Reject DKIM signatures that do not cover the whole message body

2026-05-16 15:38:57 +00:00 · 2024-06-11 21:57:58 +00:00
parent 2b5d903cc5
commit 57c29c14a4
2 changed files with 8 additions and 1 deletions
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -19,7 +19,11 @@ for i = 1, nsigs do
 	-- Any valid signature that was not ignored like this
 	-- means the message is acceptable.
 	if sigres == 0 then
-		return nil
+		-- Do not accept the signature if it does not cover the whole body
+		-- of the message by using `l=` tag.
+		if odkim.sig_canonlength(ctx, sig) < odkim.sig_bodylength(ctx, sig) then
+			return nil
+		end
 	end	
 end