dkim test

2025-05-31 17:35:35 +01:00
parent 1d4a37922d
commit 06f75d704d
3 changed files with 138 additions and 78 deletions
--- a/email_server/dkim_manager.py
+++ b/email_server/dkim_manager.py
@@ -9,6 +9,8 @@ from datetime import datetime
 from email_server.models import Session, Domain, DKIMKey
 from email_server.settings_loader import load_settings
 from email_server.tool_box import get_logger
+import random
+import string

 settings = load_settings()
 DKIM_SELECTOR = settings['DKIM']['DKIM_SELECTOR']
@@ -19,11 +21,20 @@ logger = get_logger()
 class DKIMManager:
    """Manages DKIM keys and email signing."""
    
-    def __init__(self):
-        self.selector = DKIM_SELECTOR
+    def __init__(self, selector: str = None):
+        """Initialize DKIMManager with a selector. If not provided, use random."""
+        if selector:
+            self.selector = selector
+        else:
+            self.selector = self._generate_random_selector()
    
-    def generate_dkim_keypair(self, domain_name):
-        """Generate DKIM key pair for a domain."""
+    @staticmethod
+    def _generate_random_selector(length: int = 12) -> str:
+        """Generate a random DKIM selector name (8-12 chars)."""
+        return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
+
+    def generate_dkim_keypair(self, domain_name, selector: str = None):
+        """Generate DKIM key pair for a domain, optionally with a custom selector."""
        session = Session()
        try:
            # Check if domain exists
@@ -32,10 +43,13 @@ class DKIMManager:
                logger.error(f"Domain {domain_name} not found")
                return False
            
-            # Check if DKIM key already exists
-            existing_key = session.query(DKIMKey).filter_by(domain_id=domain.id, is_active=True).first()
+            # Use provided selector or instance selector
+            use_selector = selector or self.selector
+            
+            # Check if DKIM key with this selector already exists
+            existing_key = session.query(DKIMKey).filter_by(domain_id=domain.id, selector=use_selector, is_active=True).first()
            if existing_key:
-                logger.debug(f"DKIM key already exists for domain {domain_name}")
+                logger.debug(f"DKIM key already exists for domain {domain_name} and selector {use_selector}")
                return True
            
            # Generate RSA key pair
@@ -61,7 +75,7 @@ class DKIMManager:
            # Store in database
            dkim_key = DKIMKey(
                domain_id=domain.id,
-                selector=self.selector,
+                selector=use_selector,
                private_key=private_pem,
                public_key=public_pem,
                created_at=datetime.now(),
@@ -70,7 +84,7 @@ class DKIMManager:
            session.add(dkim_key)
            session.commit()
            
-            logger.debug(f"Generated DKIM key for domain: {domain_name}")
+            logger.debug(f"Generated DKIM key for domain: {domain_name} selector: {use_selector}")
            return True
            
        except Exception as e:
@@ -80,94 +94,77 @@ class DKIMManager:
        finally:
            session.close()

+    def get_active_dkim_key(self, domain_name):
+        """Get the active DKIM key for a domain (only one active per selector)."""
+        session = Session()
+        try:
+            domain = session.query(Domain).filter_by(domain_name=domain_name).first()
+            if not domain:
+                return None
+            dkim_key = session.query(DKIMKey).filter_by(domain_id=domain.id, is_active=True).first()
+            return dkim_key
+        except Exception as e:
+            logger.error(f"Error getting DKIM key for {domain_name}: {e}")
+            return None
+        finally:
+            session.close()
+
    def get_dkim_private_key(self, domain_name):
        """Get DKIM private key for a domain."""
-        session = Session()
-        try:
-            domain = session.query(Domain).filter_by(domain_name=domain_name).first()
-            if not domain:
-                return None
-            
-            dkim_key = session.query(DKIMKey).filter_by(
-                domain_id=domain.id, 
-                is_active=True
-            ).first()
-            
-            if dkim_key:
-                return dkim_key.private_key
-            return None
-            
-        except Exception as e:
-            logger.error(f"Error getting DKIM private key for {domain_name}: {e}")
-            return None
-        finally:
-            session.close()
+        dkim_key = self.get_active_dkim_key(domain_name)
+        if dkim_key:
+            return dkim_key.private_key
+        return None
    
    def get_dkim_public_key_record(self, domain_name):
-        """Get DKIM public key DNS record for a domain."""
-        session = Session()
-        try:
-            domain = session.query(Domain).filter_by(domain_name=domain_name).first()
-            if not domain:
-                return None
-            
-            dkim_key = session.query(DKIMKey).filter_by(
-                domain_id=domain.id, 
-                is_active=True
-            ).first()
-            
-            if dkim_key:
-                # Extract public key from PEM format for DNS record
-                public_key_lines = dkim_key.public_key.strip().split('\n')
-                public_key_data = ''.join(public_key_lines[1:-1])  # Remove header/footer
-                
-                return {
-                    'name': f'{self.selector}._domainkey.{domain_name}',
-                    'type': 'TXT',
-                    'value': f'v=DKIM1; k=rsa; p={public_key_data}'
-                }
-            return None
-            
-        except Exception as e:
-            logger.error(f"Error getting DKIM public key record for {domain_name}: {e}")
-            return None
-        finally:
-            session.close()
+        """Get DKIM public key DNS record for a domain (active key only)."""
+        dkim_key = self.get_active_dkim_key(domain_name)
+        if dkim_key:
+            public_key_lines = dkim_key.public_key.strip().split('\n')
+            public_key_data = ''.join(public_key_lines[1:-1])  # Remove header/footer
+            return {
+                'name': f'{dkim_key.selector}._domainkey.{domain_name}',
+                'type': 'TXT',
+                'value': f'v=DKIM1; k=rsa; p={public_key_data}'
+            }
+        return None

    def sign_email(self, email_content, domain_name):
-        """Sign email content with DKIM."""
+        """Sign email content with DKIM. Only add one DKIM header, after all modifications."""
        try:
-            private_key = self.get_dkim_private_key(domain_name)
-            if not private_key:
+            dkim_key = self.get_active_dkim_key(domain_name)
+            if not dkim_key:
                logger.warning(f"No DKIM key found for domain: {domain_name}")
                return email_content
-            
+            private_key = dkim_key.private_key
+            selector = dkim_key.selector
            # Convert content to bytes if it's a string
            if isinstance(email_content, str):
                email_bytes = email_content.encode('utf-8')
            else:
                email_bytes = email_content
-            
-            # Sign the email
+            # Remove any existing DKIM-Signature header (robust multiline)
+            import re
+            email_bytes = re.sub(br'^DKIM-Signature:.*?(\r?\n[ \t].*?)*\r?\n', b'', email_bytes, flags=re.MULTILINE)
+            # Canonicalization: relaxed/relaxed, add more headers to h=
+            headers = [
+                b'from', b'to', b'subject', b'date', b'message-id',
+                b'mime-version', b'content-type', b'content-transfer-encoding'
+            ]
            signature = dkim.sign(
                email_bytes,
-                self.selector.encode('utf-8'),
+                selector.encode('utf-8'),
                domain_name.encode('utf-8'),
                private_key.encode('utf-8'),
-                include_headers=[b'from', b'to', b'subject', b'date', b'message-id']
+                include_headers=headers,
+                canonicalize=(b'relaxed', b'relaxed')
            )
-            
-            # Combine signature with original content
            signed_content = signature + email_bytes
-            
-            logger.debug(f"Successfully signed email for domain: {domain_name}")
-            
-            # Return as string if input was string
+            logger.debug(f"Successfully signed email for domain: {domain_name} selector: {selector}")
            if isinstance(email_content, str):
                return signed_content.decode('utf-8')
            else:
                return signed_content
-                
        except Exception as e:
            logger.error(f"Error signing email for domain {domain_name}: {e}")
            return email_content
--- a/email_server/smtp_handler.py
+++ b/email_server/smtp_handler.py
@@ -61,17 +61,16 @@ class CustomSMTPHandler:
            # Extract domain from sender for DKIM signing
            sender_domain = envelope.mail_from.split('@')[1] if '@' in envelope.mail_from else None
            
-            # Sign with DKIM if domain is configured
+            # Relay the email (all modifications done)
            signed_content = content
            dkim_signed = False
            if sender_domain:
+                # DKIM-sign the final version of the message
                signed_content = self.dkim_manager.sign_email(content, sender_domain)
-                # Check if signing was successful (content changed)
                dkim_signed = signed_content != content
                if dkim_signed:
                    logger.debug(f'Email {message_id} signed with DKIM for domain {sender_domain}')
            
-            # Relay the email
            success = self.email_relay.relay_email(
                envelope.mail_from, 
                envelope.rcpt_tos, 
--- a/tests/email_header_received.txt
+++ b/tests/email_header_received.txt
@@ -0,0 +1,64 @@
+Return-Path: <Georgio@freebede.com>
+Delivered-To: michal@freebede.com
+Received: from localhost (ip6-localhost [127.0.0.1])
+	by mail.freebede.com (Haraka/3.0.3) with ESMTP id C9334594-05C2-4C2F-9929-8BC2EDE64F7B.1
+	envelope-from <Georgio@freebede.com>;
+	Sat, 31 May 2025 17:16:15 +0100
+X-Sieve: Pigeonhole Sieve 2.4.1-4+debian12 (0a86619f)
+X-Sieve-Redirected-From: info@freebede.com
+Delivered-To: info@freebede.com
+Received-SPF: permerror (mail.freebede.com: permanent error in processing during lookup of Georgio@freebede.com: Unknown mechanism ipv4)
+ client-ip=217.154.124.184;
+X-Haraka-FCrDNS: pymta.freebede.com
+Received: from [217.154.124.184] (pymta.freebede.com [217.154.124.184])
+	by mail.freebede.com (Haraka/3.0.3) with ESMTPS id A7500626-F3FD-4765-AC22-B223F4EBE9AF.1
+	envelope-from <Georgio@freebede.com>
+	tls TLS_AES_256_GCM_SHA384;
+	Sat, 31 May 2025 17:16:14 +0100
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=freebede.com;
+ i=@freebede.com; q=dns/txt; s=default; t=1748708170; h=from : to :
+ subject : date : message-id;
+ bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=;
+ b=k7YkS92hHtDtkiQMwQMVydweX+aeBTkrUXwcZNDkWcId1bItfSvK2sWhRorOOvt08z/+m
+ zButdzQ3Ia/1XPXFf9Ehkb3Jl5IRFnmrI2wgzN5jsJ5SY70zyrd6XVzWr64BbGDDhpnI+D/
+ KXveMWeiJ66Ea++eEM8YG58StFGsMcVEyeiEL5WFaasPCsEPDaVTOWU+ietvpQg777tNDB2
+ hAuJGCnGFngbqeV+6R1jiJM+TZX4KRp8HLPCkX0S52GRTcpNbI8diDY9pDizndasKZNvEEj
+ /YYX+P/vL+4wdUqjx2ALDjG0Z1G/381Rbkn3gWOCRzFpTq/v4ekRwwJAu5fA==
+Date: Sat, 31 May 2025 17:16:09 +0100
+To: info@freebede.com
+From: Georgio@freebede.com
+Subject: TLS - Large body email
+Message-Id: <20250531171609.046279@Supanone-PC>
+X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_46279"
+X-Haraka-Karma: score: 4, good: 4, bad: 3, connections: 7, history: 1, asn_score: -77, asn_connections: 85, asn_good: 4, asn_bad: 81, awards: 132,281, fail:asn:history, rcpt_to
+X-p0f-Result: os="Linux 2.2.x-3.x" link_type="Ethernet or modem" distance=10 total_conn=8
+X-Rspamd-Bar: ++
+X-Rspamd-Report: DMARC_POLICY_ALLOW(-0.5) HFILTER_HELO_BAREIP(3) MID_RHS_NOT_FQDN(0.5) MIME_GOOD(-0.1) R_DKIM_ALLOW(-0.2) ONCE_RECEIVED(0.2) R_SPF_ALLOW(-0.2)
+X-Rspamd-Score: 2.699999
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebede.com;
+ h=Content-Type: MIME-Version: Message-Id: Subject: From: To: Date;
+ q=dns/txt; s=s20240310133; t=1748708175;
+ bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=;
+ b=I3qbjEWaV0amKMevlVUWA3tnoDLaZZCa5HX5YyFOwiFBpjhB2anvXnyE4U8864ER2bqN9VnRw
+ Gu5Ni4YjvNg4HVUABLTHNeTtEe7cik9N26mqjD2Xc6TUluzYtYjEpDGvxI6pfdRTAjFOE1KI0DT
+ OKqNppgzbGyChWFRZdd2PSe2d84OnLj9KXTtmwqNXFGz10EKvXsEQ+v/tX+JOkfE6HW/nAGmHrj
+ ZyZRMhzKPjm4SZHMy/T3MBGNeBwJHx8dg+9hNPKMvNMKFZp+ZzSbEKyD5bBBwWxVjxUlso0ZZZW
+ TzoOAVCqFJxLr4dK6qcpJJ9mjE/0mguJMdZ2J/ia0vBA==
+Original-Authentication-Results: mail.freebede.com;
+	iprev=pass;
+	spf=permerror (mail.freebede.com: permanent error in processing during lookup of Georgio@freebede.com: Unknown mechanism ipv4) smtp.mailfrom=Georgio@freebede.com smtp.helo="[217.154.124.184]";
+	dkim=pass header.i=@freebede.com header.s=default header.a=rsa-sha256 header.b=k7YkS92h;
+	dmarc=pass (p=REJECT arc=none) header.from=freebede.com header.d=freebede.com
+X-Haraka-GeoIP-Received: 217.154.124.184:DE,217.154.124.184:DE
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebede.com;
+ h=Content-Type: MIME-Version: Message-Id: Subject: From: To: Date;
+ q=dns/txt; s=s20240310133; t=1748708175;
+ bh=d7U3WnzgqTDLdPM2GSrSAqnZP37FNND4SjOTtcrPPa8=;
+ b=I3qbjEWaV0amKMevlVUWA3tnoDLaZZCa5HX5YyFOwiFBpjhB2anvXnyE4U8864ER2bqN9VnRw
+ Gu5Ni4YjvNg4HVUABLTHNeTtEe7cik9N26mqjD2Xc6TUluzYtYjEpDGvxI6pfdRTAjFOE1KI0DT
+ OKqNppgzbGyChWFRZdd2PSe2d84OnLj9KXTtmwqNXFGz10EKvXsEQ+v/tX+JOkfE6HW/nAGmHrj
+ ZyZRMhzKPjm4SZHMy/T3MBGNeBwJHx8dg+9hNPKMvNMKFZp+ZzSbEKyD5bBBwWxVjxUlso0ZZZW
+ TzoOAVCqFJxLr4dK6qcpJJ9mjE/0mguJMdZ2J/ia0vBA==
+