Up to [cvs.NetBSD.org] / pkgsrc / mail / dkim-milter
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
mail/dkim-milter: Remove as ancient and abandoned by upstream Use opendkim instead. As proposed on pkgsrc-users (with direct email to MAINTAINER) on 9 January, with no objections or comments.
mail: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes The following distfiles were unfetchable (possibly fetched conditionally?): ./mail/qmail/distinfo netqmail-1.05-TAI-leapsecs.patch
mail: Remove SHA1 hashes for distfiles
Add SHA512 digests for distfiles for mail category Problems found locating distfiles: Package mutt: missing distfile patch-1.5.24.rr.compressed.gz Package p5-Email-Valid: missing distfile Email-Valid-1.198.tar.gz Package pine: missing distfile fancy.patch.gz Package postgrey: missing distfile targrey-0.31-postgrey-1.34.patch Package qmail: missing distfile badrcptto.patch Package qmail: missing distfile outgoingip.patch Package qmail: missing distfile qmail-1.03-realrcptto-2006.12.10.patch Package qmail: missing distfile qmail-smtpd-viruscan-1.3.patch Package thunderbird24: missing distfile enigmail-1.7.2.tar.gz Package thunderbird31: missing distfile enigmail-1.7.2.tar.gz Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
- Add vbr option (FFR). See http://en.wikipedia.org/wiki/Vouch_by_Reference
2.8.3 2009/05/31 Close the configuration file after reading it, plugging a descriptor leak. Release memory associated with old configuration nodes (i.e. strings) as well as the nodes themselves. Connect the configuration handle to its allocated data so cleanup can actually be thorough. Fix an error message reported inside _FFR_REPLACE_RULES. Plug a memory leak in mlfi_header() tripped when errors occur. Since ADSP has not yet been registered by IANA, adjust its method label in Authentication-Results accordingly. Include selector, domain and other text if possible when logging key retrieval failures. Add _FFR_SENDER_HEADERS, allowing user control over which header fields are used to make the sign/verify decision and perform key selection. LIBDKIM: Initialize canon_lastchar in dkim_add_canon(). LIBDKIM: Clean up any compiled regular expressions in dkim_close(). LIBDKIM: Fix some type-related compiler warnings.
Update to dkim-milter 2.8.2, contributed from Fredrik Pettai <pettai@nordu.net> 2.8.2 2009/02/17 Request a signature with an "i=" tag if signing for subdomains and a keylist entry matches. Previously this only occurred when using an explicit domain list. Problem noted by S. Moonesamy of Eland Systems. Fixes in and around dkim_socket_cleanup(). Problem noted by S. Moonesamy of Eland Systems. LIBDKIM: When logging a d2i_PUBKEY_bio() or EVP_PKEY_get1_RSA() failure, also log the selector and domain involved so manual diagnostics are possible. LIBDKIM/LIBAR: Feature request #SF2380508: Add new test for WITHOUT_LIBSM which removes references to libsm's sm_strl*() functions, so that libdkim and libar can stand on their own on systems which provide the strl*() functions. Requested by Frederik Pettai. LIBDKIM: Report DKIM_STAT_NOSIG if the caller commands that all signatures should be ignored. LIBDKIM: Plug a memory leak caused when responding to a malloc() failure. LIBDKIM: New signature error code DKIM_SIGERROR_KEYDECODE, used if d2i_PUBKEY_BIO() or EVP_PKEY_get1_RSA fails in dkim_sig_process(). LIBAR: Make reference to the "_res" structure more thread-safe. BUILD: Make use of conf_dkim_filter_ENVDEF since site.config.m4.dist refers to it. Problem noted by S. Moonesamy of Eland Systems.
Update to 2.8.1 2.8.1 2009/01/16 LIBDKIM: Fix bug #SF2508602: Add a translation string for DKIM_SIGERROR_KEYREVOKED and fix dkim_eom_verify() so it returns DKIM_STAT_REVOKED when appropriate. Problem noted by Mike Markley of Bank of America. 2.8.0 2009/01/08 Add configuration option "EnableCoredumps" which makes an explicit kernel request for cores on crashes. Currently only meaningful on Linux. Add configuration option "AuthServID" which sets the "authserv-id" token to use when generating Authentication-Results header fields. Report "fail" instead of "hardfail" on authentication failures, in compliance with the Authentication-Results: draft. Add _FFR_REPORT_INTERVALS, experimental support for the "ri" tag extension to DKIM policy and key records for specifying reporting intervals. Feature request #SF1985886: Add _FFR_MULTIPLE_SIGNATURES, allowing one instance of the filter to add multiple signatures. Suggested by Dave Crocker. Add "TemporaryDirectory" configuration file option for requesting that libdkim use an alternate directory for creating temporary files, and "KeepTemporaryFiles" for requesting that libdkim not delete those files for debugging purposes. Add optional support for the "unbound" asynchronous resolver library as it is DNSSEC-aware. Adds four new configuration file items: "BogusKey", "BogusPolicy", "InsecureKey" and "InsecurePolicy". Also add dkim_sig_getdnssec() and dkim_policy_getdnssec() to libdkim so callers can tell what the DNSSEC evaluation result was for each query. Based on a patch from John Dickinson. Add "BaseDirectory" configuration file option for specifying the desired current directory of the process. Make use of the key and policy "rs" tag, if present, when doing SMTP rejections. Use MTA macro "$j" as the hostname in generated reports instead of the output of gethostname() since on some systems the latter may not be fully-qualified. Remove ANTICIPATE_SENDMAIL_MUNGE, replacing it with a runtime check for the milter v2 feature which suppresses the addition of spaces in headers. Add _FFR_COMMAIZE which attempts to predict the reformatting the MTA will do to certain header fields to reduce verification failures. Add _FFR_DKIM_REPUTATION enabling a function used to query an open DKIM reputation service regarding the signing user and signing domain. The service's URL is http://www.dkim-reputation.org. (EXPERIMENTAL) Fix preloading of configuration defaults. Fix bug #SF2236040: Quote all of the POSIX regular expression special characters, not just some of them. Reported by Mark Martinec. When possible, log the selector and domain of the signature evaluated along with any errors in the libcrypto stack. LIBDKIM: Add "smtpbuf", "smtplen" and "interval" parameters to dkim_sig_getreportinfo() and dkim_policy_getreportinfo(). Also, remove the assertion that "addr" be non-NULL. LIBDKIM: Add DKIM_LIBFLAGS_ACCEPTDK which enables compatibility with DomainKeys-formatted key records. LIBDKIM: Adjust signature formatting for legibility. LIBDKIM: Check return status from dkim_canon_getfinal() to avoid bad dereferences. Problem noted by Chris Behrens of Concentric Network Corporation. LIBDKIM: Render the DKIM handle unusable in dkim_eoh_sign() if a required header was absent. Activate _FFR_REQUIRED_HEADERS. 2.7.2 2008/09/02 Avoid memory leaks and infinite loops when releasing thread-specific memory. Reported by Jeff Earickson. 2.7.1 2008/08/27 Set up required callbacks for OpenSSL thread-safety. Problem noted by Zbigniew Szalbot. Disallow empty "t=" and "x=" tags. Return DKIM_STAT_KEYFAIL for various DNS key retrieval failures instead of DKIM_STAT_INTERNAL. 2.7.0 2008/07/23 Update to draft-ietf-dkim-ssp-04. In doing so, rename "ASPDiscard" to "ADSPDiscard", "ASPNoSuchDomain" to "ADSPNoSuchDomain" and "SendASPReports" to "SendADSPReports" in the configuration file. Feature request #29738: Add "TrustSignaturesFrom" configuration file item allowing fine-grained control over third-party signature handling. Feature request #SF2018848: Add "LocalADSP" feature allowing policy assertions from domains known to have specific policies but which don't publish ADSP records. Suggested by Bruno Kraychete da Costa. LIBDKIM: Fix an off-by-one overrun check in key and policy record decoding. Problem noted by John Dickinson. 2.6.0 2008/06/11 Remove "signaturemissing" as an old-style configuration action as it has been superseded by "ASPDiscard" and related functions. Add "SendASPReports" configuration option which generates ASP failure reports if requested by the sending domain. Update report generation for verification failures to use the new Abuse Reporting Format (ARF) and DKIM Reporting draft proposals. Add "MustBeSigned" configuration option, requiring signatures to cover specific headers if present. Rename "UseASPDiscard" to "ASPDiscard". Add "ASPNoSuchDomain" configuration option which rejects mail that appears to come from nonexistent domains as reported by the Author Signing Practises check. Add "ReportAddress" configuration option, used for defining the From: header of reports mailed out. Yet another compatibility fix with respect to Sleepycat DB. Fix processing of "LogWhy" configuration parameter. Problem noted by Erik Lotspeich. Add "-n" command line flag which parses the command line arguments and configuration file(s), then exits with an appropriate status code. Report DKIM and ASP results separately via the same Authentication-Results header field. Previous versions would alter the DKIM result based on ASP. Fix bug #SF1976931: Restore function of "nosignature" old-style action configuration, connected to "AlwaysAddARHeader". Problem noted by Lucas Brasilino. Feature request #SF1940233: Add "DontSignMailTo" configuration option, allowing a list of recipient patterns whose mail should not be signed. Requested by Don Hughes. LIBDKIM: Rename dkim_reportinfo() to dkim_sig_getreportinfo(), and add dkim_policy_getreportinfo(). LIBDKIM: Add several more signature error codes covering various key-related errors. LIBDKIM: Add dkim_sig_hdrsigned() utility, DKIM_OPTS_MUSTBESIGNED option, and DKIM_SIGERROR_MBSFAILED error code. LIBDKIM: Fix a bug in the computation of the result for dkim_canon_minbody(). LIBDKIM: Report corrupted base64 chunks instead of quietly tolerating them. LIBDKIM: Tidy up the cleanup code in dkim-canon.c. LIBDKIM: Properly handle "tag=" at the end of a data set (i.e. the tag exists and has an empty value). LIBDKIM: Use larger unsigned data types in dkim_sig_future() as was done elsewhere. LIBDKIM: Always populate a DKIM_SIGINFO with domain and selector before there's an opportunity for other parsing short-circuits. LIBDKIM: Fix bug #SF1984685: Remove the "margin" parameter from dkim_getsighdr(); make it controlled by a new function, dkim_set_margin(), so that the signed copy and the user-requested copy are identical. Activate _FFR_AUTHSERV_JOBID. 2.5.5 2008/04/25 Fix bug #SF1947301: Close up a logic problem in "UseASPDiscard" handling which could cause false rejections of mail from domains advertising "discardable" policies. Problem noted by Doug Kingston. LIBDKIM: Another compatibility fix with respect to Sleepycat DB.
Update to 2.5.4 - Add dkim-stats option to install dkim-stats(8) FFR - Only install dkim-stats(8) man page if dkim-stats option has been specified 2.5.4 2008/04/17 * Skip signatures with errors in dkimf_authorsigok(). * Avoid a NULL dereference in dkimf_config_reload() when starting without a configuration file. * Fix an alignment problem in dkimf_checkip(). Problem reported by Jeff A. Earickson. * LIBDKIM: Fix bug #SF1942387: Per RFC4871, disallow "l=" values that exceed the size of the canonicalized message body. 2.5.3 2008/04/14 * Add "AllowSHA1Only" configuration option which permits operation of verifiers that only know about SHA1. Without this, a filter compiled with only SHA1 support will refuse to start in verifier mode. * Add "LogWhy" configuration parameter and "-W" command line flag to request detailed logging about why a message was not signed by the filter. Intended for debugging; not intended for normal operation. * Another tweak to parameters passed to db->open(). Based on patches from Jukka Salmi and S. Moonesamy. * Fixes in ares_parse() to match the current syntax. In particular, deal with the fact that some of our tokens can legally appear in e-mail addresses. Problem noted by S. Moonesamy of Eland Systems. * LIBDKIM: Evaluate key granularity against the "i=" value rather than the value of the From: header per RFC4871. Problem noted by Jason Long. * LIBDKIM: Remove the chartable stuff from dkim-tables.c as it is not used anywhere. * LIBDKIM: Fix bug #SF1940302: Perform stronger validation of the value of the "h=" tag.
2.5.1 2008/03/20 Update for draft-kucherawy-sender-auth-header-14. Add "subject" to "should_signhdrs" per RFC4871 section 5.5. Fix bug #SF1911328: Restore proper behaviour of SignHeaders and OmitHeaders, broken in the prior release's configuration overhaul. Problem reported by Jason Molzen. Fix bug #SF1912332: Fix parameters passed to db->open(). Problem reported by Tony Earnshaw. Fix bug #SF1912569: Initialize mutexes before entering test mode. Patch from Kaspar Brand. LIBDKIM: More boundary checking fixes in dkim_canon_selecthdrs(). Problem noted by Warren Horvath. LIBDKIM: Fix bug #SF1820084: Return DKIM_STAT_MULTIDNSREPLY if a DNS query returns multiple records. 2.5.2 2008/03/28 Preserve the sender's domain name outside of mlfi_eoh() as it's now needed in mlfi_eom(). Problem noted by Andy Fiddaman. Fix bug #SF1921873: Pass "-K" command line switch into the new configuration handling code. Problem noted by Al Smith. TOOLS: Fix flags portion of the TXT record output by dkim-genkey. Problem noted by Michael Carland. BUILD: Fix bug #SF1922422: Fix linker problems when POPAUTH is defined.
Update to 2.5.0 Add "AutoRestartCount" and "AutoRestartRate" configuration parameters to limit runaway restart loops. Feature request #SF1735573: Add "AlwaysAddARHeader" option, which will add an Authentication-Results of "none" for unsigned messages from domains without a "strict" policy. Feature request #SF1807748: Reload the configuration file on receipt of SIGUSR1. Requested by Florian Sager. Feature request #SF1811969: Add _FFR_BODYLENGTH_DB which adds a "BodyLengthDBFile" feature, allowing a per-recipient decision on whether or not to use an "l=" tag when signing. Patch contributed by Daniel Black. Feature request #SF1841955: Add an "Include" facility to the configuration file. Feature request #SF1876941: Make the syslog facility selectable. Based on a patch from Jose-Marcio Martins da Cruz of Ecole des Mines de Paris. Feature request #SF1876943: Add _FFR_AUTHSERV_JOBID allowing the job ID to be included as part of the "authserv-id" in Authentication-Results: headers. Based on a patch from Jose-Marcio Martins da Cruz of Ecole des Mines de Paris. Feature request #SF1890581: Attempt to clean up a UNIX domain socket in the non-AutoRestart case as well. Requested by Daniel Black. Add "MilterDebug" configuration file option for requesting debugging output from the filter. Add "FixCRLF" configuration file option which activates the DKIM_LIBFLAGS_FIXCRLF flag (see below). Update to draft-ietf-dkim-ssp-03. In doing so, rename the "UseSSPDeny" configuration option to "UseASPDiscard". Handle an error from dkim_getsighdr() properly in mlfi_eom(). When VERIFY_DOMAINKEYS is active, don't short-circuit mlfi_eoh() between dk_verify() and dk_eoh() or a segmentation fault below dk_body() could result. LIBDKIM: Feature request #SF1823059: Export key, signature and policy syntax checking capability via the API. Based on a patch from Chris Behrens of Concentric Network Corporation. LIBDKIM: Assert defaults for "c" and "q" tags when parsing signature headers. Patch from Chris Behrens of Concentric Network Corporation. LIBDKIM: Better handling of truncated DNS replies; instead of just giving up if the "tc" (truncated) bit is set in the reply, see if there was enough of a reply returned to be able to complete the request. LIBDKIM: Fix recycling bug in header canonicalizations which was causing signatures other than the first one to fail in most cases. LIBDKIM: Add new dkim_chunk() interface. LIBDKIM: Enforce DKIM_OPTS_QUERYMETHOD library option even if there were no valid signatures. LIBDKIM: New DKIM_LIBFLAGS_FIXCRLF which requests that "naked" CRs and LFs be converted to CRLFs during canonicalization when signing. LIBDKIM: Fix bounds checking in dkim_canon_selecthdrs(). LIBAR: Eliminate a possible race condition in ar_dispatcher(). LIBAR: Timeouts passed to select() can't be bigger than 10^8. Problem noted by S. Moonesamy of Eland Systems. BUILD: Feature request #SF1876242: Install the filter in EBINDIR and everything else in UBINDIR.
Pull in improvements from wip (packaged by j+pkgsrc (at) salmi.ch): * Install documentation for the library * Install a static version of the dkim library * Move to external options.mk * Add support for ar(3) and debug
Update to 2.4.4 * LIBDKIM: Fix bug #SF1867839: 64-bit portability in rfc2822.c. Patch from Geoff Adams. * Update for latest Authentication-Results: header draft. * Take advantage of some more features that were introduced with milter v2 in sendmail 8.14.0: * Report "hardfail" instead of "fail" on authentication failures, in compliance with the Authentication-Results: draft. * Fix use of "UseSSPDeny" to include handling of unsigned messages. * Replace "gentxt.csh" with more robust "dkim-genkey" utility. And *lots* more (the package in pkgsrc was 2 years+ old) See RELEASE_NOTES for all the details
Use FreeBSD config for DragonFly and teach the host include header about it.
Import dkim-milter from pkgsrc. Packaged by iMil. dkim-milter consists of two parts: A milter-based application (dkim-filter) which plugs in to Sendmail to provide DomainKeys Identified Mail service, and a library (libdkim) which can be used to build DKIM-compliant applications or MTAs.
Initial revision