DKIM-MILTER RELEASE NOTES
$Id: RELEASE_NOTES,v 1.375 2007/12/20 17:59:01 msk Exp $

This listing shows the versions of the dkim-milter package, the date of release, and a summary of the changes in that release.

Bug and feature request (RFE) numbers that start with "SF" were logged via Sourceforge (http://www.sourceforge.net) trackers. Those not so labeled were logged internally at Sendmail, Inc.

2.4.1    2007/12/20
    Update for latest Authentication-Results: header draft.
    Avoid a NULL dereference in dkim_get_key(). Problem noted by Chris Behrens of Concentric Network Corporation.
    Fix bug #SF1842970: Make the overall header byte count check configurable, and increase the default. Also, add "On-Security" (configuration file) and "security" (command line) options for controlling the default reaction to such conditions. While we're at it, add an "On-Default" and "default" option for making a global action setting. Requested by Mark Martinec.
    Feature request #SF1841974: Numerous performance enhancements from Chris Behrens of Concentric Network Corporation.
    LIBAR: Fix bug #SF1852618: Handle default case of no "nameserver" lines in /etc/resolv.conf. Problem noted by Mike Markley of Bank of America.
    LIBDKIM: Fix bug #SF1824876: Add "dkim_pstate" and make dkim_policy() re-entrant. Requested by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bugs #SF1843733 and SF1843782: Tighten up header name matching in dkim_get_header() and dkim_get_sender(). Patches from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1843788: Fix an off-by-one length bug in dkim_header(). Patch from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1850973: Remove MAXHDRCNT; make the arrays it previously defined dynamic. Reported by Mike Markley of Bank of America.
2.4.0    2007/11/30
    Take advantage of some more features that were introduced with milter v2 in sendmail 8.14.0:
        o If all canonicalizations are satisfied in terms of length limits, advise the MTA to stop sending the message body to reduce unneeded I/O.
        o Turn off as many unnecessary SMTP protocol steps as possible.
        o Fail option negotiation if any of the milter features required are not available.
        o If specific MTA macros are to be used for making the sign vs. verify decision, explicitly request them.
    Prevent corruption in Authentication-Results: headers caused by signatures that have explicit "i=" values.
    Report "hardfail" instead of "fail" on authentication failures, in compliance with the Authentication-Results: draft.
    Amend the "-M" command line option and "MacroList" configuration option to allow a list of possible values for each macro.
    Add _FFR_SELECTOR_HEADER, adding the means to choose which selector (and thus which key) is used to sign based on the value found in a particular header. Requested by Steve Jones of Bank of America.
    Add dkimf_dstring*() (dynamic string) functions and clean up some code by making use of them.
    Skip all the userid and group changes when either "-u" or "UserID" is in use if the requested user is the same as the executing user.
    Fix use of "UseSSPDeny" to include handling of unsigned messages.
    Fix bug #SF1834701: Log a warning and temp-fail the message if a key list is in use that didn't match the sender for a message which should be signed. Problem noted by Jim Hermann.
    Patch #SF1796697: Add _FFR_REPLACE_RULES, adding the facility to do substring replacement before signing to anticipate things like the MTA "masquerade" and "genericstable" functions. Requires further development.
    Replace "gentxt.csh" with the more robust "dkim-genkey" utility.
    Feature request #SF1811962: Add new utilities "dkim-testkey", which verifies that a public key is readable and properly formatted and matches the locally-provided private key, and "dkim-testssp", which retrieves a domain's sender signing practises record and prints it in a human-readable form. Based on code contributed by Daniel Black.
    Feature request #SF1817253: Add "UMask" configuration file option. Suggested by Daniel Black.
    Feature request #SF1818863: Add a section to site.config.m4.dist to request a build of the shared object version of libdkim. Requested by Chris Behrens of Concentric Network Corporation.
    Feature request #SF1834748: Use a more meaningful SMTP reply when rejecting a message at the SMTP level due to SSP. Suggested by S. Moonesamy of Eland Systems.
    LIBDKIM: Return DKIM_STAT_NOKEY from dkim_get_key_dns() if the answer count comes back zero, rather than DKIM_STAT_CANTVRFY. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Plug a memory leak in dkim_get_key(). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Replace a dicey memcpy() call with memmove() (memcpy() is undefined when source and destination overlap). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add DKIM_CBSTAT_NOTFOUND and DKIM_CBSTAT_ERROR callback return codes, and the DKIM_STAT_CBERROR return code. Suggested by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add dkim_minbody() to determine how much more body text is required to satisfy canonicalizations.
    LIBDKIM: Add dkim_gethandlingstr() and dkim_getpolicystr() for translation of SSP handling and policy codes into printable strings.
    LIBDKIM: Add _FFR_PARSE_TIME, adding a utility function that can be used to detect that the timestamp on a signature and the value of the Date: header wildly differ. Incomplete.
    LIBDKIM: If a message comes in with no properly-formed sender headers, dkim_eoh() now renders the DKIM handle unusable by later data processing calls.
    LIBDKIM: Fix arithmetic in dkim_sig_expired().
    LIBDKIM: In dkim_eoh_verify(), check for a NULL user pointer return from rfc2822_mailbox_split() (was previously only checking for an error code or NULL domain). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1819489: Fix signature header name check in dkim_header(). Patch from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1819559: Fix key granularity processing.
    LIBDKIM: Fix bug #SF1819571: More robust processing of "s=" in keys.
    LIBDKIM: Fix bug #SF1819607: Allow "t=" and "x=" values up to 64 bits since RFC4871 requires at least 40.
    LIBDKIM: Fix bug #SF1820017: Don't accept signatures with no "v=" tag.
    LIBDKIM: Fix bug #SF1820060: The value of "q=" may be a colon-separated list of values to parse.
    LIBDKIM: Fix bug #SF1820080: The value of "i=" may be quoted-printable so do appropriate decoding.
    LIBDKIM: Fix bug #SF1820123: "simple" body canonicalization must contain at least CRLF.
    LIBDKIM: Fix bug #SF1820370: More graceful handling of grossly malformed signature headers. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bugs #SF1822287 and SF1822295: Update policy check code to use the draft-ietf-dkim-ssp-01 algorithm. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1822329: In dkim_get_policy(), check for and handle error returns from the subordinate lookup functions. Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1822331: Use consistent return codes in dkim_get_policy_dns(). Problem noted by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Fix bug #SF1832703: When looking for headers to canonicalize during verification, disregard spaces between the header name and the colon (":") character. Problem noted by James Sargent of AOL.
    LIBDKIM: Fix bug #SF1838826: Several fixes with respect to processing key and policy flags. Problems noted by Marc Martinec.
    LIBDKIM: Feature request #SF1821005: Add dkim_getdomain(), an accessor function for dkim_domain. Requested by Chris Behrens of Concentric Network Corporation.
    Activate _FFR_QUERY_CACHE (Feature request #SF1675359) and _FFR_SELECT_SIGN_HEADERS.

2.3.2    2007/10/19
    Fix bug #25896: Fix a bug in parsing of "RemoveARFrom".
    LIBDKIM: Fix a bug in the key reuse block of dkim_get_key() which assumed that a domain and selector match guaranteed a copied key and key tag list.
    LIBDKIM: Fix bug #SF1812687: Fix handling check in dkim_get_policy(). Patch from Daniel Black.

2.3.1    2007/10/12
    Fix header loss problem in test mode.
    Fix bug #SF1808886: Handle missing or empty test inputs more gracefully. Based on a patch from Kaspar Brand.
    Fix bug #SF1808881: Check various integer conversions for negative, overflow or inappropriate values. Suggested by Kaspar Brand.
    Feature request #SF1809239: Restore performance of test mode on large messages. Requested by Kaspar Brand.
    Patch #SF1811132: Include the header that declares malloc() in test.c. Patch from Daniel Black.
    BUILD: Patch #SF1810712: Correct default location for the Tre regular expression library. Suggested by Daniel Black.

2.3.0    2007/10/06
    Add "UseSSPDeny" configuration option which causes the filter to reject messages which are determined to be suspicious according to the new draft-ietf-dkim-ssp-01, and whose sending domains advertise a recommended handling of "deny", and whose SSP records are not in "test" mode.
    Add "MaximumSignedBytes" configuration option limiting the number of bytes of the message body to be signed.
    Add "-t" command line option for reading an RFC2822-formatted message from a named file and attempting to evaluate it, "-F" command line option for using a fixed signing time, and "-v" command line option for requesting verbose output. Finally, new configuration option "StrictTestMode" asserts that all lines of input must be CRLF-terminated. Based on patches from Kaspar Brand.
    Add "TestPublicKeys" setting for instructing libdkim to read public keys from a file, for use during automated testing. Based on a patch from Jeff Barry.
    When using _FFR_QUERY_CACHE, periodically report cache activity statistics.
    Don't arbitrarily suppress signing of already-signed messages.
    Fix bug #25728: When "AutoRestart" is in use, try to remove the socket (if it's a UNIX domain socket) prior to trying to start the child.
    LIBDKIM: Add dkim_getmode() function.
    LIBDKIM: Fixes to policy evaluation in dkim_policy(). Based on a patch from Jeff Barry.
    LIBDKIM: Patch #SF1796687: Add DKIM_LIBFLAGS_ACCEPTV05 which causes the library to accept signatures with version strings of "0.5", i.e. those based on later versions of the DKIM draft specification. This does not change any other part of signature validation or canonicalization, only the version string test. Suggested by Jim Fenton of Cisco.
    LIBDKIM: When closing canonicalizations, flush the temporary files rather than closing them so that things like dkim_reportinfo() return useful descriptors. Close the temporary files in dkim_canon_free() only. Problem noted by Jeff Barry.
    LIBDKIM: Fix variable argument processing by merging dkim_error() and dkim_verror(). The previous code was causing segmentation faults on selected operating systems.
    Activate the following FFRs:
        _FFR_KEY_REUSE
        _FFR_SET_REPLY

2.2.1    2007/09/07
    Insert VBR headers at the top rather than appending them to be sensitive to legacy DomainKeys operations. Patch from S. Moonesamy of Eland Systems.
    Discontinue use of MAXHOSTNAMELEN as the maximum size of a hostname since some vendors set it to 64 (maximum size of a DNS label) and some to 256 (maximum size of an FQDN). Instead, define and use DKIM_MAXHOSTNAMELEN (256). Problem noted by Jeff Barry.
    LIBDKIM: Rename and update the default_signhdrs and default_skiphdrs arrays to match what's in the RFC4871 section 5.5 SHOULD and SHOULD NOT lists.
    LIBDKIM: Apply DKIM_OPTS_SKIPHDRS only when signing.
    LIBDKIM: Add missing entries to prv_results, and add a dkim_getresultstr() function for translating DKIM_STAT result codes. Patch from Kaspar Brand.
    Fix bug #SF1785624: Resolve build problem introduced in previous version when NETINET6 is in use. Reported by Andrew Benham.
    Fix bug #SF1786033: Resolve build problem introduced in previous version affecting later versions of Solaris. Reported by Andy Fiddaman.
    Fix bug #SF1787473: Initialize the default "-i" list properly (given changes made in the previous version) so that mail from localhost still gets signed. Reported by Graham Murray.

2.2.0    2007/08/30
    Change format of the peerfile, internal and external host lists, etc. to allow exclusion entries. See the man page for additional details.
    Amend "-u" to include the ability to name a group into which the filter process should be placed.
    Feature request #SF1783155: Make keylist pattern matching case-insensitive.
    LIBDKIM: Handle CNAMEs properly when using the standard resolver. Problem noted by Jim Fenton of Cisco.
    LIBDKIM: Fix bug #SF1782076: Adjust signature header wrapping logic so that a "b=" against the margin gets wrapped consistently when signing and verifying. Reported by Kaspar Brand.

2.1.2    2007/08/22
    LIBDKIM: At the end of dkim_eoh_verify(), don't overwrite any existing descriptive error text before returning on verification errors. Problem noted by Andy Fiddaman.
    LIBDKIM: Remove redundant assertion of length limits in dkim_canon_bodychunk(). The code in dkim_canon_write() has it correct, so use that instead. Problem noted by Mark Martinec.
    LIBDKIM: Fix bug #SF1777332: Fix "relaxed" body canonicalization. Some code from the older implementation was still present, conflicting with the newer code. Reported by Andrey Chernov.

2.1.1    2007/08/13
    Fix bug #SF1743896 (reopened): Don't crash if a From: header with no domain is found. Patch from Andy Fiddaman.
    LIBDKIM: Fix type mismatches regarding restricted lengths. Problems noted by Jukka Salmi.
    LIBDKIM: Fix bug #SF1771520: Return an error from dkim_policy() if the sender's domain name could not be determined. Patch from Andy Fiddaman.

2.1.0    2007/08/10
    Update to new (draft version 06) Authentication-Results: header format.
    Do an SSP query for any message that didn't either succeed verification or cause some kind of internal error, not just those that failed to verify.
    Tighten up the logic used when checking header space allocation.
    LIBDKIM: Heavy cleanup of dkim_eoh() and dkim_eom() via patches from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add more fine-grained state control enforcing the order in which the message processing functions are called. There was previously a hole which would allow, for example, more headers to be submitted after a call to dkim_eoh() if a prescreen callback returned a "tryagain" result.
    LIBDKIM: Add dkim_sig_getidentity().
    LIBDKIM: Fix bug #SF1769270: Use the default query type to retrieve signing policy for unsigned messages.
    LIBDKIM: Fix bug #SF1769445: Return the correct policy result from dkim_get_policy_dns() rather than always returning an empty string. Patch by Andy Fiddaman.
    LIBDKIM: Amend dkim_sig_getcanonlen() to include a parameter which receives the signature length limit, if any.
    LIBDKIM: Restore proper value to dkim_bodylen. Problem noted by Jukka Salmi.
    LIBDKIM: Don't inexplicably clear sig_signalg. Problem noted by Jukka Salmi.
    Feature request #SF1761475: Add "ClockDrift" configuration option for tolerating out-of-synch clocks. Suggested by Kaspar Brand.
    Feature request #SF1761481: Add "SyslogSuccess" configuration option for logging successful operations rather than just errors or other informational messages. Suggested by Kaspar Brand.
    Feature request #SF1769888: Amend dkim_policy() to be able to return the policy type retrieved from the sending domain. Also add dkim_getpresult() and associated other code to get additional policy evaluation information. Requested by Andy Fiddaman.
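The 2.1.2 fix to "relaxed" body canonicalization, the 2.4.0 rule that a "simple"-canonicalized body contains at least a CRLF, and the "l=" handling that "BodyLengths", "-L"/"Minimum" and dkim_sig_getcanonlen() revolve around elsewhere in these notes all reduce to a few RFC 4871 section 3.4 rules. The following is an added example in Python, not code from dkim-milter or libdkim, that implements those rules together with the bh= comparison a verifier performs. The sample body, the appended mailing-list footer and the 64-byte unsigned-tail limit are constructed for the demonstration; the code assumes the body has already been normalized to CRLF line endings, as the "StrictTestMode" option requires.

```python
"""Added example, not code from dkim-milter or libdkim: RFC 4871 body
canonicalization, the bh= body hash, and the l= length limit."""
import base64
import hashlib
import hmac
import re

CRLF = b"\r\n"
HASH = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}


def canonicalize_body(body, method):
    """Canonicalize a CRLF-terminated body per RFC 4871 section 3.4
    (bare CR or LF is assumed to have been rejected earlier).

    simple : drop every empty line at the end of the body, then end with
             exactly one CRLF; an empty body therefore becomes CRLF, never
             the empty string (the SF1820123 rule from 2.4.0).
    relaxed: strip WSP before each CRLF, collapse WSP runs inside a line to
             one SP, drop trailing empty lines, and add a final CRLF only
             when something is left.
    """
    if method == "simple":
        while body.endswith(CRLF):
            body = body[:-2]
        return body + CRLF
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t"))
                 for line in body.split(CRLF)]
        body = CRLF.join(lines)
        while body.endswith(CRLF):
            body = body[:-2]
        return body + CRLF if body else b""
    raise ValueError("unknown body canonicalization: %s" % method)


def body_hash(canon_body, algorithm, length=None):
    """Base64 body hash, i.e. the bh= tag value. With l= present only the
    first `length` bytes of the canonicalized body are hashed."""
    data = canon_body if length is None else canon_body[:length]
    return base64.b64encode(HASH[algorithm](data).digest()).decode("ascii")


def verify_body_hash(body, bh, algorithm="rsa-sha256", method="simple",
                     length=None, max_unsigned=0):
    """Return (True, "") when bh= matches, else (False, reason).

    Besides the hash comparison itself (SF1558014), an l= larger than the
    canonicalized body is a failure rather than a silent whole-body hash,
    and the unsigned tail beyond l= is capped at `max_unsigned` bytes, the
    idea behind the "-L"/"Minimum" byte limit: anything after l= can be
    appended or replaced by a relay without invalidating the signature.
    """
    canon = canonicalize_body(body, method)
    if length is not None:
        if length > len(canon):
            return False, "l= exceeds canonicalized body length"
        tail = len(canon) - length
        if tail > max_unsigned:
            return False, "%d unsigned bytes after l= exceed the %d-byte limit" % (tail, max_unsigned)
    if not hmac.compare_digest(body_hash(canon, algorithm, length), bh):
        return False, "body hash mismatch"
    return True, ""


# Constructed sample: trailing blank lines, doubled spaces and trailing WSP,
# then a mailing-list footer appended after the message was signed.
ORIGINAL = b"Hello,\r\n\r\nThis is  a test.  \r\n\r\n\r\n"
FOOTER = b"--\r\nlist footer\r\n"

if __name__ == "__main__":
    canon = canonicalize_body(ORIGINAL, "simple")
    bh = body_hash(canon, "rsa-sha256")
    print("bh=" + bh)
    print("unmodified        :", verify_body_hash(ORIGINAL, bh))
    print("footer, no l=     :", verify_body_hash(ORIGINAL + FOOTER, bh))
    print("footer, l=, -L 64 :",
          verify_body_hash(ORIGINAL + FOOTER, bh, length=len(canon), max_unsigned=64))
    print("footer, l=, -L 0  :",
          verify_body_hash(ORIGINAL + FOOTER, bh, length=len(canon)))
```

The last two calls show the trade-off behind "BodyLengths": with l= the footer no longer breaks verification, but everything past the signed length is attacker-controllable, which is why the filter's "-L"/"Minimum" limit on unsigned trailing bytes exists.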
2.0.2    2007/08/03
    Fix bug #SF1766313: Make configuration handling 64-bit friendly. Other 64-bit portability issues also addressed. Problems noted by Chris Box.
    Add _FFR_DNS_UPGRADE which establishes a second libar instance in TCP mode for handling truncated UDP replies. Also make some minor fixes in the key and policy DNS lookup functions to provide more consistent handling of such responses. Problems noted by Kaspar Brand; code is still experimental.

2.0.1    2007/08/02
    Fix bug #SF1760481: Make header space allocations fully dynamic rather than establishing compile-time per-header limits. There is still an overall cap, however. Suggested by Ralf Hildebrandt.
    LIBDKIM: Fixes inside _FFR_KEY_REUSE.

2.0.0    2007/07/27
    Remove all support for versions older than RFC4871. Older statistics databases will be incompatible with the new code since version information is no longer included in the record format.
    Add "Resent-Sender" and "Resent-From" to the list of headers checked to determine whether or not the message should be signed or verified.
    Report an authentication result of "permerror" when the message can't be verified for syntax or other non-crypto reasons.
    New configuration file item "RemoveARFrom" allows specification of hostnames/domains whose existing Authentication-Results: headers should be removed. Also add "RemoveARAll" which allows selection of whether all such headers should be removed or only those containing a DKIM result.
    New configuration file item "RemoveOldSignatures" deletes existing signatures when signing.
    Fix bug #SF1743896: Don't crash if a From: header with no domain is found. Patch from Andy Fiddaman.
    Fix bug #SF1743964: Remove the pid file on shutdown or startup failure. Patch from Mike Markley.
    LIBAR: Plug descriptor and memory leaks in ar_shutdown().
    LIBDKIM: Rework _FFR_VBR code to prepare it for extraction into an independent library.
    LIBDKIM: The key and policy lookup callbacks must now return a DKIM_CBSTAT constant so that they can have their corresponding libdkim functions return DKIM_STAT_CBTRYAGAIN if desired. Suggested by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add _FFR_DIFFHEADERS which adds dkim_diffheaders() to enable the caller to search for headers that may have been munged in transit, thus causing a verification failure.
    LIBDKIM: Feature request #SF1473131: Overhaul data structures, functions and documentation to allow fine-grained handling of messages bearing multiple signatures. This included the following changes:
        o Extend draft-ietf-dkim-ssp-00 support to cover multiply-signed messages.
        o Introduce DKIM_SIGERROR type/constants for associating an error code with each individual signature.
        o New library flag DKIM_LIBFLAG_DELAYSIGPROC delays all signature processing until dkim_eom().
        o New library flag DKIM_LIBFLAG_EOHCHECK causes dkim_eoh() to return an error if it was unable to find any valid signatures when verifying.
        o Add new DKIM_CANON data type, referring to a parallel canonicalization required for signature generation or verification.
        o New function dkim_getsiglist() retrieves an array of DKIM_SIGINFO handles referring to all of the signatures discovered on a message.
        o New function dkim_getsignature() retrieves a single DKIM_SIGINFO handle which is the one libdkim will use to return its final result.
        o New function dkim_sig_getflags() to retrieve flags attached to a signature handle after processing.
        o New function dkim_sig_geterror() to retrieve the error code associated with a signature handle after processing.
        o New function dkim_sig_getbh() to retrieve the body hash test result on a signature after processing.
        o New function dkim_set_final() sets a user-provided callback called by dkim_eom() to do any final processing the caller may desire.
        o New function dkim_sig_process() manually executes verification of a signature, for use from within the prescreen or final callbacks.
        o Rename dkim_getcanonlen() to dkim_sig_getcanonlen(), dkim_getsigntime() to dkim_sig_getsigntime(), dkim_getselector() to dkim_sig_getselector(), dkim_getsigndomain() to dkim_sig_getdomain(), dkim_getsignalg() to dkim_sig_getsignalg() and dkim_getkeysize() to dkim_sig_getkeysize() as they now act on a specific signature rather than on an entire message.
        o The user-provided key and policy lookup functions must now accept a DKIM_SIGINFO handle as an additional parameter.
        o dkim_reportinfo() and dkim_ohdrs() now also require a DKIM_SIGINFO handle as an additional parameter.
    LIBDKIM: Fix signal logic in dkim_cache_read_unlock(). Patch from Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Add _FFR_KEY_REUSE which avoids doing duplicate key lookups if the same key is used on two signatures in the same message. Suggested by Chris Behrens of Concentric Network Corporation.
    LIBDKIM: Changed prototype for dkim_policy() to reflect the new code.
    Remove _FFR_FLUSH_HEADERS. The functionality it provided is now accessed via the new configuration options described above.
    Activate _FFR_HASH_BUFFERING.
    BUILD: More unit tests.

1.2.0    2007/06/26
    Update sender signing policy (SSP) code to match the new draft-ietf-dkim-ssp-00 specification syntax. In doing so, remove _FFR_ALLMAN_SSP_02.
    If "-u" is specified, call initgroups() and setgid() as well. Reported by Mike Markley; based on a patch from S. Moonesamy of Eland Systems.
    Fix bug #SF1738354: Add "L" data to CMDLINEOPTS. Reported by Andrey Chernov.

1.1.0    2007/06/15
    Add a new option to "-L" and "Minimum" allowing a specific maximum number of bytes of appended, unsigned text. Suggested by Philip Guenther.
    Documentation and build patches from Gregory Shapiro, and documentation patches from Steve Jones of Bank of America.
    Under _FFR_VBR, if dkim_vbr_query() returns an error, report the error and then don't add the header. Reported by S. Moonesamy of Eland Systems.
    Fix bug #24586: Allow "-?" just to get the usage message; also hint at such if the filter is invoked with no arguments.
    LIBDKIM: Define DKIM_STAT_CBTRYAGAIN and DKIM_CBSTAT_TRYAGAIN.
    BUILD: More unit tests.

1.0.0    2007/05/23
    First release after DKIM issued as a standard (RFC4871).
    Remove the "-v" command line option and "Version" configuration file item, which permitted selection of the signing version.
    Remove "nowsp" canonicalization option.
    LIBDKIM: Define DKIM_VERSION_RFC4871 and make it the default signing version.
    LIBDKIM: Remove DKIM_CANON_NOWSP and DKIM_VERSION_ALLMAN_BASE_00 which defined it. Gradually, support for old versions will be phased out.

0.8.1    2007/05/22
    Portability fixes for Solaris.
    LIBDKIM: Define DKIM_CBSTAT_* constants which are to be used as return values from callbacks. Also define new status values DKIM_STAT_CBREJECT and DKIM_STAT_CBINVALID indicating results from callbacks back to the calling applications. Suggested by James Sargent of AOL.
    LIBDKIM: Slightly nicer wrapping of "b=", "bh=" and "z=" in dkim_getsighdr().
    LIBDKIM: Define callbacks with respect to the DKIM library handle rather than each signing/verifying instance. Suggested by James Sargent of AOL.
    BUILD: Reference libssl and libcrypto in dkim-filter/Makefile.m4 rather than in the template site.config.m4 file since they're always required anyway.
    BUILD: Fix man page entry in dkim-filter/Makefile.m4.

0.8.0    2007/05/17
    Add a dkim-stats(8) man page. Contributed by Mike Markley.
    Add "SignatureTTL", "Diagnostics" and "AlwaysSignHeaders" options to the configuration file and man page.
    Add _FFR_ZTAGS for optionally saving diagnostic information when a signature fails if the signature contained a "z=" tag.
    Still more minor fixes in _FFR_STATS related to DB versions.
    Feature request #SF1473129: Split configuration file details into their own man page.
    LIBDKIM: Still more minor fixes in _FFR_QUERY_CACHE related to DB versions. Reported by Ben Lentz.
    LIBDKIM: Remove dkim_getidentity(), as the function it provides isn't part of DKIM. Instead, provide that functionality in dkim-filter.
    LIBDKIM: Add a new option DKIM_OPTS_ALWAYSHDRS which allows specification of a list of header names which should always be included in signature header lists whether or not the headers were actually present, preventing them from being added downstream before verification.
    LIBDKIM: Add a new option DKIM_OPTS_SIGNATURETTL which allows the caller to assert a time-to-live on signatures generated. This causes the "x=" tag to appear in signatures.
    LIBDKIM: Add a new library flag DKIM_LIBFLAGS_ZTAGS which causes signatures generated to include the original header set encoded for transport so the verifier can use it to diagnose verification failures. This causes the "z=" tag to appear in signatures.
    LIBDKIM: Add dkim_ohdrs() which extracts the sender's set of headers if a "z=" tag was present in the signature. This can then be used by the caller to diagnose verification failures for signatures which contain them.
    LIBDKIM: Add the first large (and yet not the smallest) change to support multiple signatures. There's now a method via a few callbacks to give the caller access to the signatures discovered by the end-of-headers callback. The caller can analyze the signatures, reorder them, or flag some to be ignored. After reordering, the library still simply runs with the first that appears to be syntactically valid; actual processing of multiple signatures after the re-ordering will be in an upcoming release.
    LIBDKIM: _FFR_QUERY_CACHE now only covers DNS key lookups, not all key lookups.
    LIBDKIM: Move the method-specific policy lookup functions into their own new files, dkim-policy.c and dkim-policy.h.
    LIBDKIM: Slightly nicer wrapping of "h=" in dkim_getsighdr().
    LIBDKIM: Add dkim_set_signer() for specifying the message's signer for signature generation.
    BUILD: More unit tests.
    Activate the following FFRs:
        _FFR_QUARANTINE
        _FFR_REPORTINFO

0.7.1    2007/05/09
    More minor fixes in _FFR_STATS related to DB versions. Based on a patch by Graham Murray.
    LIBDKIM: More minor fixes in _FFR_QUERY_CACHE related to DB versions.
    LIBDKIM: Use read-write locks instead of a mutex in _FFR_QUERY_CACHE when appropriate.
    LIBDKIM: When using _FFR_QUERY_CACHE with recent enough versions of the DB library, tell the library to use the same temporary directory as libdkim is using.
    BUILD: Fix bug #SF1715265: Correct a typo which caused libdkim to fail to build against the asynchronous resolver library. Reported by Andy Fiddaman.

0.7.0    2007/05/03
    Several more fixes in _FFR_STATS related to DB versions.
    LIBDKIM: Add support for optional callbacks to do key and policy lookups using an API provided by the caller rather than using DNS directly. New functions dkim_set_key_lookup() and dkim_set_policy_lookup() set these callbacks. Also add dkim_getdomain() and dkim_getselector() utility functions so those callbacks can extract the data required to make the queries. Note that these will probably change slightly when support for multiple signatures is finally added. Suggested by James Sargent of AOL.
    LIBDKIM: Fix bug #SF1708756: Set dkim_partial earlier during signing so that the "l=" portion is included in the canonicalized signature header. Reported by Andrey Chernov.
    LIBDKIM: Algorithm and initialization fixes in policy retrieval found by the new unit tests.
    LIBDKIM: Several more fixes in _FFR_QUERY_CACHE related to DB versions.
    LIBDKIM: Fix bug #SF1706248: Rewrite dkim_getidentity() so it returns a more sane value for the sender in all cases. Another utility function will be added later for obtaining the signer's identity. Reported by Andrey Chernov.
    BUILD: Overhaul the build scripts so that all the user editing is done in devtools/Site/site.config.m4 rather than in each individual directory's Makefile.m4. Include a template for this purpose.
    BUILD: Begin a collection of automated unit tests.
    Activate the following FFRs:
        _FFR_LOG_SSL_ERRORS
        _FFR_MULTIPLE_KEYS
        _FFR_OMIT_HEADERS
        _FFR_QUERY_FILE
        _FFR_SET_DNS_CALLBACK (Feature request #SF1473171)

0.6.6    2007/04/25
    Update _FFR_SELECT_CANONICALIZATION for split canonicalization methods.
    Add _FFR_STATS, creating an optional database for storing pass/fail statistics per domain over time, and a command-line tool for querying the database contents. Requires Sleepycat DB.
    LIBDKIM: Patch #SF1705155: Fixes in "relaxed" header canonicalization code. Problem noted by Ben Lentz.
    LIBDKIM: Add _FFR_HASH_BUFFERING, experimental code that adds a layer of buffering in front of dkim_canonwrite() so the SHA hashing functions are called less often.
    LIBDKIM: Only call dkim_flush_blanks() when it will actually do something.
    LIBDKIM: Fix bug #SF1706530: Call EVP_cleanup() in dkim_close(). Suggested by Andy Fiddaman.
    LIBDKIM: Inside _FFR_QUERY_CACHE, fix cursor operations when compiled against very old versions of Berkeley DB.
    LIBDKIM: When opening the database with _FFR_QUERY_CACHE, make sure the library is allowed to create the database.

0.6.5    2007/04/20
    Further fixes in POPAUTH code for backward-compatibility with older versions of Sleepycat DB.
    Memory corruption fixes inside _FFR_MULTIPLE_KEYS. Reported by S. Moonesamy of Eland Systems.
    Re-implement _FFR_OMIT_HEADERS using the new libdkim option (see below).
    Return DKIM_STAT_SYNTAX from dkim_eoh() if an empty "d", "s" or "b" tag is discovered on a signature.
    Export most internal header lists so callers can use them.
    Fix bug #SF1702708: Don't start in signing mode without at least one key and selector specified. Reported by Andrey Chernov.
    Feature request #SF1675359: Add _FFR_QUERY_CACHE, allowing optional caching on-disk of key and policy records retrieved via DNS to reduce the number of round trips to the nameserver. Requires Sleepycat DB. Requested by Jim Popovitch.
    Portability fixes for Solaris.
    LIBDKIM: Enforce mandatory headers in dkim_eoh().
    LIBDKIM: Add dkim_close() for library shutdown.
    LIBDKIM: Add option DKIM_OPTS_SKIPHDRS to skip headers that should not be signed or verified.
    LIBDKIM: Initialize dkiml_fixedtime.

0.6.4    2007/04/16
    Further fixes in POPAUTH code. Based on patches from John Merriam.
    Modify the output of "-V" further so it also includes active code options (as opposed to just FFRs).
    When linked against libdk, get additional forensic data from dk_geterror() whenever possible.
    Changes to _FFR_MULTIPLE_KEYS: Add a domain field in the file, and try a couple of filename extensions before giving up when reading private keys.
    Add more calls to dkim_error() for additional diagnostic information around the DNS queries.
    Fix bug #SF1700333: Remove the dkim_sig_signerok() check as it actually detects (and rejects) third-party signatures. The code is still there, just disabled, in case we want to use it after SSP addresses that question. Reported by James Sargent of AOL.
    Add _FFR_CAPTURE_UNKNOWN_ERRORS which quarantines jobs that cause unexpected results from dkim_eom() to allow more detailed analysis.
    LIBAR: Fix bug #SF1537476: Update to support IPv6 nameservers.

0.6.3    2007/04/06
    Avoid deadlock errors in the POPAUTH code by protecting that code with a mutex as well. Also, "l_end" should be "l_len". Problems noted by John Merriam.
    Fix bug #SF1693248: Add support for sendmail 8.14.x and its "preserve leading spaces" option. Based on a patch from Andy Fiddaman.
    Fix bug #SF1693249: If dkim_eoh() returns DKIM_STAT_NOSIG and then the caller calls dkim_eom() to get policy (which the documentation says is acceptable), assertion failures were tripped because the SHA hash(es) weren't initialized and dkim_domain wasn't set. Reported by Andy Fiddaman.
    LIBDKIM: Add _FFR_QUERY_FILE for getting keys and policies from a flat text file rather than DNS for offline or automated testing. Based on a patch from Jeff Barry.
    LIBDKIM: New option DKIM_OPTS_FIXEDTIME to use a specific time when generating signatures, to be used for offline or automated testing. Based on a patch from Jeff Barry.
    LIBDKIM: Fix bug #SF1691659: Fix a type mismatch so that RSA_sign() returns reasonable results on 64-bit platforms. Reported by Andy Fiddaman.
    LIBAR: Fix bug #SF1694130: Block signals that should be caught and handled elsewhere, such as in libmilter. Patch by Andy Fiddaman.

0.6.2    2007/03/30
    Don't start if you're in signing mode and no selector was chosen on the command line or in the configuration file.
    Don't start if the version of OpenSSL used to compile libdkim is not the same as the one used to compile the filter.
    Print the version of OpenSSL in use when "-V" is used on the command line.
    Add _FFR_VBR, enabling optional support for the Vouch By Reference domain reputation proposal.
    Add "BodyLengths" configuration file option which adds the "l=" parameter when signing messages so re-mailers (e.g. MLMs) which append text to the message won't interfere with successful verification.
    Fix bug #SF1689101: Fix a minor error in argv processing when _FFR_OMIT_HEADERS was in use.
    LIBDKIM: Change DKIM_SIGN_DEFAULT to point to "rsa-sha256" if it's available.
    LIBDKIM: Add dkim_ssl_version().
    LIBDKIM: Fix bug #SF1681632: Fix a bug in header selection when signing. Messages verified just fine, but some headers could accidentally be omitted during signing. From a patch for bug #SF1541490 for dk-milter, reported by Mark Martinec; essentially the same bug existed in libdkim.

0.6.1    2007/03/07
    Load the -C values from the configuration file if -C wasn't present on the command line. Previously, they were ignored.
    Fix bug #SF1477211: Add an appropriate Authentication-Results: header when a signature uses a hash which the matching key does not authorize.
    Feature request #SF1497802: Add _FFR_QUARANTINE, allowing optional quarantining of messages which fail verification or policy checks.
    Feature request #SF1605766: To reduce spurious logging, don't set mctx_status to DKIMF_STATUS_NOSIGNATURE unless the signature was missing on a message from a domain that claims it signs everything.
    LIBDKIM: Fix a verification version auto-detection bug that was causing some false negatives.
    LIBDKIM: Fix bug #SF1672787: Fix an additional corruption bug in dkim_getsighdr().
    LIBDKIM: Select the correct signature to replay into canonicalization, rather than always using the first one. Problem noted by James Sargent of AOL.

0.6.0    2007/03/01
    Bring up to currency with "ietf-base-10" which is probably the version that the IETF will issue as an RFC. This includes:
        - signature "q=" option delimiter is now "/", and the default value is now "dns/txt"
        - if both "t=" and "x=" are present in a signature, make sure the former is less than the latter
        - disregard signatures that appear to have been generated in the future
        - support for draft and final versions of "v=" tags in both keys and signatures
    Activate _FFR_VERIFY_DOMAINKEYS.
    Complete support for DKIM_QUERY_FILE for use in debugging and testing.
    Fix a number of minor bugs in signature header generation which could cause corruption and thus validation and/or syntax errors.
    Fix bug #SF1507535: Fix an FFR-related build issue. Reported by Frederik Pettai.
    Patch #SF1505401: Add _FFR_OMIT_HEADERS, copied from dk-milter. This will probably be replaced later by an extension to dkim_options(). Patch provided by Ben Lentz.
    LIBDKIM: Fix bug #SF1512860: Before returning DKIM_STAT_NOSIG from dkim_eom(), try to retrieve the sending domain's policy.
    LIBDKIM: Fix bug #SF1608314: Fix processing of config file items "Userid" and "Mode". Patch from John Villalovos.
    LIBDKIM: Add dkim_geterror() to retrieve additional diagnostic data from the API when a function call returns DKIM_STAT_INTERNAL or something else whose cause isn't readily apparent.
    LIBDKIM: Remove an extraneous pointer type in the parameter list for dkim_sign(). Reported by Jeff Barry.

0.5.2    2006/09/18
    Fix bug #SF1537905: If necessary, try again to get the job ID in mlfi_eom() in case it came down later than expected (e.g. postfix). Suggested by Mark Martinec.
    Fix a couple of minor build problems.
    Fix bug #SF1559406: Change MAXHEADER to 4096.
    LIBDKIM: Fix bug #SF1544301: Fix an issue with processing a message which has trailing spaces on its last line. Reported by Mark Martinec.
    LIBDKIM: Fix bug #SF1558014: Confirm the body hash in the signature matches the actual body hash when verifying. Reported by Mark Martinec.
    LIBDKIM: Add preliminary support for the draft-allman-dkim-ssp-02 specification as _FFR_ALLMAN_SSP_02.
    LIBAR: Adapt to the post-bind4 resolver API. Problem reported by S. Moonesamy of Eland Systems.

0.5.1    2006/06/14
    Add compile-time option _FFR_ANTICIPATE_SENDMAIL_MUNGE which attempts to replicate some header rewriting the sendmail MTA will do, which otherwise prevents signature validation from succeeding. Problem noted by Ken Jones.
    Add support for "ietf-base-02" signing mode (which is really synonymous with "ietf-base-01").
    LIBDKIM: Report a syntax error when a signature header arrives with any required fields missing.

0.5.0    2006/05/19
    Fix an assertion failure under _FFR_SELECT_SIGN_HEADERS. Reported by S. Moonesamy of Eland Systems.
    Under _FFR_REPORTINFO, only send reports when verification failed. There are other failure modes, but that's the only one for which reports are useful.
Problem noted by Michael Thomas of Cisco. RFC2822 doesn't require any recipient headers, so remove those checks inside _FFR_REQUIRED_HEADERS. Fix bug #SF1481303: Don't verify DomainKeys signatures while in signing mode. Reported by S. Moonesamy of Eland Systems. Activate _FFR_MACRO_LIST (adds the "-M" command line option) and _FFR_EXTERNAL_IGNORE_LIST (adds the "-I" command line option). 0.4.1 2006/05/02 Include the list of supported DKIM versions in the output of "-V". Feature request #SF1238442: Add _FFR_VERIFY_DOMAINKEYS which will verify DomainKey signatures, if present. Requires libdk, which is available in the dk-milter package. Feature request #SF1453565: Add _FFR_SELECT_SIGN_HEADERS which permits specification of which headers to sign. Add _FFR_SET_DNS_CALLBACK which allows registration of a callback per-handle which is called periodically while waiting for DNS responses. LIBDKIM: Return an error if the signing function returned success but also reported a zero-length signature. Reported by S. Moonesamy of Eland Systems. 0.4.0 2006/04/18 Add preliminary support for IETF DKIM draft 01. "rsa-sha256" support was already added, but this also adds support for the "bh" (body hash) tag in signatures. Add "-v" command line switch to select DKIM version to use when signing. Add "-x" command line switch to specify a configuration file to read and parse. LIBAR: Fixes regarding retransmissions. 0.3.2 2006/04/05 Don't remove the wrong "b=" when canonicalizing the signature header during verification. Problem noted by Michael Thomas of Cisco. Properly process empty values in parameter sets. Problem noted by Michael Thomas of Cisco. 0.3.1 2006/03/19 Report the size of the key on successful verifications in the Authentication-Results: header. Fix bug #SF1453591: Tolerate empty strings in dkim_process_set(), and just apply defaults. LIBDKIM: Add dkim_getkeysize(), dkim_getsignalg(), dkim_getsigntime(). 0.3.0 2006/03/15 Add preliminary support for "rsa-sha256" signatures. 
Rearrange command line arguments somewhat. Include the list of supported canonicalization and signing algorithms in the output when "-V" is specified. Fix an intermittent crash condition caused by an uninitialized variable. Add _FFR_LOG_SSL_ERRORS to log any queued SSL error messages before releasing a message from the filter. 0.2.3 2006/03/03 Add a "testing" comment when the key or policy used to verify a message is marked with a test flag. Flush the base64 output stream before sending the reports under _FFR_REPORTINFO so that the reports don't contain truncated data. Discovered by Tony Hansen of AT&T. Fixes in processing of signature headers that contained extraneous spaces. Reported by Tony Hansen of AT&T. Fix bug #SF1442606: Clone the configuration string before parsing it so that "ps" doesn't show weird output. 0.2.2 2006/01/24 Evaluate the key granularity honouring "*" as a wildcard. Add _FFR_SET_REPLY which requests a more useful SMTP reply code when instructing the MTA to temp-fail or reject messages. 0.2.1 2005/12/09 Further fixes to dkim_getsighdr(). Problem reported by Sung-hoon Choi of Dreamwiz. Plug a few small but definite memory leaks. Fix bug #SF1373746: Repair a _FFR_SELECT_CANONICALIZATION build problem introduced in the previous release. Reported by S. Moonesamy of Eland Systems. 0.2.0 2005/12/02 Update for revised ESTG draft. Mainly this involved changing the "nowsp" canonicalization to "relaxed", and allowing specification of different canonicalizations for header and body. Don't allow the header to end with "\n\t" in dkim_getsighdr(). Problem reported by Sung-hoon Choi of Dreamwiz. Report "neutral" instead of "fail" for failed verifications when they key was marked as being in test mode. Patch from Sung-hoon Choi of Dreamwiz. Allow "-d" to specify a file from which domain names should be read, and allow domain names to contain wildcards. Fix bug #SF1243980: An empty key granularity matches nobody. Reported by Jim Fenton of Cisco. 
LIBAR: Fix bug #SF1282755: Fix a build issue introduced in the last release. Reported by Fredrik Pettai. 0.1.1 2005/07/21 Prevent a garbage pointer free() in dkim_free(). Reported by S. Moonesamy of Eland Systems. Fix bug #SF1241118: Don't add an Authentication-Results: header for messages which are unsigned and come from a domain that doesn't advertise a signs-all policy. Reported by S. Moonesamy of Eland Systems. Report "neutral" instead of "fail" for domains advertising test mode in their policies. Feature request #SF1238617: Add a compile-time option to map smfi_insheader() to smfi_addheader() on machines with older MTA and libmilter versions. 0.1.0 2005/07/13 Initial open source release.
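The ietf-base-10 signature rules listed under 0.6.0 (the "q=" delimiter and "dns/txt" default, "t=" less than "x=", signatures from the future) and the key granularity rules under 0.2.2 and 0.2.0 ("*" as a wildcard, an empty granularity matches nobody), written out in Python as an added example that is not dkim-milter's or libdkim's own code. The DKIM-Signature value it parses is constructed; the expiry check and the absent-"g=" default come from RFC 4871 rather than from these notes.

```python
# Added illustration, not dkim-milter/libdkim code: tag-list parsing plus the
# signature and key-granularity checks these notes name.  SAMPLE_SIG is constructed.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;"
              " t=1190000000; x=1190003600; h=from:to:subject; bh=dGVzdA==; b=")

def parse_tag_list(text):
    """Split a tag=value list; empty values (e.g. a blanked 'b=') are kept and
    folding whitespace inside values is dropped."""
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue                      # tolerate a trailing ';'
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[name.strip()] = "".join(value.split())
    return tags

def query_methods(tags):
    """'q=': colon-separated method/options list, '/' delimited, default 'dns/txt'."""
    methods = []
    for m in (tags.get("q") or "dns/txt").split(":"):
        method, _, opts = m.partition("/")
        methods.append((method, opts))
    return methods

def check_signature_times(tags, now):
    """Reject a signature from the future and require t= < x= when both are
    present (0.6.0); also refuse an expired one (x= past, per RFC 4871)."""
    t = int(tags["t"]) if tags.get("t") else None
    x = int(tags["x"]) if tags.get("x") else None
    if t is not None and t > now:
        return "future"
    if t is not None and x is not None and t >= x:
        return "badtimes"
    if x is not None and x < now:
        return "expired"
    return "ok"

def granularity_matches(g, local_part):
    """Key 'g=' tag: '*' is a wildcard matching zero or more characters (0.2.2)."""
    if g is None:                         # absent g= means '*' (RFC 4871)
        return True
    if g == "":                           # empty g= matches nobody (0.2.0)
        return False
    head, star, tail = g.partition("*")
    if not star:
        return g == local_part
    return (local_part.startswith(head) and local_part.endswith(tail)
            and len(local_part) >= len(head) + len(tail))
```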