mlfi_eoh: emit dkim=permerror for malformed DKIM-Signature (fixes #194)#403
Merged
thegushi merged 1 commit intoJun 4, 2026
Merged
Conversation
…rusteddomainproject#194) When dkim_header() returns DKIM_STAT_SYNTAX (malformed DKIM-Signature), mlfi_eoh() was setting ms and returning early, bypassing mlfi_eom() entirely. With AlwaysAddARHeader or SoftwareHeader enabled this meant the message was accepted silently with no Authentication-Results header, making mail with a bad signature indistinguishable from mail that was never processed by OpenDKIM. RFC 8601 section 2.7.1 defines dkim=permerror for exactly this case. Fix: when dkim_header() returns DKIM_STAT_SYNTAX, call dkimf_libstatus() to determine the configured OnBadSignature action. If the action is accept (the common case), set mctx_headeronly, mctx_addheader, and mctx_status=DKIMF_STATUS_BADFORMAT so mlfi_eom() emits dkim=permerror via the existing mctx_headeronly path. If the action is reject, tempfail, or discard, set ms as before so the early-exit behaviour is preserved. Also guard the DKIM_STAT_NOSIG branch in the dkim_eoh() result switch so it does not overwrite a BADFORMAT status already set from the header loop (a handle with a bad DKIM-Signature yields NOSIG from dkim_eoh_verify() once the bad sig's set_bad flag is set). Add t-test208 to confirm the library behaviour the fix relies on: dkim_header() returns DKIM_STAT_SYNTAX for a malformed DKIM-Signature, the handle remains usable, and dkim_eoh() returns DKIM_STAT_NOSIG.
thegushi
force-pushed
the
fix-194-syntax-ar-header
branch
from
41cbf47 to
8b2644b
Compare
thegushi
added a commit
that referenced
this pull request
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dkim_header()returnsDKIM_STAT_SYNTAXfor a malformedDKIM-Signature,mlfi_eoh()was settingmsand returning early, bypassingmlfi_eom()entirely. WithAlwaysAddARHeaderorSoftwareHeaderenabled, the message was accepted with noAuthentication-Resultsheader — making it indistinguishable from mail that was never processed by OpenDKIM.dkim=permerrorfor exactly this case.mctx_headeronly/DKIMF_STATUS_BADFORMATpath thatmlfi_eom()already handles correctly, rather than short-circuiting past it.How it works
When
dkim_header()returnsDKIM_STAT_SYNTAX, instead of settingms(which causesmlfi_eoh()to return early), the fix setsmctx_headeronly,mctx_addheader, andmctx_status=DKIMF_STATUS_BADFORMAT.mlfi_eoh()returnsSMFIS_CONTINUE;mlfi_body()skips the body via the existingmctx_headeronlycheck;mlfi_eom()reaches its ownmctx_headeronlybranch which emitsdkim=permerrorand accepts.A guard is also added to the
DKIM_STAT_NOSIGbranch of thedkim_eoh()result switch so it does not overwrite aBADFORMATstatus already set from the header loop. (A handle with a badDKIM-SignatureproducesNOSIGfromdkim_eoh_verify()once the bad sig'sset_badflag is set.)Test
t-test208confirms the library behaviour the fix relies on:dkim_header()returnsDKIM_STAT_SYNTAXfor a malformedDKIM-Signature, the handle remains usable, anddkim_eoh()returnsDKIM_STAT_NOSIG. Verified on FreeBSD.Test plan
make check— t-test208 should passDKIM-Signature: eeeethrough a milter instance configured withAlwaysAddARHeader yes; confirmAuthentication-Resultsheader containsdkim=permerror