diff --git a/opendkim/opendkim-config.h b/opendkim/opendkim-config.h
index 5caa8b36..7a83690a 100644
--- a/opendkim/opendkim-config.h
+++ b/opendkim/opendkim-config.h
@@ -44,6 +44,7 @@ struct configdef dkimf_config[] =
 	{ "Canonicalization", CONFIG_TYPE_STRING, FALSE },
 	{ "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE },
 	{ "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE },
+	{ "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE },
 	{ "ClockDrift", CONFIG_TYPE_INTEGER, FALSE },
 #ifdef _FFR_CONDITIONAL
 	{ "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE },
diff --git a/opendkim/opendkim.8.in b/opendkim/opendkim.8.in
index e2b6cea7..e52ee7f7 100644
--- a/opendkim/opendkim.8.in
+++ b/opendkim/opendkim.8.in
@@ -7,6 +7,7 @@
 [\-A]
 [\-b modes]
 [\-c canon]
+[\-G|\-g]
 [\-d domain[,...]]
 [\-D]
 [\-e name]
@@ -282,6 +283,19 @@ Normally forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground.
 .TP
+.I \-g
+Skip walking the SigningTable for any missing keys in the KeyTable.
+This overrides the config option CheckSigningTable in
+.I opendkim.conf(5).
+.TP
+.I \-G
+Walk the SigningTable for any missing keys in the KeyTable on
+loading config file. This overrides config option CheckSigningTable in
+.I opendkim.conf(5).
+In conjunction with
+.I \-n
+option described below, you can perform the check only.
+.TP
 .I \-F time
 Specifies a fixed time to use when generating signatures. Ignored unless also used in conjunction with
diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
index 803f37b0..4358d096 100644
--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
@@ -137,7 +137,7 @@
 #endif /* _FFR_REPUTATION */
 
 /* macros */
-#define CMDLINEOPTS "Ab:c:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
+#define CMDLINEOPTS "Ab:c:d:De:fF:Ggk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
 #ifndef MIN
 # define MIN(x,y) ((x) < (y) ? (x) : (y))
@@ -248,6 +248,7 @@ struct dkimf_config
 	_Bool conf_noheaderb; /* suppress "header.b" */
 	_Bool conf_singleauthres; /* single Auth-Results */
 	_Bool conf_safekeys; /* check key permissions */
+	_Bool conf_checksigningtable; /* check keys on dkimf_config_load */
 #ifdef _FFR_RESIGN
 	_Bool conf_resignall; /* resign unverified mail */
 #endif /* _FFR_RESIGN */
@@ -749,6 +750,8 @@ _Bool reload; /* reload requested */
 _Bool no_i_whine; /* noted ${i} is undefined */
 _Bool testmode; /* test mode */
 _Bool allowdeprecated; /* allow deprecated config values */
+_Bool init_checksigningtable; /* initializing value for CheckSigningTable */
+_Bool use_cf_checksigningtable; /* use CheckSigningTable on config file? */
 #ifdef QUERY_CACHE
 _Bool querycache; /* local query cache */
 #endif /* QUERY_CACHE */
@@ -5882,6 +5885,7 @@ dkimf_config_new(void)
 	new->conf_atpshash = dkimf_atpshash[0].str;
 #endif /* _FFR_ATPS */
 	new->conf_selectcanonhdr = SELECTCANONHDR;
+	new->conf_checksigningtable = init_checksigningtable;
 
 	memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);
 
@@ -6199,6 +6203,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 		                  sizeof conf->conf_softstart);
 #endif /* (USE_LDAP || USE_ODBX) */
 
+	if (use_cf_checksigningtable)
+	{
+		(void) config_get(data, "CheckSigningTable",
+		                  &conf->conf_checksigningtable,
+		                  sizeof conf->conf_checksigningtable);
+	}
 	(void) config_get(data, "DNSConnect", &conf->conf_dnsconnect,
 	                  sizeof conf->conf_dnsconnect);
 
@@ -8323,7 +8333,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 	** missing KeyTable entries.
 	*/
 
-	if (conf->conf_signtabledb != NULL)
+	if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE)
 	{
 		_Bool first = TRUE;
 		_Bool found;
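Review bot: The new condition in the @@ -8323 hunk makes the SigningTable-to-KeyTable consistency walk silently conditional, so with `CheckSigningTable no` (or -g) a SigningTable entry whose key is absent from the KeyTable is no longer reported at config load, and nothing in this hunk records that the walk was skipped. A short notice through the file's existing logging path in an `else if (conf->conf_signtabledb != NULL)` branch, saying that the SigningTable check was disabled by configuration, would keep that visible to an operator reading the log after a reload, and the comment block above the `if` should be extended to mention that the walk is subject to CheckSigningTable / -g. The body of the `if` and the rest of dkimf_config_load continue outside the hunk.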
@@ -15469,6 +15479,8 @@ usage(void)
 	                "\t-e name \textract configuration value and exit\n"
 	                "\t-f \tdon't fork-and-exit\n"
 	                "\t-F time \tfixed timestamp to use when signing (test mode only)\n"
+	                "\t-g \tdo not walk SigningTable when loading config\n"
+	                "\t-G \tforce walk SigningTable when loading config\n"
 	                "\t-k keyfile \tlocation of secret key file\n"
 	                "\t-l \tlog activity to system log\n"
 	                "\t-L limit \tsignature limit requirements\n"
@@ -15557,6 +15569,8 @@ main(int argc, char **argv)
 #endif /* POPAUTH */
 	no_i_whine = TRUE;
 	conffile = NULL;
+	init_checksigningtable = TRUE;
+	use_cf_checksigningtable = TRUE;
 
 	memset(myhostname, '\0', sizeof myhostname);
 	(void) gethostname(myhostname, sizeof myhostname);
@@ -15644,6 +15658,18 @@ main(int argc, char **argv)
 			}
 			break;
 
+		  case 'g':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = FALSE;
+			curconf->conf_checksigningtable = FALSE;
+			break;
+
+		  case 'G':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = TRUE;
+			curconf->conf_checksigningtable = TRUE;
+			break;
+
 		  case 'k':
 			if (optarg == NULL || *optarg == '\0')
 				return usage();
diff --git a/opendkim/opendkim.conf.5.in b/opendkim/opendkim.conf.5.in
index 21da18f5..3cd5a76c 100644
--- a/opendkim/opendkim.conf.5.in
+++ b/opendkim/opendkim.conf.5.in
@@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if
 .I UserID
 is not also set.
 
+.TP
+.I CheckSigningTable (Boolean)
+If set to yes, it walks the SigningTable when loading the config file
+to check for missing keys in KeyTable. The default is yes.
+
 .TP
 .I ClockDrift (integer)
 Sets the tolerance in seconds to be applied when determining whether a
diff --git a/opendkim/opendkim.conf.sample b/opendkim/opendkim.conf.sample
index fa3559a3..5283528f 100644
--- a/opendkim/opendkim.conf.sample
+++ b/opendkim/opendkim.conf.sample
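Review bot: The 'g' and 'G' cases in the @@ -15644 hunk each write three separate places (`use_cf_checksigningtable`, `init_checksigningtable`, `curconf->conf_checksigningtable`) to express one override, which is easy to get out of sync with the defaults set in the @@ -15557 hunk and the copy made in dkimf_config_new. A single tri-state such as `int checksigningtable_override = -1; /* -1: honour config file, 0/1: forced by -g/-G */` consulted by dkimf_config_new and dkimf_config_load would replace the pair of flags and make the precedence (command line over config file) explicit in one place. The direct `curconf->conf_checksigningtable` write looks redundant if curconf is (re)built through dkimf_config_new after option parsing, but where curconf is allocated is outside the hunk, so that needs confirming before removing it.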
@@ -129,6 +129,15 @@
 # Canonicalization simple/simple
 
+## CheckSigningTable { yes | no }
+## default "yes"
+##
+## If set, the SigningTable will be checked for missing keys in
+## KeyTable when loading the config. This can take a longer time with
+## larger databases. Requires opendbx.
+
+# CheckSigningTable yes
+
 ## ClockDrift n
 ## default 300
 ##