order is lowercase first. (Other changs looks good to me, thank you!)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if
.I UserID
is not also set.

.TP
.I CheckSigningTable (Boolean)
If set to yes, it walks the SigningTable on boot when it loads the config

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I commented other place, loading config (and the opportunity of the check) may occure other than on boot, by receiving SIGHUP signal.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Oct 11, 2024
…-a-n/CheckSigningTable

Add command line option to override CheckSigningTable setting on
config file.

trusteddomainproject#228
futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Oct 11, 2024
futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Dec 22, 2024
…-a-n/CheckSigningTable

reorder parameter list for brevity
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants