diff --git a/email_server/dkim_manager.py b/email_server/dkim_manager.py index 46e17a7..46a9091 100644 --- a/email_server/dkim_manager.py +++ b/email_server/dkim_manager.py @@ -9,6 +9,8 @@ from datetime import datetime from email_server.models import Session, Domain, DKIMKey from email_server.settings_loader import load_settings from email_server.tool_box import get_logger +import random +import string settings = load_settings() DKIM_SELECTOR = settings['DKIM']['DKIM_SELECTOR'] @@ -19,11 +21,20 @@ logger = get_logger() class DKIMManager: """Manages DKIM keys and email signing.""" - def __init__(self): - self.selector = DKIM_SELECTOR + def __init__(self, selector: str = None): + """Initialize DKIMManager with a selector. If not provided, use random.""" + if selector: + self.selector = selector + else: + self.selector = self._generate_random_selector() - def generate_dkim_keypair(self, domain_name): - """Generate DKIM key pair for a domain.""" + @staticmethod + def _generate_random_selector(length: int = 12) -> str: + """Generate a random DKIM selector name (8-12 chars).""" + return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length)) + + def generate_dkim_keypair(self, domain_name, selector: str = None): + """Generate DKIM key pair for a domain, optionally with a custom selector.""" session = Session() try: # Check if domain exists @@ -32,10 +43,13 @@ class DKIMManager: logger.error(f"Domain {domain_name} not found") return False - # Check if DKIM key already exists - existing_key = session.query(DKIMKey).filter_by(domain_id=domain.id, is_active=True).first() + # Use provided selector or instance selector + use_selector = selector or self.selector + + # Check if DKIM key with this selector already exists + existing_key = session.query(DKIMKey).filter_by(domain_id=domain.id, selector=use_selector, is_active=True).first() if existing_key: - logger.debug(f"DKIM key already exists for domain {domain_name}") + logger.debug(f"DKIM key already exists for domain {domain_name} and selector {use_selector}") return True # Generate RSA key pair @@ -61,7 +75,7 @@ class DKIMManager: # Store in database dkim_key = DKIMKey( domain_id=domain.id, - selector=self.selector, + selector=use_selector, private_key=private_pem, public_key=public_pem, created_at=datetime.now(), @@ -70,7 +84,7 @@ class DKIMManager: session.add(dkim_key) session.commit() - logger.debug(f"Generated DKIM key for domain: {domain_name}") + logger.debug(f"Generated DKIM key for domain: {domain_name} selector: {use_selector}") return True except Exception as e: @@ -79,95 +93,78 @@ class DKIMManager: return False finally: session.close() - + + def get_active_dkim_key(self, domain_name): + """Get the active DKIM key for a domain (only one active per selector).""" + session = Session() + try: + domain = session.query(Domain).filter_by(domain_name=domain_name).first() + if not domain: + return None + dkim_key = session.query(DKIMKey).filter_by(domain_id=domain.id, is_active=True).first() + return dkim_key + except Exception as e: + logger.error(f"Error getting DKIM key for {domain_name}: {e}") + return None + finally: + session.close() + def get_dkim_private_key(self, domain_name): """Get DKIM private key for a domain.""" - session = Session() - try: - domain = session.query(Domain).filter_by(domain_name=domain_name).first() - if not domain: - return None - - dkim_key = session.query(DKIMKey).filter_by( - domain_id=domain.id, - is_active=True - ).first() - - if dkim_key: - return dkim_key.private_key - return None - - except Exception as e: - logger.error(f"Error getting DKIM private key for {domain_name}: {e}") - return None - finally: - session.close() + dkim_key = self.get_active_dkim_key(domain_name) + if dkim_key: + return dkim_key.private_key + return None def get_dkim_public_key_record(self, domain_name): - """Get DKIM public key DNS record for a domain.""" - session = Session() - try: - domain = session.query(Domain).filter_by(domain_name=domain_name).first() - if not domain: - return None - - dkim_key = session.query(DKIMKey).filter_by( - domain_id=domain.id, - is_active=True - ).first() - - if dkim_key: - # Extract public key from PEM format for DNS record - public_key_lines = dkim_key.public_key.strip().split('\n') - public_key_data = ''.join(public_key_lines[1:-1]) # Remove header/footer - - return { - 'name': f'{self.selector}._domainkey.{domain_name}', - 'type': 'TXT', - 'value': f'v=DKIM1; k=rsa; p={public_key_data}' - } - return None - - except Exception as e: - logger.error(f"Error getting DKIM public key record for {domain_name}: {e}") - return None - finally: - session.close() - + """Get DKIM public key DNS record for a domain (active key only).""" + dkim_key = self.get_active_dkim_key(domain_name) + if dkim_key: + public_key_lines = dkim_key.public_key.strip().split('\n') + public_key_data = ''.join(public_key_lines[1:-1]) # Remove header/footer + return { + 'name': f'{dkim_key.selector}._domainkey.{domain_name}', + 'type': 'TXT', + 'value': f'v=DKIM1; k=rsa; p={public_key_data}' + } + return None + def sign_email(self, email_content, domain_name): - """Sign email content with DKIM.""" + """Sign email content with DKIM. Only add one DKIM header, after all modifications.""" try: - private_key = self.get_dkim_private_key(domain_name) - if not private_key: + dkim_key = self.get_active_dkim_key(domain_name) + if not dkim_key: logger.warning(f"No DKIM key found for domain: {domain_name}") return email_content - + private_key = dkim_key.private_key + selector = dkim_key.selector # Convert content to bytes if it's a string if isinstance(email_content, str): email_bytes = email_content.encode('utf-8') else: email_bytes = email_content - - # Sign the email + # Remove any existing DKIM-Signature header (robust multiline) + import re + email_bytes = re.sub(br'^DKIM-Signature:.*?(\r?\n[ \t].*?)*\r?\n', b'', email_bytes, flags=re.MULTILINE) + # Canonicalization: relaxed/relaxed, add more headers to h= + headers = [ + b'from', b'to', b'subject', b'date', b'message-id', + b'mime-version', b'content-type', b'content-transfer-encoding' + ] signature = dkim.sign( email_bytes, - self.selector.encode('utf-8'), + selector.encode('utf-8'), domain_name.encode('utf-8'), private_key.encode('utf-8'), - include_headers=[b'from', b'to', b'subject', b'date', b'message-id'] + include_headers=headers, + canonicalize=(b'relaxed', b'relaxed') ) - - # Combine signature with original content signed_content = signature + email_bytes - - logger.debug(f"Successfully signed email for domain: {domain_name}") - - # Return as string if input was string + logger.debug(f"Successfully signed email for domain: {domain_name} selector: {selector}") if isinstance(email_content, str): return signed_content.decode('utf-8') else: return signed_content - except Exception as e: logger.error(f"Error signing email for domain {domain_name}: {e}") return email_content diff --git a/email_server/smtp_handler.py b/email_server/smtp_handler.py index 4fa2603..7a18612 100644 --- a/email_server/smtp_handler.py +++ b/email_server/smtp_handler.py @@ -61,17 +61,16 @@ class CustomSMTPHandler: # Extract domain from sender for DKIM signing sender_domain = envelope.mail_from.split('@')[1] if '@' in envelope.mail_from else None - # Sign with DKIM if domain is configured + # Relay the email (all modifications done) signed_content = content dkim_signed = False if sender_domain: + # DKIM-sign the final version of the message signed_content = self.dkim_manager.sign_email(content, sender_domain) - # Check if signing was successful (content changed) dkim_signed = signed_content != content if dkim_signed: logger.debug(f'Email {message_id} signed with DKIM for domain {sender_domain}') - # Relay the email success = self.email_relay.relay_email( envelope.mail_from, envelope.rcpt_tos, diff --git a/tests/email_header_received.txt b/tests/email_header_received.txt new file mode 100644 index 0000000..fea8d9c --- /dev/null +++ b/tests/email_header_received.txt @@ -0,0 +1,64 @@ +Return-Path: +Delivered-To: michal@freebede.com +Received: from localhost (ip6-localhost [127.0.0.1]) + by mail.freebede.com (Haraka/3.0.3) with ESMTP id C9334594-05C2-4C2F-9929-8BC2EDE64F7B.1 + envelope-from ; + Sat, 31 May 2025 17:16:15 +0100 +X-Sieve: Pigeonhole Sieve 2.4.1-4+debian12 (0a86619f) +X-Sieve-Redirected-From: info@freebede.com +Delivered-To: info@freebede.com +Received-SPF: permerror (mail.freebede.com: permanent error in processing during lookup of Georgio@freebede.com: Unknown mechanism ipv4) + client-ip=217.154.124.184; +X-Haraka-FCrDNS: pymta.freebede.com +Received: from [217.154.124.184] (pymta.freebede.com [217.154.124.184]) + by mail.freebede.com (Haraka/3.0.3) with ESMTPS id A7500626-F3FD-4765-AC22-B223F4EBE9AF.1 + envelope-from + tls TLS_AES_256_GCM_SHA384; + Sat, 31 May 2025 17:16:14 +0100 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=freebede.com; + i=@freebede.com; q=dns/txt; s=default; t=1748708170; h=from : to : + subject : date : message-id; + bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=; + b=k7YkS92hHtDtkiQMwQMVydweX+aeBTkrUXwcZNDkWcId1bItfSvK2sWhRorOOvt08z/+m + zButdzQ3Ia/1XPXFf9Ehkb3Jl5IRFnmrI2wgzN5jsJ5SY70zyrd6XVzWr64BbGDDhpnI+D/ + KXveMWeiJ66Ea++eEM8YG58StFGsMcVEyeiEL5WFaasPCsEPDaVTOWU+ietvpQg777tNDB2 + hAuJGCnGFngbqeV+6R1jiJM+TZX4KRp8HLPCkX0S52GRTcpNbI8diDY9pDizndasKZNvEEj + /YYX+P/vL+4wdUqjx2ALDjG0Z1G/381Rbkn3gWOCRzFpTq/v4ekRwwJAu5fA== +Date: Sat, 31 May 2025 17:16:09 +0100 +To: info@freebede.com +From: Georgio@freebede.com +Subject: TLS - Large body email +Message-Id: <20250531171609.046279@Supanone-PC> +X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/ +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_46279" +X-Haraka-Karma: score: 4, good: 4, bad: 3, connections: 7, history: 1, asn_score: -77, asn_connections: 85, asn_good: 4, asn_bad: 81, awards: 132,281, fail:asn:history, rcpt_to +X-p0f-Result: os="Linux 2.2.x-3.x" link_type="Ethernet or modem" distance=10 total_conn=8 +X-Rspamd-Bar: ++ +X-Rspamd-Report: DMARC_POLICY_ALLOW(-0.5) HFILTER_HELO_BAREIP(3) MID_RHS_NOT_FQDN(0.5) MIME_GOOD(-0.1) R_DKIM_ALLOW(-0.2) ONCE_RECEIVED(0.2) R_SPF_ALLOW(-0.2) +X-Rspamd-Score: 2.699999 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebede.com; + h=Content-Type: MIME-Version: Message-Id: Subject: From: To: Date; + q=dns/txt; s=s20240310133; t=1748708175; + bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=; + b=I3qbjEWaV0amKMevlVUWA3tnoDLaZZCa5HX5YyFOwiFBpjhB2anvXnyE4U8864ER2bqN9VnRw + Gu5Ni4YjvNg4HVUABLTHNeTtEe7cik9N26mqjD2Xc6TUluzYtYjEpDGvxI6pfdRTAjFOE1KI0DT + OKqNppgzbGyChWFRZdd2PSe2d84OnLj9KXTtmwqNXFGz10EKvXsEQ+v/tX+JOkfE6HW/nAGmHrj + ZyZRMhzKPjm4SZHMy/T3MBGNeBwJHx8dg+9hNPKMvNMKFZp+ZzSbEKyD5bBBwWxVjxUlso0ZZZW + TzoOAVCqFJxLr4dK6qcpJJ9mjE/0mguJMdZ2J/ia0vBA== +Original-Authentication-Results: mail.freebede.com; + iprev=pass; + spf=permerror (mail.freebede.com: permanent error in processing during lookup of Georgio@freebede.com: Unknown mechanism ipv4) smtp.mailfrom=Georgio@freebede.com smtp.helo="[217.154.124.184]"; + dkim=pass header.i=@freebede.com header.s=default header.a=rsa-sha256 header.b=k7YkS92h; + dmarc=pass (p=REJECT arc=none) header.from=freebede.com header.d=freebede.com +X-Haraka-GeoIP-Received: 217.154.124.184:DE,217.154.124.184:DE +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebede.com; + h=Content-Type: MIME-Version: Message-Id: Subject: From: To: Date; + q=dns/txt; s=s20240310133; t=1748708175; + bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=; + b=I3qbjEWaV0amKMevlVUWA3tnoDLaZZCa5HX5YyFOwiFBpjhB2anvXnyE4U8864ER2bqN9VnRw + Gu5Ni4YjvNg4HVUABLTHNeTtEe7cik9N26mqjD2Xc6TUluzYtYjEpDGvxI6pfdRTAjFOE1KI0DT + OKqNppgzbGyChWFRZdd2PSe2d84OnLj9KXTtmwqNXFGz10EKvXsEQ+v/tX+JOkfE6HW/nAGmHrj + ZyZRMhzKPjm4SZHMy/T3MBGNeBwJHx8dg+9hNPKMvNMKFZp+ZzSbEKyD5bBBwWxVjxUlso0ZZZW + TzoOAVCqFJxLr4dK6qcpJJ9mjE/0mguJMdZ2J/ia0vBA== +