Re: Only signing when listed in TrustedHosts AND authenticated

From: Aaron Paetznick <aaronp_at_critd.com>
Date: Mon, 20 Jul 2015 17:51:14 -0500

Another update. I think I've found a bug.

When I remove auth_type from the MILTER macros by defining this in my
sendmail.mc file:

define(`confMILTER_MACROS_ENVFROM',`i, {auth_authen}, {auth_ssf},
{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')


..., and I do not have a MacroList definition in my opendkim.conf file,
it will not sign. This makes sense, as it doesn't have access to the
auth_type macro it uses to tell if it's authenticated or not. But if I
then define ANYTHING for MacroList, e.g.:

MacroList lkasjflsajfsdaljfsdalkfj


...and make no other changes, opendkim will complain that "no macros
match", but then it signs the email anyways. In other words, it will
(correctly) not sign with MacroList commented out, but adding junk in
MacroList /will/ make it sign. I don't think this is desired behavior.

My intention is to pass OpenDKIM a new macro, e.g. {should_sign}, and
have OpenDKIM only sign if it sees that macro, but it seems to want to
sign if ANYTHING is defined in MacroList so I will not be able to do
this. I'm using OpenDKIM 2.10.3.

Any thoughts?


--Aaron


On 7/20/2015 2:22 PM, Aaron Paetznick wrote:
> Ok after further testing, I don't think this is going to work.
> OpenDKIM is always signing if authenticated for some reason, and I
> can't get it to stop. This happens whether it matches any or all
> macros, or none.
>
> I'm still trying to create a new macro and expose it to the MILTER
> interface. Here's my current sendmail.mc:
>
> dnl OpenDKIM signing?
> LOCAL_RULE_3
> DX${auth_authen}$?{should_sign} (true)$.
> define(`confMILTER_MACROS_ENVFROM',`[i, {auth_type}, {auth_authen},
> {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr},
> {should_sign}]')
>
>
> And then in my opendkim.conf, I have:
>
> MacroList should_sign
>
>
> My syslog still says "no macros match". This is moot though, as it
> will still always sign the email if I'm authenticated, no matter if it
> matches this additional macro or not. I'm starting to think this isn't
> going to be possible.
>
> Any other ideas?
>
>
> --Aaron
>
>
> On 7/20/2015 2:18 PM, Aaron Paetznick wrote:
>> Ok after further testing, I don't think this is going to work.
>> OpenDKIM is always signing if authenticated for some reason, and I
>> can't get it to stop. This happens whether it matches any or all
>> macros, or none.
>>
>> I'm still trying to create a new macro and expose it to the MILTER
>> interface. Here's my current sendmail.mc:
>>
>> dnl OpenDKIM signing?
>> LOCAL_RULE_3
>> DX${auth_authen}$?{should_sign} (true)$.
>> define(`confMILTER_MACROS_ENVFROM',`[i, {auth_type}, {auth_authen},
>> {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr},
>> {should_sign}]')
>>
>>
>> And then in my opendkim.conf, I have:
>>
>> MacroList should_sign
>>
>>
>> My syslog still says "no macros match". This is moot though, as it
>> will still always sign the email if I'm authenticated, no matter if
>> it matches this additional macro or not. I'm starting to think this
>> isn't going to be possible.
>>
>> Any other ideas?
>>
>>
>> --Aaron
>>
>>
>> On 7/16/2015 2:22 PM, Aaron Paetznick wrote:
>>> Thanks for this! I can look into defining a new macro and exposing
>>> it through the MILTER interface (which seems to be fairly
>>> complicated), or can I just use MacroList to have OpenDKIM check for
>>> both {auth_authen} and {cipher}? The problem is that I need to have
>>> OpenDKIM check for TrustedHosts AND {auth_authen} AND {cipher}, not
>>> TrustedHosts OR {auth_authen} OR {cipher}. The latter seems to be
>>> the case right now.
>>>
>>> As for the syntax, I'm currently having some luck with this:
>>>
>>> MacroList auth_authen, cipher
>>>
>>>
>>> If I define MacroList as above, am I saying BOTH auth_authen AND
>>> cipher must exist, or EITHER auth_authen OR cipher must exist?
>>>
>>> Also, is there a macro for whether TrustedHosts was matched?
>>>
>>>
>>> --Aaron
>>>
>>>
>>> On 7/15/2015 2:31 PM, Claus Assmann wrote:
>>>> On Tue, Jul 14, 2015, Aaron Paetznick wrote:
>>>>
>>>>> I would like to be able to configure OpenDKIM to only sign email
>>>>> that is
>>>>> listed in the TrustedHosts AND authenticated AND encrypted, or at
>>>>> least just
>>>> Take a look at the option MacroList: write a local sendmail rule
>>>> that sets a specific macro under the conditions you listed/want and
>>>> tell opendkim to check it.
>>>>
>>>>
>>>
>>
>
Received on Mon Jul 20 2015 - 22:51:39 PST
