diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 68e6dfaf..7d1f3020 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,7 +9,7 @@ jobs:
name: isolated chatmaild tests
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: run chatmaild tests
working-directory: chatmaild
@@ -19,7 +19,7 @@ jobs:
name: deploy-chatmail tests
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: initenv
run: scripts/initenv.sh
diff --git a/.github/workflows/staging.testrun.org-default.zone b/.github/workflows/staging.testrun.org-default.zone
index 0d8734f5..444e4d86 100644
--- a/.github/workflows/staging.testrun.org-default.zone
+++ b/.github/workflows/staging.testrun.org-default.zone
@@ -1,6 +1,6 @@
-;; Zone file for staging.testrun.org
+;; Zone file for staging2.testrun.org
-$ORIGIN staging.testrun.org.
+$ORIGIN staging2.testrun.org.
$TTL 300
@ IN SOA ns.testrun.org. root.nine.testrun.org (
@@ -15,6 +15,7 @@ $TTL 300
@ IN NS ns.testrun.org.
;; DNS records.
-@ IN A 37.27.37.98
-mta-sts.staging.testrun.org. CNAME staging.testrun.org.
-www.staging.testrun.org. CNAME staging.testrun.org.
+@ IN A 37.27.24.139
+mta-sts.staging2.testrun.org. CNAME staging2.testrun.org.
+www.staging2.testrun.org. CNAME staging2.testrun.org.
+
diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml
index 5ea6a9de..e11b537f 100644
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -1,4 +1,4 @@
-name: deploy on staging.testrun.org, and run tests
+name: deploy on staging2.testrun.org, and run tests
on:
push:
@@ -13,28 +13,31 @@ on:
jobs:
deploy:
- name: deploy on staging.testrun.org, and run tests
+ name: deploy on staging2.testrun.org, and run tests
runs-on: ubuntu-latest
concurrency:
group: staging-deploy
cancel-in-progress: true
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: prepare SSH
run: |
mkdir ~/.ssh
echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan staging.testrun.org > ~/.ssh/known_hosts
+ ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts
# save previous acme & dkim state
- rsync -avz root@staging.testrun.org:/var/lib/acme . || true
- rsync -avz root@staging.testrun.org:/etc/dkimkeys . || true
+ rsync -avz root@staging2.testrun.org:/var/lib/acme . || true
+ rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true
# store previous acme & dkim state on ns.testrun.org, if it contains useful certs
if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi
- if [ -z "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
+ if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
+ # make sure CAA record isn't set
+ ssh -o StrictHostKeyChecking=accept-new root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone
+ ssh root@ns.testrun.org systemctl reload nsd
- - name: rebuild staging.testrun.org to have a clean VPS
+ - name: rebuild staging2.testrun.org to have a clean VPS
run: |
curl -X POST \
-H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
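Review bot: The CAA cleanup on the added `sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone` line deletes every zone line containing the substring CAA, not only CAA records; the zone on ns.testrun.org at that point is presumably the one uploaded by the previous deploy, which includes the appended DKIM TXT record with a base64 public key, so a key whose encoding happens to contain `CAA` would lose its record until the zone is regenerated later in the workflow. Anchoring the pattern to the record-type field, e.g. `sed -i '/[[:space:]]CAA[[:space:]]/d'`, limits the deletion to CAA records. Editing the zone in place also leaves the SOA serial untouched, which only matters if the zone has secondaries beyond the single NS listed in the checked-in zone file; if it does, bumping the serial before `systemctl reload nsd` is needed for the removal to propagate. The `steps` sequence continues past the end of this hunk.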
@@ -49,17 +52,17 @@ jobs:
- name: upload TLS cert after rebuilding
run: |
- echo " --- wait until staging.testrun.org VPS is rebuilt --- "
+ echo " --- wait until staging2.testrun.org VPS is rebuilt --- "
rm ~/.ssh/known_hosts
- while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done
- ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u
+ while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u ; do sleep 1 ; done
+ ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u
# download acme & dkim state from ns.testrun.org
rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme acme-restore || true
rsync -avz root@ns.testrun.org:/tmp/dkimkeys dkimkeys-restore || true
- # restore acme & dkim state to staging.testrun.org
- rsync -avz acme-restore/acme/ root@staging.testrun.org:/var/lib/acme || true
- rsync -avz dkimkeys-restore/dkimkeys/ root@staging.testrun.org:/etc/dkimkeys || true
- ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown root:root -R /var/lib/acme || true
+ # restore acme & dkim state to staging2.testrun.org
+ rsync -avz acme-restore/acme/ root@staging2.testrun.org:/var/lib/acme || true
+ rsync -avz dkimkeys-restore/dkimkeys/ root@staging2.testrun.org:/etc/dkimkeys || true
+ ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true
- name: run formatting checks
run: cmdeploy fmt -v
@@ -67,18 +70,18 @@ jobs:
- name: run deploy-chatmail offline tests
run: pytest --pyargs cmdeploy
- - run: cmdeploy init staging.testrun.org
+ - run: cmdeploy init staging2.testrun.org
- run: cmdeploy run
- name: set DNS entries
run: |
- ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+ ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
cmdeploy dns --zonefile staging-generated.zone
cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
cat .github/workflows/staging.testrun.org-default.zone
- scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging.testrun.org.zone
- ssh root@ns.testrun.org nsd-checkzone staging.testrun.org /etc/nsd/staging.testrun.org.zone
+ scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
+ ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone
ssh root@ns.testrun.org systemctl reload nsd
- name: cmdeploy test
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2423fd7f..2dfd2877 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
## untagged
+- Reject DKIM signatures that do not cover the whole message body.
+ ([#321](https://github.com/deltachat/chatmail/pull/321))
+
- check that OpenPGP has only PKESK, SKESK and SEIPD packets
([#323](https://github.com/deltachat/chatmail/pull/323), [#324](https://github.com/deltachat/chatmail/pull/324))
diff --git a/cmdeploy/src/cmdeploy/acmetool/__init__.py b/cmdeploy/src/cmdeploy/acmetool/__init__.py
index 48f8e095..4e47d46e 100644
--- a/cmdeploy/src/cmdeploy/acmetool/__init__.py
+++ b/cmdeploy/src/cmdeploy/acmetool/__init__.py
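Review bot: The checked-in zone file now declares `$ORIGIN staging2.testrun.org.` but keeps the name `.github/workflows/staging.testrun.org-default.zone`, which the three `cat`/`scp` lines in this hunk still reference while uploading it as `/etc/nsd/staging2.testrun.org.zone`; renaming the file to match the zone it describes (and updating these references) keeps the two names from drifting apart on the next host change. The two names are easy to confuse in a step that also writes `staging-generated.zone`, so a one-line comment above the `cmdeploy dns` call naming which file is the template and which is the generated part would help, e.g. `# append generated DKIM/MTA-STS records to the checked-in zone template, then publish it on ns.testrun.org`. The `steps` sequence continues past the end of this hunk.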
@@ -69,8 +69,7 @@ def deploy_acmetool(email="", domains=[]):
restarted=service_file.changed,
)
- if str(host) != "staging.testrun.org":
- server.shell(
- name=f"Request certificate for: { ', '.join(domains) }",
- commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"],
- )
+ server.shell(
+ name=f"Request certificate for: { ', '.join(domains) }",
+ commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"],
+ )
diff --git a/cmdeploy/src/cmdeploy/opendkim/final.lua b/cmdeploy/src/cmdeploy/opendkim/final.lua
index 133f7784..3b8858e5 100644
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -19,7 +19,11 @@ for i = 1, nsigs do
-- Any valid signature that was not ignored like this
-- means the message is acceptable.
if sigres == 0 then
- return nil
+ -- Do not accept the signature if it does not cover the whole body
+ -- of the message by using `l=` tag.
+ if odkim.sig_canonlength(ctx, sig) < odkim.sig_bodylength(ctx, sig) then
+ return nil
+ end
end
end
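Review bot: With the staging guard gone, the `commands=` line builds the `acmetool want` command by joining `domains` with spaces and passes it to `server.shell`, presumably through a shell, unquoted; an entry containing shell metacharacters would change the command instead of failing. `commands=[f"acmetool want --xlog.severity=debug {shlex.join(domains)}"]` keeps each domain a single argument (with `import shlex` added at the top of the file, which is outside this hunk). deploy_acmetool starts outside the hunk and the origin of `domains` is not visible here, so this is a defence-in-depth point rather than a known input problem; the mutable `domains=[]` default in the signature is pre-existing but could become `domains=()` in the same pass.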
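Review bot: The direction of the new length check looks inverted relative to its own comment: the comment two lines above the branch says a valid signature means the message is acceptable and `return nil` is what the old code did in that case, yet the new code returns nil only when `odkim.sig_canonlength(ctx, sig) < odkim.sig_bodylength(ctx, sig)`, i.e. when the signed portion is shorter than the body, and keeps looping (towards whatever rejection follows the loop, outside this hunk) when the signature covers the whole body. If `return nil` does mean accept, the line should read `if odkim.sig_canonlength(ctx, sig) >= odkim.sig_bodylength(ctx, sig) then`; please confirm against the OpenDKIM Lua documentation for the two calls, since this is a hunk-local reading. It is also worth checking whether canonicalization (relaxed whitespace folding, trailing blank-line handling) can make the canonicalized length smaller than the raw body length for a signature without an `l=` tag, in which case comparing against the `l=` value itself would be the more precise test. The enclosing `for i = 1, nsigs do` loop starts outside the hunk.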