dkim: Implement minimal DKIM verfication

See emersion/go-msgauth#10
for improvements that *should be* made to this initial implementation.

Author: foxcpp

check/action.go

@@ -13,7 +13,7 @@ type FailAction struct {
 	ScoreAdjust int
 }
 
-func failActionDirective(m *config.Map, node *config.Node) (interface{}, error) {
+func FailActionDirective(m *config.Map, node *config.Node) (interface{}, error) {
 	if len(node.Args) == 0 {
 		return nil, m.MatchErr("expected at least 1 argument")
 	}

check/dkim/dkim.go

@@ -0,0 +1,154 @@
+package dkim
+
+import (
+	"bytes"
+	"context"
+	"io"
+
+	"github.com/emersion/go-message/textproto"
+	"github.com/emersion/go-msgauth/authres"
+	"github.com/emersion/go-msgauth/dkim"
+	"github.com/emersion/go-smtp"
+	"github.com/foxcpp/maddy/buffer"
+	"github.com/foxcpp/maddy/check"
+	"github.com/foxcpp/maddy/config"
+	"github.com/foxcpp/maddy/log"
+	"github.com/foxcpp/maddy/module"
+	"github.com/foxcpp/maddy/target"
+)
+
+type Check struct {
+	instName string
+	log      log.Logger
+
+	brokenSigAction check.FailAction
+	noSigAction     check.FailAction
+}
+
+func New(_, instName string, _ []string) (module.Module, error) {
+	return &Check{
+		instName: instName,
+		log:      log.Logger{Name: "verify_dkim"},
+	}, nil
+}
+
+func (c *Check) Init(cfg *config.Map) error {
+	cfg.Bool("debug", true, false, &c.log.Debug)
+	cfg.Custom("broken_sig_action", false, false,
+		func() (interface{}, error) {
+			return check.FailAction{}, nil
+		}, check.FailActionDirective, &c.brokenSigAction)
+	cfg.Custom("no_sig_action", false, false,
+		func() (interface{}, error) {
+			return check.FailAction{}, nil
+		}, check.FailActionDirective, &c.noSigAction)
+	_, err := cfg.Process()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *Check) Name() string {
+	return "verify_dkim"
+}
+
+func (c *Check) InstanceName() string {
+	return c.instName
+}
+
+type dkimCheckState struct {
+	c       *Check
+	msgMeta *module.MsgMetadata
+	log     log.Logger
+}
+
+func (d dkimCheckState) CheckConnection(ctx context.Context) module.CheckResult {
+	return module.CheckResult{}
+}
+
+func (d dkimCheckState) CheckSender(ctx context.Context, mailFrom string) module.CheckResult {
+	return module.CheckResult{}
+}
+
+func (d dkimCheckState) CheckRcpt(ctx context.Context, rcptTo string) module.CheckResult {
+	return module.CheckResult{}
+}
+
+func (d dkimCheckState) CheckBody(ctx context.Context, header textproto.Header, body buffer.Buffer) module.CheckResult {
+	if !header.Has("DKIM-Signature") {
+		return d.c.noSigAction.Apply(module.CheckResult{
+			RejectErr: &smtp.SMTPError{
+				Code:         550,
+				EnhancedCode: smtp.EnhancedCode{5, 7, 20},
+				Message:      "No DKIM signatures present",
+			},
+			AuthResult: []authres.Result{
+				&authres.DKIMResult{
+					Value: authres.ResultNone,
+				},
+			},
+		})
+	}
+
+	// TODO: Optimize that so we can avoid serializing header once more.
+	// https://github.com/emersion/go-msgauth/issues/10.
+	b := bytes.Buffer{}
+	textproto.WriteHeader(&b, header)
+	bodyRdr, err := body.Open()
+	if err != nil {
+		return module.CheckResult{RejectErr: err}
+	}
+
+	verifications, err := dkim.Verify(io.MultiReader(&b, bodyRdr))
+	if err != nil {
+		return module.CheckResult{RejectErr: err}
+	}
+
+	brokenSigs := false
+
+	res := module.CheckResult{AuthResult: make([]authres.Result, 0, len(verifications))}
+	for _, verif := range verifications {
+		var val authres.ResultValue
+		if verif.Err == nil {
+			val = authres.ResultPass
+		} else {
+			if dkim.IsPermFail(err) {
+				brokenSigs = true
+			}
+			val = authres.ResultFail
+		}
+
+		res.AuthResult = append(res.AuthResult, &authres.DKIMResult{
+			Value:      val,
+			Domain:     verif.Domain,
+			Identifier: verif.Identifier,
+		})
+	}
+
+	if brokenSigs {
+		d.log.Println("broken signatures present")
+		return d.c.brokenSigAction.Apply(res)
+	}
+	return res
+}
+
+func (d dkimCheckState) Close() error {
+	return nil
+}
+
+func (c *Check) CheckStateForMsg(msgMeta *module.MsgMetadata) (module.CheckState, error) {
+	return dkimCheckState{
+		c:       c,
+		msgMeta: msgMeta,
+		log:     target.DeliveryLogger(c.log, msgMeta),
+	}, nil
+}
+
+func init() {
+	module.Register("verify_dkim", New)
+	module.RegisterInstance(&Check{
+		instName: "verify_dkim",
+		log:      log.Logger{Name: "verify_dkim"},
+	}, &config.Map{Block: &config.Node{}})
+}

check/dkim/msgauth.go

@@ -130,7 +130,7 @@ func (c *statelessCheck) Init(cfg *config.Map) error {
 	cfg.Custom("fail_action", false, false,
 		func() (interface{}, error) {
 			return c.defaultFailAction, nil
-		}, failActionDirective, &c.failAction)
+		}, FailActionDirective, &c.failAction)
 	_, err := cfg.Process()
 	return err
 }

check/stateless_check.go

@@ -29,6 +29,9 @@ smtp smtp://0.0.0.0:25 {
 
         # Verify that domain in MAIL FROM does have a MX record.
         require_mx_record
+
+        # Verify DKIM signatures in incoming messages.
+        verify_dkim
     }
 
     # All messages for the recipients at example.org should be

maddy.conf

@@ -1048,6 +1048,41 @@ Check that domain in MAIL FROM command does have a MX record.
 Check that source server IP does have a PTR record point to the domain
 specified in EHLO/HELO command.
 
+# VERIFY_DKIM MODULE
+
+This is the check module that performs verification of the DKIM signatures
+present on the incoming messages.
+
+It got an implicit configuration block defined like CHECK MODULES above.
+
+
+```
+check {
+    ...
+    verify_dkim
+}
+```
+
+Valid directives:
+
+## debug [yes/no]
+
+Toggle debug logging only for this module.
+
+## no_sig_action ...
+
+Action to take when message without any signature is received.
+Default is 'ignore', as recommended by RFC 6376.
+
+Valid arguments are same as for CHECK MODULES above.
+
+## broken_sig_action ...
+
+Action to take when message with invalid signature is received.
+Default is 'ignore', as recommended by RFC 6376.
+
+Valid arguments are same as for CHECK MODULES above.
+
 # DUMMY MODULE
 
 No-op module. It doesn't need to be configured explicitly and can be referenced

maddy.conf.5.scd

@@ -15,6 +15,7 @@ import (
 	_ "github.com/foxcpp/maddy/auth/external"
 	_ "github.com/foxcpp/maddy/auth/pam"
 	_ "github.com/foxcpp/maddy/auth/shadow"
+	_ "github.com/foxcpp/maddy/check/dkim"
 	_ "github.com/foxcpp/maddy/check/dns"
 	_ "github.com/foxcpp/maddy/endpoint/imap"
 	_ "github.com/foxcpp/maddy/endpoint/smtp"