From 552aba766183808ffb6b3da939449808d6f0ea44 Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 14:57:40 -0400
Subject: [PATCH 1/9] add CheckSigningTable config option
When CheckSigningTable is set to no, the keys in KeyTable are no longer verified when config is loaded. This helps with large databases. This commit only adds support for USE_ODBX.
---
 opendkim/opendkim-config.h | 3 +++
 opendkim/opendkim.c | 16 ++++++++++++++++
 opendkim/opendkim.conf.5.in | 5 +++++
 opendkim/opendkim.conf.sample | 9 +++++++++
 4 files changed, 33 insertions(+)
diff --git a/opendkim/opendkim-config.h b/opendkim/opendkim-config.h
index 5caa8b36..6501ddd2 100644
--- a/opendkim/opendkim-config.h
+++ b/opendkim/opendkim-config.h
@@ -44,6 +44,9 @@ struct configdef dkimf_config[] =
 { "Canonicalization", CONFIG_TYPE_STRING, FALSE },
 { "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE },
 { "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE },
+#ifdef USE_ODBX
+ { "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE },
+#endif /* USE_ODBX*/
 { "ClockDrift", CONFIG_TYPE_INTEGER, FALSE },
 #ifdef _FFR_CONDITIONAL
 { "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE },
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index 803f37b0..5fbc0662 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -254,6 +254,9 @@ struct dkimf_config
 #ifdef USE_LDAP
 _Bool conf_ldap_usetls; /* LDAP TLS */
 #endif /* USE_LDAP */
+#ifdef USE_ODBX
+ _Bool conf_checksigningtable; /* skip checking keys on startup */
+#endif /* USE_ODBX */
 #ifdef _FFR_VBR
 _Bool conf_vbr_purge; /* purge X-VBR-* fields */
 _Bool conf_vbr_trustedonly; /* trusted certifiers only */
@@ -5882,6 +5885,9 @@ dkimf_config_new(void)
 new->conf_atpshash = dkimf_atpshash[0].str;
 #endif /* _FFR_ATPS */
 new->conf_selectcanonhdr = SELECTCANONHDR;
+#ifdef USE_ODBX
+ new->conf_checksigningtable = TRUE;
+#endif /* USE_ODBX */
 
 memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);
 
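Review bot: The comment on the new `conf_checksigningtable` member in the struct dkimf_config hunk, `/* skip checking keys on startup */`, has the opposite polarity from the value it describes: dkimf_config_new() in the next hunk initialises the field to TRUE, and the guard added to dkimf_config_load() walks the SigningTable only when the field is set, so TRUE means the check runs rather than being skipped. Suggest `/* verify SigningTable keys at startup */`. The same comment is carried over verbatim when patch 5/9 moves the member out of the USE_ODBX block, so it should be corrected there as well. struct dkimf_config continues outside the hunk.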
@@ -6199,6 +6205,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 sizeof conf->conf_softstart);
 #endif /* (USE_LDAP || USE_ODBX) */
 
+#ifdef USE_ODBX
+ (void) config_get(data, "CheckSigningTable",
+ &conf->conf_checksigningtable,
+ sizeof conf->conf_checksigningtable);
+#endif /* USE_ODBX */
+
 (void) config_get(data, "DNSConnect",
 &conf->conf_dnsconnect,
 sizeof conf->conf_dnsconnect);
@@ -8323,7 +8335,11 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 ** missing KeyTable entries.
 */
 
+#ifdef USE_ODBX
+ if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable == TRUE)
+#else /* USE_ODBX */
 if (conf->conf_signtabledb != NULL)
+#endif /* USE_ODBX */
 {
 _Bool first = TRUE;
 _Bool found;
diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in
index 21da18f5..6277bd3f 100644
--- a/opendkim/opendkim.conf.5.in
+++ b/opendkim/opendkim.conf.5.in
@@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if
 .I UserID
 is not also set.
+.TP
+.I CheckSigningTable (Boolean)
+If set to yes, it walks the database on boot when it loads the config
+file to check for missing keys in KeyTable. The default is yes.
+
 .TP
 .I ClockDrift (integer)
 Sets the tolerance in seconds to be applied when determining whether a
diff --git a/opendkim/opendkim.conf.sample b/opendkim/opendkim.conf.sample
index fa3559a3..2609aa28 100644
--- a/opendkim/opendkim.conf.sample
+++ b/opendkim/opendkim.conf.sample
@@ -129,6 +129,15 @@
 
 # Canonicalization simple/simple
 
+## CheckSigningTable { yes | no }
+## default "yes"
+##
+## If set, the database tables will be checked for missing keys in
+## keytable when loading config. This can take a longer time with
+## larger databases. Requires opendbx.
+
+# CheckSigningTable yes
+
 ## ClockDrift n
 ## default 300
 ##
From cd0a7f42b01bd5cdcf5d22ca60775340571f243a Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 15:58:03 -0400
Subject: [PATCH 2/9] conf_checksigningtable changed ==TRUE with !=FALSE when comparing if (conf->conf_checksigningtable == TRUE) and CheckSigningTable no in the config, no acts as TRUE. Therefore, it is better to use != FALSE.
---
 opendkim/opendkim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index 5fbc0662..11ad0096 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -8336,7 +8336,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 */
 
 #ifdef USE_ODBX
- if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable == TRUE)
+ if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE)
 #else /* USE_ODBX */
 if (conf->conf_signtabledb != NULL)
 #endif /* USE_ODBX */
From 906a8b48453b1e1367e56c84ac3d5e008080c823 Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 16:27:15 -0400
Subject: [PATCH 3/9] CheckSigningTable improve documentation
As advised by futatuki, specify SigningTable instead of the "database" in the description.
---
 opendkim/opendkim.conf.5.in | 2 +-
 opendkim/opendkim.conf.sample | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in
index 6277bd3f..246e618c 100644
--- a/opendkim/opendkim.conf.5.in
+++ b/opendkim/opendkim.conf.5.in
@@ -181,7 +181,7 @@ is not also set.
 .TP
 .I CheckSigningTable (Boolean)
-If set to yes, it walks the database on boot when it loads the config
+If set to yes, it walks the SigningTable on boot when it loads the config
 file to check for missing keys in KeyTable. The default is yes.
 
 .TP
diff --git a/opendkim/opendkim.conf.sample b/opendkim/opendkim.conf.sample
index 2609aa28..5283528f 100644
--- a/opendkim/opendkim.conf.sample
+++ b/opendkim/opendkim.conf.sample
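Review bot: Rewriting `== TRUE` as `!= FALSE` in the dkimf_config_load() guard only changes the outcome when `conf_checksigningtable` holds a value that is neither 0 nor 1, which a `_Bool` cannot legitimately hold, so the behaviour the commit message describes points at how the value is stored rather than at the comparison. The `config_get(data, "CheckSigningTable", ...)` call from patch 1/9 passes `sizeof conf->conf_checksigningtable` (one byte) for the destination; if config_get() keeps CONFIG_TYPE_BOOLEAN values in a wider integer, the field presumably receives a partial copy, and that should be confirmed against config_get() before relying on this rewrite, since every other `_Bool` option read the same way would be affected. A short comment such as `/* not == TRUE: config_get() may store a non-0/1 value here */` would at least record why the comparison is written this way. dkimf_config_load() continues outside the hunk.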
@@ -132,8 +132,8 @@
 ## CheckSigningTable { yes | no }
 ## default "yes"
 ##
-## If set, the database tables will be checked for missing keys in
-## keytable when loading config. This can take a longer time with
+## If set, the SigningTable will be checked for missing keys in
+## KeyTable when loading the config. This can take a longer time with
 ## larger databases. Requires opendbx.
 
 # CheckSigningTable yes
From 898f6ec9410b1dd5cd4f192d86cce3a8891c21dc Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 18:56:15 -0400
Subject: [PATCH 4/9] CheckSigningTable option as -C argument
Allow the use of -C to disable CheckSigningTable (or set to no).
---
 opendkim/opendkim.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index 11ad0096..d7f822eb 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -137,7 +137,7 @@
 #endif /* _FFR_REPUTATION */
 
 /* macros */
-#define CMDLINEOPTS "Ab:c:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
+#define CMDLINEOPTS "Ab:Cc:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
 
 #ifndef MIN
 # define MIN(x,y) ((x) < (y) ? (x) : (y))
@@ -15480,6 +15480,7 @@ usage(void)
 "\t-A \tauto-restart\n"
 "\t-b modes \tselect operating modes\n"
 "\t-c canon \tcanonicalization to use when signing\n"
+ "\t-C \tdo not walk SigningTable when loading config\n"
 "\t-d domlist \tdomains to sign\n"
 "\t-D \talso sign subdomains\n"
 "\t-e name \textract configuration value and exit\n"
@@ -15612,6 +15613,10 @@ main(int argc, char **argv)
 curconf->conf_canonstr = optarg;
 break;
 
+ case 'C':
+ curconf->conf_checksigningtable = FALSE;
+ break;
+
 case 'd':
 if (optarg == NULL || *optarg == '\0')
 return usage();
From 35f13b11770214e462ead7cb0551f6afa659b04e Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 18:59:42 -0400
Subject: [PATCH 5/9] CheckSigningTable make option always available
Allow disabling of CheckSigningTable for other databases such as LDAP. This option disables the walking of SigningTable to look for missing keys in KeyTable when the config gets loaded.
---
 opendkim/opendkim-config.h | 2 --
 opendkim/opendkim.c | 12 +-----------
 2 files changed, 1 insertion(+), 13 deletions(-)
diff --git a/opendkim/opendkim-config.h b/opendkim/opendkim-config.h
index 6501ddd2..7a83690a 100644
--- a/opendkim/opendkim-config.h
+++ b/opendkim/opendkim-config.h
@@ -44,9 +44,7 @@ struct configdef dkimf_config[] =
 { "Canonicalization", CONFIG_TYPE_STRING, FALSE },
 { "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE },
 { "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE },
-#ifdef USE_ODBX
 { "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE },
-#endif /* USE_ODBX*/
 { "ClockDrift", CONFIG_TYPE_INTEGER, FALSE },
 #ifdef _FFR_CONDITIONAL
 { "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE },
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index d7f822eb..f23291e2 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -248,15 +248,13 @@ struct dkimf_config
 _Bool conf_noheaderb; /* suppress "header.b" */
 _Bool conf_singleauthres; /* single Auth-Results */
 _Bool conf_safekeys; /* check key permissions */
+ _Bool conf_checksigningtable; /* skip checking keys on startup */
 #ifdef _FFR_RESIGN
 _Bool conf_resignall; /* resign unverified mail */
 #endif /* _FFR_RESIGN */
 #ifdef USE_LDAP
 _Bool conf_ldap_usetls; /* LDAP TLS */
 #endif /* USE_LDAP */
-#ifdef USE_ODBX
- _Bool conf_checksigningtable; /* skip checking keys on startup */
-#endif /* USE_ODBX */
 #ifdef _FFR_VBR
 _Bool conf_vbr_purge; /* purge X-VBR-* fields */
 _Bool conf_vbr_trustedonly; /* trusted certifiers only */
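Review bot: Dropping the USE_ODBX guards around the `"CheckSigningTable"` entry in dkimf_config[] makes the option valid in every build, but the documentation added earlier in this series still describes the ODBX-only version: the opendkim.conf.sample text from patch 3/9 ends with `## larger databases. Requires opendbx.`, and the commit message says the option is now meant for LDAP and other SigningTable backends. This commit should drop that `Requires opendbx.` sentence in the same change, otherwise the sample advertises a restriction the code no longer enforces. The opendkim.c hunks in this patch, which now read and honour the option unconditionally, are what make the sample text stale.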
@@ -5885,9 +5883,7 @@ dkimf_config_new(void)
 new->conf_atpshash = dkimf_atpshash[0].str;
 #endif /* _FFR_ATPS */
 new->conf_selectcanonhdr = SELECTCANONHDR;
-#ifdef USE_ODBX
 new->conf_checksigningtable = TRUE;
-#endif /* USE_ODBX */
 
 memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);
 
@@ -6205,11 +6201,9 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 sizeof conf->conf_softstart);
 #endif /* (USE_LDAP || USE_ODBX) */
 
-#ifdef USE_ODBX
 (void) config_get(data, "CheckSigningTable",
 &conf->conf_checksigningtable,
 sizeof conf->conf_checksigningtable);
-#endif /* USE_ODBX */
 
 (void) config_get(data, "DNSConnect",
 &conf->conf_dnsconnect,
@@ -8335,11 +8329,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 ** missing KeyTable entries.
 */
 
-#ifdef USE_ODBX
 if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE)
-#else /* USE_ODBX */
- if (conf->conf_signtabledb != NULL)
-#endif /* USE_ODBX */
 {
 _Bool first = TRUE;
 _Bool found;
From ee40b42743857df4d23a2c602488d3deeb24ffb6 Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Sun, 15 Sep 2024 20:29:12 -0400
Subject: [PATCH 6/9] CheckSigningTable use arg -g instead of -C
As requested by futatuki, I will use -g for CheckSigningTable and reserve -C for future option to check the database tables.
---
 opendkim/opendkim.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index f23291e2..ef380572 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -137,7 +137,7 @@
 #endif /* _FFR_REPUTATION */
 
 /* macros */
-#define CMDLINEOPTS "Ab:Cc:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
+#define CMDLINEOPTS "Ab:c:d:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
 
 #ifndef MIN
 # define MIN(x,y) ((x) < (y) ? (x) : (y))
@@ -15470,12 +15470,12 @@ usage(void)
 "\t-A \tauto-restart\n"
 "\t-b modes \tselect operating modes\n"
 "\t-c canon \tcanonicalization to use when signing\n"
- "\t-C \tdo not walk SigningTable when loading config\n"
 "\t-d domlist \tdomains to sign\n"
 "\t-D \talso sign subdomains\n"
 "\t-e name \textract configuration value and exit\n"
 "\t-f \tdon't fork-and-exit\n"
 "\t-F time \tfixed timestamp to use when signing (test mode only)\n"
+ "\t-g \tdo not walk SigningTable when loading config\n"
 "\t-k keyfile \tlocation of secret key file\n"
 "\t-l \tlog activity to system log\n"
 "\t-L limit \tsignature limit requirements\n"
@@ -15603,10 +15603,6 @@ main(int argc, char **argv)
 curconf->conf_canonstr = optarg;
 break;
 
- case 'C':
- curconf->conf_checksigningtable = FALSE;
- break;
-
 case 'd':
 if (optarg == NULL || *optarg == '\0')
 return usage();
@@ -15655,6 +15651,11 @@ main(int argc, char **argv)
 }
 break;
 
+ case 'g':
+ curconf->conf_checksigningtable = FALSE;
+ break;
+
+
 case 'k':
 if (optarg == NULL || *optarg == '\0')
 return usage();
From 3fc8cb7232e7bacc79b5031d72664c9d7c1c6f56 Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Mon, 16 Sep 2024 15:07:43 -0400
Subject: [PATCH 7/9] CheckSigningTable add -g arg to opendkim(8) man page
---
 opendkim/opendkim.8.in | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in
index e2b6cea7..55f5a319 100644
--- a/opendkim/opendkim.8.in
+++ b/opendkim/opendkim.8.in
@@ -282,6 +282,11 @@ Normally
 forks and exits immediately, leaving the service running in the background.
 This flag suppresses that behaviour so that it runs in the foreground.
 .TP
+.I \-g
+Set CheckSigningTable to no. This means that when the config is loaded,
+The SigningTable will not be checked for any missing keys in
+the KeyTable.
+.TP
 .I \-F time
 Specifies a fixed time to use when generating signatures. Ignored unless
 also used in conjunction with
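Review bot: `case 'g'` in the last main() hunk sets `curconf->conf_checksigningtable = FALSE` while options are parsed, but the `config_get(data, "CheckSigningTable", ...)` call added to dkimf_config_load() in patch 1/9 (unconditional since patch 5/9) writes the file's value into the same field, so if the configuration file is loaded after this getopt loop — which the other `curconf->` assignments in this switch suggest, though the call order is not visible here — an explicit `CheckSigningTable yes` in the file silently overrides `-g`. Guarding the read with `if (conf->conf_checksigningtable != FALSE)` immediately before that config_get() call would keep the command line authoritative; the `-C` variant in patch 4/9 had the same problem. The two consecutive blank lines added after `break;` are one more than the neighbouring cases use. main() continues outside the hunk.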
From 3dabd5fc7f5151ad0eed067661aeb6c33b38d8ca Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Wed, 18 Sep 2024 22:04:49 -0400
Subject: [PATCH 8/9] CheckSigningTable improve man page
---
 opendkim/opendkim.8.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in
index 55f5a319..3c1f4e4f 100644
--- a/opendkim/opendkim.8.in
+++ b/opendkim/opendkim.8.in
@@ -283,9 +283,9 @@ forks and exits immediately, leaving the service running in the background.
 This flag suppresses that behaviour so that it runs in the foreground.
 .TP
 .I \-g
-Set CheckSigningTable to no. This means that when the config is loaded,
-The SigningTable will not be checked for any missing keys in
-the KeyTable.
+Skip checking each row in the SigningTable for any missing keys in the
+KeyTable. This is the same as setting CheckSigningTable=no in
+opendkim.conf(5).
 .TP
 .I \-F time
 Specifies a fixed time to use when generating signatures. Ignored unless
From c7d845bd7bf482107947f0c3799535d94172440c Mon Sep 17 00:00:00 2001
From: r-a-z-v-a-n <35752225+r-a-z-v-a-n@users.noreply.github.com>
Date: Wed, 18 Sep 2024 22:12:14 -0400
Subject: [PATCH 9/9] SigningTable improve man page
---
 opend kim/opendkim.8.in | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in
index 3c1f4e4f..91f627fd 100644
--- a/opendkim/opendkim.8.in
+++ b/opendkim/opendkim.8.in
@@ -283,9 +283,8 @@ forks and exits immediately, leaving the service running in the background.
 This flag suppresses that behaviour so that it runs in the foreground.
 .TP
 .I \-g
-Skip checking each row in the SigningTable for any missing keys in the
-KeyTable. This is the same as setting CheckSigningTable=no in
-opendkim.conf(5).
+Skip checking the SigningTable for any missing keys in the KeyTable. This
+is the same as setting CheckSigningTable=no in opendkim.conf(5).
 .TP
 .I \-F time
 Specifies a fixed time to use when generating signatures. Ignored unless