From 57c29c14a40fa336687dc416b878c074c1119f53 Mon Sep 17 00:00:00 2001 From: link2xt Date: Tue, 11 Jun 2024 21:57:58 +0000 Subject: [PATCH 1/8] Reject DKIM signatures that do not cover the whole message body --- CHANGELOG.md | 3 +++ cmdeploy/src/cmdeploy/opendkim/final.lua | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2423fd7f..2dfd2877 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## untagged +- Reject DKIM signatures that do not cover the whole message body. + ([#321](https://github.com/deltachat/chatmail/pull/321)) + - check that OpenPGP has only PKESK, SKESK and SEIPD packets ([#323](https://github.com/deltachat/chatmail/pull/323), [#324](https://github.com/deltachat/chatmail/pull/324)) diff --git a/cmdeploy/src/cmdeploy/opendkim/final.lua b/cmdeploy/src/cmdeploy/opendkim/final.lua index 133f7784..3b8858e5 100644 --- a/cmdeploy/src/cmdeploy/opendkim/final.lua +++ b/cmdeploy/src/cmdeploy/opendkim/final.lua @@ -19,7 +19,11 @@ for i = 1, nsigs do -- Any valid signature that was not ignored like this -- means the message is acceptable. if sigres == 0 then - return nil + -- Do not accept the signature if it does not cover the whole body + -- of the message by using `l=` tag. + if odkim.sig_canonlength(ctx, sig) < odkim.sig_bodylength(ctx, sig) then + return nil + end end end From 3899f41c61d94a5e95e4c107ea930563924ef760 Mon Sep 17 00:00:00 2001 From: Christian Hagenest Date: Mon, 27 May 2024 14:05:23 +0200 Subject: [PATCH 2/8] switch to checkout@v4 #301 --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 68e6dfaf..7d1f3020 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,7 +9,7 @@ jobs: name: isolated chatmaild tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: run chatmaild tests working-directory: chatmaild @@ -19,7 +19,7 @@ jobs: name: deploy-chatmail tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: initenv run: scripts/initenv.sh From dbe906a331fc71a72ad9af4486acea31f15fd780 Mon Sep 17 00:00:00 2001 From: Christian Hagenest Date: Mon, 27 May 2024 14:11:08 +0200 Subject: [PATCH 3/8] bump actions/checkout to v4 in test-and-deploy.yml --- .github/workflows/test-and-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml index 5ea6a9de..f1c89829 100644 --- a/.github/workflows/test-and-deploy.yaml +++ b/.github/workflows/test-and-deploy.yaml @@ -19,7 +19,7 @@ jobs: group: staging-deploy cancel-in-progress: true steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: prepare SSH run: | From f7ef236ac82552442157d1e341ef73b3ad6cbd65 Mon Sep 17 00:00:00 2001 From: Christian Hagenest Date: Tue, 28 May 2024 00:14:09 +0200 Subject: [PATCH 4/8] Revert "CI: disable requesting new certs for staging.testrun.org" This reverts commit 127d9d64606cde886ae6e1010c7f2ca79a98cc63. --- cmdeploy/src/cmdeploy/acmetool/__init__.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/cmdeploy/src/cmdeploy/acmetool/__init__.py b/cmdeploy/src/cmdeploy/acmetool/__init__.py index 48f8e095..4e47d46e 100644 --- a/cmdeploy/src/cmdeploy/acmetool/__init__.py +++ b/cmdeploy/src/cmdeploy/acmetool/__init__.py @@ -69,8 +69,7 @@ def deploy_acmetool(email="", domains=[]): restarted=service_file.changed, ) - if str(host) != "staging.testrun.org": - server.shell( - name=f"Request certificate for: { ', '.join(domains) }", - commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"], - ) + server.shell( + name=f"Request certificate for: { ', '.join(domains) }", + commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"], + ) From ef58f011fbbf23ce74aba9d5c12856aa7d6312f6 Mon Sep 17 00:00:00 2001 From: missytake Date: Mon, 3 Jun 2024 10:56:18 +0200 Subject: [PATCH 5/8] CI: disable CAA record for now --- .github/workflows/test-and-deploy.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml index f1c89829..9a6944be 100644 --- a/.github/workflows/test-and-deploy.yaml +++ b/.github/workflows/test-and-deploy.yaml @@ -33,6 +33,9 @@ jobs: # store previous acme & dkim state on ns.testrun.org, if it contains useful certs if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi if [ -z "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi + # make sure CAA record isn't set + ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging.testrun.org.zone + ssh root@ns.testrun.org systemctl reload nsd - name: rebuild staging.testrun.org to have a clean VPS run: | From 4cb62df33f44284e0de3ce0f1bfedaee6a6b061c Mon Sep 17 00:00:00 2001 From: missytake Date: Thu, 13 Jun 2024 16:12:50 +0200 Subject: [PATCH 6/8] CI: change to staging2.testrun.org --- .../staging.testrun.org-default.zone | 11 +++--- .github/workflows/test-and-deploy.yaml | 36 +++++++++---------- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/.github/workflows/staging.testrun.org-default.zone b/.github/workflows/staging.testrun.org-default.zone index 0d8734f5..444e4d86 100644 --- a/.github/workflows/staging.testrun.org-default.zone +++ b/.github/workflows/staging.testrun.org-default.zone @@ -1,6 +1,6 @@ -;; Zone file for staging.testrun.org +;; Zone file for staging2.testrun.org -$ORIGIN staging.testrun.org. +$ORIGIN staging2.testrun.org. $TTL 300 @ IN SOA ns.testrun.org. root.nine.testrun.org ( @@ -15,6 +15,7 @@ $TTL 300 @ IN NS ns.testrun.org. ;; DNS records. -@ IN A 37.27.37.98 -mta-sts.staging.testrun.org. CNAME staging.testrun.org. -www.staging.testrun.org. CNAME staging.testrun.org. +@ IN A 37.27.24.139 +mta-sts.staging2.testrun.org. CNAME staging2.testrun.org. +www.staging2.testrun.org. CNAME staging2.testrun.org. + diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml index 9a6944be..ef2d1a3b 100644 --- a/.github/workflows/test-and-deploy.yaml +++ b/.github/workflows/test-and-deploy.yaml @@ -1,4 +1,4 @@ -name: deploy on staging.testrun.org, and run tests +name: deploy on staging2.testrun.org, and run tests on: push: @@ -13,7 +13,7 @@ on: jobs: deploy: - name: deploy on staging.testrun.org, and run tests + name: deploy on staging2.testrun.org, and run tests runs-on: ubuntu-latest concurrency: group: staging-deploy @@ -26,18 +26,18 @@ jobs: mkdir ~/.ssh echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 - ssh-keyscan staging.testrun.org > ~/.ssh/known_hosts + ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts # save previous acme & dkim state - rsync -avz root@staging.testrun.org:/var/lib/acme . || true - rsync -avz root@staging.testrun.org:/etc/dkimkeys . || true + rsync -avz root@staging2.testrun.org:/var/lib/acme . || true + rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true # store previous acme & dkim state on ns.testrun.org, if it contains useful certs if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi if [ -z "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi # make sure CAA record isn't set - ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging.testrun.org.zone + ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone ssh root@ns.testrun.org systemctl reload nsd - - name: rebuild staging.testrun.org to have a clean VPS + - name: rebuild staging2.testrun.org to have a clean VPS run: | curl -X POST \ -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \ @@ -52,17 +52,17 @@ jobs: - name: upload TLS cert after rebuilding run: | - echo " --- wait until staging.testrun.org VPS is rebuilt --- " + echo " --- wait until staging2.testrun.org VPS is rebuilt --- " rm ~/.ssh/known_hosts - while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done - ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u + while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u ; do sleep 1 ; done + ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u # download acme & dkim state from ns.testrun.org rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme acme-restore || true rsync -avz root@ns.testrun.org:/tmp/dkimkeys dkimkeys-restore || true - # restore acme & dkim state to staging.testrun.org - rsync -avz acme-restore/acme/ root@staging.testrun.org:/var/lib/acme || true - rsync -avz dkimkeys-restore/dkimkeys/ root@staging.testrun.org:/etc/dkimkeys || true - ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown root:root -R /var/lib/acme || true + # restore acme & dkim state to staging2.testrun.org + rsync -avz acme-restore/acme/ root@staging2.testrun.org:/var/lib/acme || true + rsync -avz dkimkeys-restore/dkimkeys/ root@staging2.testrun.org:/etc/dkimkeys || true + ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true - name: run formatting checks run: cmdeploy fmt -v @@ -70,18 +70,18 @@ jobs: - name: run deploy-chatmail offline tests run: pytest --pyargs cmdeploy - - run: cmdeploy init staging.testrun.org + - run: cmdeploy init staging2.testrun.org - run: cmdeploy run - name: set DNS entries run: | - ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown opendkim:opendkim -R /etc/dkimkeys + ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys cmdeploy dns --zonefile staging-generated.zone cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone cat .github/workflows/staging.testrun.org-default.zone - scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging.testrun.org.zone - ssh root@ns.testrun.org nsd-checkzone staging.testrun.org /etc/nsd/staging.testrun.org.zone + scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone + ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone ssh root@ns.testrun.org systemctl reload nsd - name: cmdeploy test From 07ffc003e4f796216c3cc92cef61f7ec562c87e4 Mon Sep 17 00:00:00 2001 From: missytake Date: Sun, 16 Jun 2024 18:14:40 +0200 Subject: [PATCH 7/8] CI: fix check whether acme certs exist --- .github/workflows/test-and-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml index ef2d1a3b..882498ee 100644 --- a/.github/workflows/test-and-deploy.yaml +++ b/.github/workflows/test-and-deploy.yaml @@ -32,7 +32,7 @@ jobs: rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true # store previous acme & dkim state on ns.testrun.org, if it contains useful certs if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi - if [ -z "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi + if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi # make sure CAA record isn't set ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone ssh root@ns.testrun.org systemctl reload nsd From 6b59b8be44eaa09229e3be01c6ff0a85037fe09e Mon Sep 17 00:00:00 2001 From: missytake Date: Wed, 19 Jun 2024 14:24:17 +0200 Subject: [PATCH 8/8] CI: accept ns.testrun.org host key --- .github/workflows/test-and-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml index 882498ee..e11b537f 100644 --- a/.github/workflows/test-and-deploy.yaml +++ b/.github/workflows/test-and-deploy.yaml @@ -34,7 +34,7 @@ jobs: if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi # make sure CAA record isn't set - ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone + ssh -o StrictHostKeyChecking=accept-new root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone ssh root@ns.testrun.org systemctl reload nsd - name: rebuild staging2.testrun.org to have a clean VPS