From 552aba766183808ffb6b3da939449808d6f0ea44 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 14:57:40 -0400 Subject: [PATCH 01/17] add CheckSigningTable config option When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded. This helps with large databases. This commit only adds support for USE_ODBX. --- opendkim/opendkim-config.h | 3 +++ opendkim/opendkim.c | 16 ++++++++++++++++ opendkim/opendkim.conf.5.in | 5 +++++ opendkim/opendkim.conf.sample | 9 +++++++++ 4 files changed, 33 insertions(+) diff --git a/opendkim/opendkim-config.h b/opendkim/opendkim-config.h index 5caa8b36..6501ddd2 100644 --- a/opendkim/opendkim-config.h +++ b/opendkim/opendkim-config.h @@ -44,6 +44,9 @@ struct configdef dkimf_config[] = { "Canonicalization", CONFIG_TYPE_STRING, FALSE }, { "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE }, { "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE }, +#ifdef USE_ODBX + { "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE }, +#endif /* USE_ODBX*/ { "ClockDrift", CONFIG_TYPE_INTEGER, FALSE }, #ifdef _FFR_CONDITIONAL { "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE }, diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index 803f37b0..5fbc0662 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -254,6 +254,9 @@ struct dkimf_config #ifdef USE_LDAP _Bool conf_ldap_usetls; /* LDAP TLS */ #endif /* USE_LDAP */ +#ifdef USE_ODBX + _Bool conf_checksigningtable; /* skip checking keys on startup */ +#endif /* USE_ODBX */ #ifdef _FFR_VBR _Bool conf_vbr_purge; /* purge X-VBR-* fields */ _Bool conf_vbr_trustedonly; /* trusted certifiers only */ @@ -5882,6 +5885,9 @@ dkimf_config_new(void) new->conf_atpshash = dkimf_atpshash[0].str; #endif /* _FFR_ATPS */ new->conf_selectcanonhdr = SELECTCANONHDR; +#ifdef USE_ODBX + new->conf_checksigningtable = TRUE; +#endif /* USE_ODBX */ memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling); 
@@ -6199,6 +6205,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, sizeof conf->conf_softstart); #endif /* (USE_LDAP || USE_ODBX) */ +#ifdef USE_ODBX + (void) config_get(data, "CheckSigningTable", + &conf->conf_checksigningtable, + sizeof conf->conf_checksigningtable); +#endif /* USE_ODBX */ + (void) config_get(data, "DNSConnect", &conf->conf_dnsconnect, sizeof conf->conf_dnsconnect); @@ -8323,7 +8335,11 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, ** missing KeyTable entries. */ +#ifdef USE_ODBX + if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable == TRUE) +#else /* USE_ODBX */ if (conf->conf_signtabledb != NULL) +#endif /* USE_ODBX */ { _Bool first = TRUE; _Bool found; diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in index 21da18f5..6277bd3f 100644 --- a/opendkim/opendkim.conf.5.in +++ b/opendkim/opendkim.conf.5.in @@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if .I UserID is not also set. +.TP +.I CheckSigningTable (Boolean) +If set to yes, it walks the database on boot when it loads the config +file to check for missing keys in KeyTable. The default is yes. + .TP .I ClockDrift (integer) Sets the tolerance in seconds to be applied when determining whether a diff --git a/opendkim/opendkim.conf.sample b/opendkim/opendkim.conf.sample index fa3559a3..2609aa28 100644 --- a/opendkim/opendkim.conf.sample +++ b/opendkim/opendkim.conf.sample @@ -129,6 +129,15 @@ # Canonicalization simple/simple +## CheckSigningTable { yes | no } +## default "yes" +## +## If set, the database tables will be checked for missing keys in +## keytable when loading config. This can take a longer time with +## larger databases. Requires opendbx. + +# CheckSigningTable yes + ## ClockDrift n ## default 300 ## From cd0a7f42b01bd5cdcf5d22ca60775340571f243a Mon Sep 17 00:00:00 2001 
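Review bot: In the `@@ -8323,7 +8335,11 @@` hunk of opendkim.c, the SigningTable/KeyTable consistency walk is skipped without leaving any trace, so an operator reading the logs cannot tell that a dangling KeyTable reference is no longer caught at load time. With the option off, a SigningTable row naming a missing key would presumably surface only when a matching message is processed; how that message is then handled is outside the hunk and should be confirmed and stated in the CheckSigningTable man page entry. I would record the bypass once per load, for example `syslog(LOG_NOTICE, "CheckSigningTable disabled: SigningTable not validated against KeyTable");`, placed wherever the file's logging conventions allow. The same gate recurs in PATCH 02 and PATCH 05, and the `if` body it guards continues past the end of the hunk.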
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 15:58:03 -0400 Subject: [PATCH 02/17] conf_checksigningtable changed ==TRUE with !=FALSE when comparing if (conf->conf_checksigningtable == TRUE) and CheckSigningTable no in the config, no acts as TRUE. Therefore, it is better to use != FALSE. --- opendkim/opendkim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index 5fbc0662..11ad0096 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -8336,7 +8336,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, */ #ifdef USE_ODBX - if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable == TRUE) + if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE) #else /* USE_ODBX */ if (conf->conf_signtabledb != NULL) #endif /* USE_ODBX */ From 906a8b48453b1e1367e56c84ac3d5e008080c823 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 16:27:15 -0400 Subject: [PATCH 03/17] CheckSigningTable improve documentation As advised by futatuki, specify SigningTable instead of the "database" in the description. --- opendkim/opendkim.conf.5.in | 2 +- opendkim/opendkim.conf.sample | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in index 6277bd3f..246e618c 100644 --- a/opendkim/opendkim.conf.5.in +++ b/opendkim/opendkim.conf.5.in @@ -181,7 +181,7 @@ is not also set. .TP .I CheckSigningTable (Boolean) -If set to yes, it walks the database on boot when it loads the config +If set to yes, it walks the SigningTable on boot when it loads the config file to check for missing keys in KeyTable. The default is yes. .TP diff --git a/opendkim/opendkim.conf.sample b/opendkim/opendkim.conf.sample index 2609aa28..5283528f 100644 --- a/opendkim/opendkim.conf.sample +++ b/opendkim/opendkim.conf.sample 
@@ -132,8 +132,8 @@ ## CheckSigningTable { yes | no } ## default "yes" ## -## If set, the database tables will be checked for missing keys in -## keytable when loading config. This can take a longer time with +## If set, the SigningTable will be checked for missing keys in +## KeyTable when loading the config. This can take a longer time with ## larger databases. Requires opendbx. # CheckSigningTable yes From 898f6ec9410b1dd5cd4f192d86cce3a8891c21dc Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 18:56:15 -0400 Subject: [PATCH 04/17] CheckSigningTable option as -C argument Allow the use of -C to disable CheckSigningTable (or set to no). --- opendkim/opendkim.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index 11ad0096..d7f822eb 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -137,7 +137,7 @@ #endif /* _FFR_REPUTATION */ /* macros */ -#define CMDLINEOPTS "Ab:c:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" +#define CMDLINEOPTS "Ab:Cc:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" #ifndef MIN # define MIN(x,y) ((x) < (y) ? (x) : (y)) @@ -15480,6 +15480,7 @@ usage(void) "\t-A \tauto-restart\n" "\t-b modes \tselect operating modes\n" "\t-c canon \tcanonicalization to use when signing\n" + "\t-C \tdo not walk SigningTable when loading config\n" "\t-d domlist \tdomains to sign\n" "\t-D \talso sign subdomains\n" "\t-e name \textract configuration value and exit\n" @@ -15612,6 +15613,10 @@ main(int argc, char **argv) curconf->conf_canonstr = optarg; break; + case 'C': + curconf->conf_checksigningtable = FALSE; + break; + case 'd': if (optarg == NULL || *optarg == '\0') return usage(); From 35f13b11770214e462ead7cb0551f6afa659b04e Mon Sep 17 00:00:00 2001 
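Review bot: The new `case 'C':` in main() (hunk `@@ -15612,6 +15613,10 @@`) assigns `curconf->conf_checksigningtable` unconditionally, but at this point in the series PATCH 01 declares that member only inside `#ifdef USE_ODBX`, so a build without USE_ODBX would fail at this commit. PATCH 05 removes the guards, which repairs the final tree but leaves this commit unbuildable for bisection in that configuration. Either wrap the case body in `#ifdef USE_ODBX` / `#endif /* USE_ODBX */` here, or reorder the series so the guard removal comes first. The CMDLINEOPTS and usage() hunks of the same patch advertise the flag unconditionally as well, and main()'s body continues outside the hunk.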
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 18:59:42 -0400 Subject: [PATCH 05/17] CheckSigningTable make option always available Allow disabling of CheckSigningTable for other databases such as LDAP. This option disables the walking of SigningTable to look for missing keys in KeyTable when the config gets loaded. --- opendkim/opendkim-config.h | 2 -- opendkim/opendkim.c | 12 +----------- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/opendkim/opendkim-config.h b/opendkim/opendkim-config.h index 6501ddd2..7a83690a 100644 --- a/opendkim/opendkim-config.h +++ b/opendkim/opendkim-config.h @@ -44,9 +44,7 @@ struct configdef dkimf_config[] = { "Canonicalization", CONFIG_TYPE_STRING, FALSE }, { "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE }, { "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE }, -#ifdef USE_ODBX { "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE }, -#endif /* USE_ODBX*/ { "ClockDrift", CONFIG_TYPE_INTEGER, FALSE }, #ifdef _FFR_CONDITIONAL { "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE }, diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index d7f822eb..f23291e2 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -248,15 +248,13 @@ struct dkimf_config _Bool conf_noheaderb; /* suppress "header.b" */ _Bool conf_singleauthres; /* single Auth-Results */ _Bool conf_safekeys; /* check key permissions */ + _Bool conf_checksigningtable; /* skip checking keys on startup */ #ifdef _FFR_RESIGN _Bool conf_resignall; /* resign unverified mail */ #endif /* _FFR_RESIGN */ #ifdef USE_LDAP _Bool conf_ldap_usetls; /* LDAP TLS */ #endif /* USE_LDAP */ -#ifdef USE_ODBX - _Bool conf_checksigningtable; /* skip checking keys on startup */ -#endif /* USE_ODBX */ #ifdef _FFR_VBR _Bool conf_vbr_purge; /* purge X-VBR-* fields */ _Bool conf_vbr_trustedonly; /* trusted certifiers only */ 
@@ -5885,9 +5883,7 @@ dkimf_config_new(void) new->conf_atpshash = dkimf_atpshash[0].str; #endif /* _FFR_ATPS */ new->conf_selectcanonhdr = SELECTCANONHDR; -#ifdef USE_ODBX new->conf_checksigningtable = TRUE; -#endif /* USE_ODBX */ memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling); @@ -6205,11 +6201,9 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, sizeof conf->conf_softstart); #endif /* (USE_LDAP || USE_ODBX) */ -#ifdef USE_ODBX (void) config_get(data, "CheckSigningTable", &conf->conf_checksigningtable, sizeof conf->conf_checksigningtable); -#endif /* USE_ODBX */ (void) config_get(data, "DNSConnect", &conf->conf_dnsconnect, @@ -8335,11 +8329,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, ** missing KeyTable entries. */ -#ifdef USE_ODBX if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE) -#else /* USE_ODBX */ - if (conf->conf_signtabledb != NULL) -#endif /* USE_ODBX */ { _Bool first = TRUE; _Bool found; From ee40b42743857df4d23a2c602488d3deeb24ffb6 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 15 Sep 2024 20:29:12 -0400 Subject: [PATCH 06/17] CheckSigningTable use arg -g instead of -C As requested by futatuki, I will use -g for CheckSigningTable and reserve -C for future option to check the database tables. --- opendkim/opendkim.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index f23291e2..ef380572 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -137,7 +137,7 @@ #endif /* _FFR_REPUTATION */ /* macros */ -#define CMDLINEOPTS "Ab:Cc:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" +#define CMDLINEOPTS "Ab:c:d:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" #ifndef MIN # define MIN(x,y) ((x) < (y) ? (x) : (y)) 
@@ -15470,12 +15470,12 @@ usage(void) "\t-A \tauto-restart\n" "\t-b modes \tselect operating modes\n" "\t-c canon \tcanonicalization to use when signing\n" - "\t-C \tdo not walk SigningTable when loading config\n" "\t-d domlist \tdomains to sign\n" "\t-D \talso sign subdomains\n" "\t-e name \textract configuration value and exit\n" "\t-f \tdon't fork-and-exit\n" "\t-F time \tfixed timestamp to use when signing (test mode only)\n" + "\t-g \tdo not walk SigningTable when loading config\n" "\t-k keyfile \tlocation of secret key file\n" "\t-l \tlog activity to system log\n" "\t-L limit \tsignature limit requirements\n" @@ -15603,10 +15603,6 @@ main(int argc, char **argv) curconf->conf_canonstr = optarg; break; - case 'C': - curconf->conf_checksigningtable = FALSE; - break; - case 'd': if (optarg == NULL || *optarg == '\0') return usage(); @@ -15655,6 +15651,11 @@ main(int argc, char **argv) } break; + case 'g': + curconf->conf_checksigningtable = FALSE; + break; + + case 'k': if (optarg == NULL || *optarg == '\0') return usage(); From 3fc8cb7232e7bacc79b5031d72664c9d7c1c6f56 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Mon, 16 Sep 2024 15:07:43 -0400 Subject: [PATCH 07/17] CheckSigningTable add -g arg to opendkim(8) man page --- opendkim/opendkim.8.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index e2b6cea7..55f5a319 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in @@ -282,6 +282,11 @@ Normally forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP +.I \-g +Set CheckSigningTable to no. This means that when the config is loaded, +The SigningTable will not be checked for any missing keys in +the KeyTable. +.TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless also used in conjunction with 
From 3dabd5fc7f5151ad0eed067661aeb6c33b38d8ca Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Wed, 18 Sep 2024 22:04:49 -0400 Subject: [PATCH 08/17] CheckSigningTable improve man page --- opendkim/opendkim.8.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index 55f5a319..3c1f4e4f 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in @@ -283,9 +283,9 @@ forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP .I \-g -Set CheckSigningTable to no. This means that when the config is loaded, -The SigningTable will not be checked for any missing keys in -the KeyTable. +Skip checking each row in the SigningTable for any missing keys in the +KeyTable. This is the same as setting CheckSigningTable=no in +opendkim.conf(5). .TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless From c7d845bd7bf482107947f0c3799535d94172440c Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Wed, 18 Sep 2024 22:12:14 -0400 Subject: [PATCH 09/17] SigningTable improve man page --- opendkim/opendkim.8.in | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index 3c1f4e4f..91f627fd 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in 
@@ -283,9 +283,8 @@ forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP .I \-g -Skip checking each row in the SigningTable for any missing keys in the -KeyTable. This is the same as setting CheckSigningTable=no in -opendkim.conf(5). +Skip checking the SigningTable for any missing keys in the KeyTable. This +is the same as setting CheckSigningTable=no in opendkim.conf(5). .TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless From 6bea2fa8a6a4c9be7739d35842bf02224fd6901e Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Sun, 22 Sep 2024 23:42:24 -0400 Subject: [PATCH 10/17] remove extra line --- opendkim/opendkim.c | 1 - 1 file changed, 1 deletion(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index ef380572..be6e0227 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -15655,7 +15655,6 @@ main(int argc, char **argv) curconf->conf_checksigningtable = FALSE; break; - case 'k': if (optarg == NULL || *optarg == '\0') return usage(); From 9f996425be713ea6ca929327a639b20cac4518de Mon Sep 17 00:00:00 2001 From: FUTATSUKI Yasuhito Date: Sun, 6 Oct 2024 19:58:37 +0900 Subject: [PATCH 11/17] opendkim: The -g option overrides CheckSigningTable setting on config file. --- opendkim/opendkim.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index be6e0227..f4ae0157 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c 
@@ -248,7 +248,7 @@ struct dkimf_config _Bool conf_noheaderb; /* suppress "header.b" */ _Bool conf_singleauthres; /* single Auth-Results */ _Bool conf_safekeys; /* check key permissions */ - _Bool conf_checksigningtable; /* skip checking keys on startup */ + _Bool conf_checksigningtable; /* skip checking keys on dkimf_config_load */ #ifdef _FFR_RESIGN _Bool conf_resignall; /* resign unverified mail */ #endif /* _FFR_RESIGN */ @@ -750,6 +750,8 @@ _Bool reload; /* reload requested */ _Bool no_i_whine; /* noted ${i} is undefined */ _Bool testmode; /* test mode */ _Bool allowdeprecated; /* allow deprecated config values */ +_Bool init_checksigningtable; /* initializing value for CheckSigningTable */ +_Bool use_cf_checksigningtable; /* use CheckSigningTable on config file? */ #ifdef QUERY_CACHE _Bool querycache; /* local query cache */ #endif /* QUERY_CACHE */ @@ -5883,7 +5885,7 @@ dkimf_config_new(void) new->conf_atpshash = dkimf_atpshash[0].str; #endif /* _FFR_ATPS */ new->conf_selectcanonhdr = SELECTCANONHDR; - new->conf_checksigningtable = TRUE; + new->conf_checksigningtable = init_checksigningtable; memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling); @@ -6201,10 +6203,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf, sizeof conf->conf_softstart); #endif /* (USE_LDAP || USE_ODBX) */ - (void) config_get(data, "CheckSigningTable", - &conf->conf_checksigningtable, - sizeof conf->conf_checksigningtable); - + if (use_cf_checksigningtable) + { + (void) config_get(data, "CheckSigningTable", + &conf->conf_checksigningtable, + sizeof conf->conf_checksigningtable); + } (void) config_get(data, "DNSConnect", &conf->conf_dnsconnect, sizeof conf->conf_dnsconnect); @@ -15564,6 +15568,8 @@ main(int argc, char **argv) #endif /* POPAUTH */ no_i_whine = TRUE; conffile = NULL; + init_checksigningtable = TRUE; + use_cf_checksigningtable = TRUE; memset(myhostname, '\0', sizeof myhostname); (void) gethostname(myhostname, sizeof myhostname); 
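Review bot: The two file-scope flags added in the `@@ -750,6 +750,8 @@` hunk have no initializer, so their zero default means "ignore the config file and skip the check"; the validating state exists only after main() assigns TRUE in the `@@ -15564,6 +15568,8 @@` hunk. dkimf_config_new() now copies `init_checksigningtable` into every new config, so any call that ran before that assignment would silently produce a config with the check disabled; whether such a call order exists is not visible here. Giving the definitions the safe value directly removes the ordering dependency: `_Bool init_checksigningtable = TRUE;` and `_Bool use_cf_checksigningtable = TRUE;`. Separately, the struct member comment changed in the first hunk still reads "skip checking keys" although TRUE makes the check run; `/* walk SigningTable on dkimf_config_load */` would match the code.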
@@ -15652,6 +15658,8 @@ main(int argc, char **argv) break; case 'g': + use_cf_checksigningtable = FALSE; + init_checksigningtable = FALSE; curconf->conf_checksigningtable = FALSE; break; From 78367709dbf586e335b869966da8ed0f77bdb44e Mon Sep 17 00:00:00 2001 From: FUTATSUKI Yasuhito Date: Sun, 6 Oct 2024 20:02:29 +0900 Subject: [PATCH 12/17] opendkim: Imprement -C option, just opposit of the -g option. --- opendkim/opendkim.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index f4ae0157..44664fa7 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -137,7 +137,7 @@ #endif /* _FFR_REPUTATION */ /* macros */ -#define CMDLINEOPTS "Ab:c:d:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" +#define CMDLINEOPTS "Ab:c:Cd:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" #ifndef MIN # define MIN(x,y) ((x) < (y) ? (x) : (y)) @@ -15474,6 +15474,7 @@ usage(void) "\t-A \tauto-restart\n" "\t-b modes \tselect operating modes\n" "\t-c canon \tcanonicalization to use when signing\n" + "\t-C \tdo walk SigningTable when loading config\n" "\t-d domlist \tdomains to sign\n" "\t-D \talso sign subdomains\n" "\t-e name \textract configuration value and exit\n" @@ -15609,6 +15610,12 @@ main(int argc, char **argv) curconf->conf_canonstr = optarg; break; + case 'C': + use_cf_checksigningtable = FALSE; + init_checksigningtable = TRUE; + curconf->conf_checksigningtable = TRUE; + break; + case 'd': if (optarg == NULL || *optarg == '\0') return usage(); From 5dcb091ba06ae6bf6e99a06ef346b0a11f090437 Mon Sep 17 00:00:00 2001 From: FUTATSUKI Yasuhito Date: Sun, 6 Oct 2024 20:03:41 +0900 Subject: [PATCH 13/17] opendkim/opendkim.8.in: Update descriptions for -C and -g options. --- opendkim/opendkim.8.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index 91f627fd..0bd9cac4 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in 
@@ -7,6 +7,7 @@ [\-A] [\-b modes] [\-c canon] +[\-C|\-g] [\-d domain[,...]] [\-D] [\-e name] @@ -262,6 +263,14 @@ The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the headers and the second to the body. .TP +.I \-C +Do check of the SigningTable for any missing keys in the KeyTable on +loading config file. This overrides config option CheckSigningTable in +.I opendkim.conf(5). +In conjunction with +.I \-n +option described below, you can perform the check only. +.TP .I \-d dataset A set of domains whose mail should be signed by this filter. Mail from other domains will be verified rather than being signed. @@ -283,8 +292,9 @@ forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP .I \-g -Skip checking the SigningTable for any missing keys in the KeyTable. This -is the same as setting CheckSigningTable=no in opendkim.conf(5). +Skip check of the SigningTable for any missing keys in the KeyTable. +This overrides the config option CheckSigningTable in +-I opendkim.conf(5). .TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless From 745ebee7dfd5ebbcedb6bce805df932c2c9380d5 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Thu, 10 Oct 2024 22:40:27 -0400 Subject: [PATCH 14/17] change -C to -G to match the opposite of -g --- opendkim/opendkim.8.in | 8 ++++---- opendkim/opendkim.c | 22 +++++++++++----------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index 0bd9cac4..0020a153 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in @@ -7,7 +7,7 @@ [\-A] [\-b modes] [\-c canon] -[\-C|\-g] +[\-G|\-g] [\-d domain[,...]] [\-D] [\-e name] 
@@ -263,8 +263,8 @@ The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the headers and the second to the body. .TP -.I \-C -Do check of the SigningTable for any missing keys in the KeyTable on +.I \-G +Walk the SigningTable for any missing keys in the KeyTable on loading config file. This overrides config option CheckSigningTable in .I opendkim.conf(5). In conjunction with @@ -292,7 +292,7 @@ forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP .I \-g -Skip check of the SigningTable for any missing keys in the KeyTable. +Skip walking the SigningTable for any missing keys in the KeyTable. This overrides the config option CheckSigningTable in -I opendkim.conf(5). .TP diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index 44664fa7..0d3d75fd 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c @@ -137,7 +137,7 @@ #endif /* _FFR_REPUTATION */ /* macros */ -#define CMDLINEOPTS "Ab:c:Cd:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" +#define CMDLINEOPTS "Ab:c:d:De:fF:Ggk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?" #ifndef MIN # define MIN(x,y) ((x) < (y) ? (x) : (y)) @@ -248,7 +248,7 @@ struct dkimf_config _Bool conf_noheaderb; /* suppress "header.b" */ _Bool conf_singleauthres; /* single Auth-Results */ _Bool conf_safekeys; /* check key permissions */ - _Bool conf_checksigningtable; /* skip checking keys on dkimf_config_load */ + _Bool conf_checksigningtable; /* check keys on dkimf_config_load */ #ifdef _FFR_RESIGN _Bool conf_resignall; /* resign unverified mail */ #endif /* _FFR_RESIGN */ 
@@ -750,8 +750,8 @@ _Bool reload; /* reload requested */ _Bool no_i_whine; /* noted ${i} is undefined */ _Bool testmode; /* test mode */ _Bool allowdeprecated; /* allow deprecated config values */ -_Bool init_checksigningtable; /* initializing value for CheckSigningTable */ -_Bool use_cf_checksigningtable; /* use CheckSigningTable on config file? */ +_Bool init_checksigningtable; /* initializing value for CheckSigningTable */ +_Bool use_cf_checksigningtable; /* use CheckSigningTable on config file? */ #ifdef QUERY_CACHE _Bool querycache; /* local query cache */ #endif /* QUERY_CACHE */ @@ -15474,7 +15474,7 @@ usage(void) "\t-A \tauto-restart\n" "\t-b modes \tselect operating modes\n" "\t-c canon \tcanonicalization to use when signing\n" - "\t-C \tdo walk SigningTable when loading config\n" + "\t-G \tforce walk SigningTable when loading config\n" "\t-d domlist \tdomains to sign\n" "\t-D \talso sign subdomains\n" "\t-e name \textract configuration value and exit\n" @@ -15610,12 +15610,6 @@ main(int argc, char **argv) curconf->conf_canonstr = optarg; break; - case 'C': - use_cf_checksigningtable = FALSE; - init_checksigningtable = TRUE; - curconf->conf_checksigningtable = TRUE; - break; - case 'd': if (optarg == NULL || *optarg == '\0') return usage(); @@ -15670,6 +15664,12 @@ main(int argc, char **argv) curconf->conf_checksigningtable = FALSE; break; + case 'G': + use_cf_checksigningtable = FALSE; + init_checksigningtable = TRUE; + curconf->conf_checksigningtable = TRUE; + break; + case 'k': if (optarg == NULL || *optarg == '\0') return usage(); From ac1d2c6503109460a9c5ab9b07efc7942b82ac2e Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Fri, 11 Oct 2024 00:18:30 -0400 Subject: [PATCH 15/17] improve documentation and fix typo --- opendkim/opendkim.8.in | 18 +++++++++--------- opendkim/opendkim.conf.5.in | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index 0020a153..b62620c2 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in @@ -263,14 +263,6 @@ The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the headers and the second to the body. .TP -.I \-G -Walk the SigningTable for any missing keys in the KeyTable on -loading config file. This overrides config option CheckSigningTable in -.I opendkim.conf(5). -In conjunction with -.I \-n -option described below, you can perform the check only. -.TP .I \-d dataset A set of domains whose mail should be signed by this filter. Mail from other domains will be verified rather than being signed. @@ -291,10 +283,18 @@ Normally forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP +.I \-G +Walk the SigningTable for any missing keys in the KeyTable on +loading config file. This overrides config option CheckSigningTable in +.I opendkim.conf(5). +In conjunction with +.I \-n +option described below, you can perform the check only. +.TP .I \-g Skip walking the SigningTable for any missing keys in the KeyTable. This overrides the config option CheckSigningTable in --I opendkim.conf(5). +.I opendkim.conf(5). .TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in index 246e618c..3cd5a76c 100644 --- a/opendkim/opendkim.conf.5.in +++ b/opendkim/opendkim.conf.5.in @@ -181,8 +181,8 @@ is not also set. .TP .I CheckSigningTable (Boolean) -If set to yes, it walks the SigningTable on boot when it loads the config -file to check for missing keys in KeyTable. The default is yes. +If set to yes, it walks the SigningTable when loading the config file +to check for missing keys in KeyTable. The default is yes. .TP .I ClockDrift (integer) 
From dfa3dfef5d657a3452b6a5c56c282ec8060b8247 Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Fri, 11 Oct 2024 01:46:45 -0400 Subject: [PATCH 16/17] documentation place -G after -g --- opendkim/opendkim.8.in | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in index b62620c2..e52ee7f7 100644 --- a/opendkim/opendkim.8.in +++ b/opendkim/opendkim.8.in @@ -283,6 +283,11 @@ Normally forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. .TP +.I \-g +Skip walking the SigningTable for any missing keys in the KeyTable. +This overrides the config option CheckSigningTable in +.I opendkim.conf(5). +.TP .I \-G Walk the SigningTable for any missing keys in the KeyTable on loading config file. This overrides config option CheckSigningTable in @@ -291,11 +296,6 @@ In conjunction with .I \-n option described below, you can perform the check only. .TP -.I \-g -Skip walking the SigningTable for any missing keys in the KeyTable. -This overrides the config option CheckSigningTable in -.I opendkim.conf(5). -.TP .I \-F time Specifies a fixed time to use when generating signatures. Ignored unless also used in conjunction with From 5236d478501de7826386efa703e019566d31475c Mon Sep 17 00:00:00 2001 From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com> Date: Wed, 16 Oct 2024 01:18:05 -0400 Subject: [PATCH 17/17] reorder parameter list for brevity --- opendkim/opendkim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c index 0d3d75fd..4358d096 100644 --- a/opendkim/opendkim.c +++ b/opendkim/opendkim.c 
@@ -15474,13 +15474,13 @@ usage(void) "\t-A \tauto-restart\n" "\t-b modes \tselect operating modes\n" "\t-c canon \tcanonicalization to use when signing\n" - "\t-G \tforce walk SigningTable when loading config\n" "\t-d domlist \tdomains to sign\n" "\t-D \talso sign subdomains\n" "\t-e name \textract configuration value and exit\n" "\t-f \tdon't fork-and-exit\n" "\t-F time \tfixed timestamp to use when signing (test mode only)\n" "\t-g \tdo not walk SigningTable when loading config\n" + "\t-G \tforce walk SigningTable when loading config\n" "\t-k keyfile \tlocation of secret key file\n" "\t-l \tlog activity to system log\n" "\t-L limit \tsignature limit requirements\n"