DKIM CVE and Amavis behavior

Mark Martinec Mark.Martinec+amavis at ijs.si
Tue Oct 30 15:29:16 CET 2012


Quanah,

> There's been a lot of news recently about
> <http://www.kb.cert.org/vuls/id/268267>.

Yes, I've noticed.

> I am curious to know if Amavis with DKIM verification enabled "does the
> right thing" in relation to "test" DKIM keys and DKIM keys with a small bit
> size (less than 1024).  I know opendkim just rev'd to 2.7.0 to take care of
> the CVE.

Currently (2.8.0 and older) amavisd does not test for DKIM key size.

If a sender is using a short key, it's his decision and his risk.

If a recipient is accepting a valid signature for whitelisting
purposes, that was his own decision when he investigated reputation
of a signing domain and trustfulness of their key and explicitly
and intentionally decided to use it for whitelisting purposes.

> Among the major changes in OpenDKIM 2.7.0:
> 
> o SECURITY: The library will now decline to generate a signature, or pass even
>   a valid signature, if the signing key is comprised of too few bits, thus
>   being insecure.  The default is 1024.  This can be controlled through the
>   API, and the setting can also be adjusted in the filter via the new
>   "MinimumKeyBits" setting.

With 2.8.1 amavis will issue a warning if someone wants to generate
or use a key shorter than 1024 bits.

It will also ignore a valid signature with a key below a configurable
size (default 786) for purposes of loading a policy bank
(DKIM-based whitelisting - @author_to_policy_bank_maps).


> Also, there is this bit:
> 
> 1) CWE-347: Improper Verification of Cryptographic Signature: DKIM
> information is conveyed in an email header called a DKIM-Signature header
> field. A Signer can indicate that a domain is testing DKIM by setting the
> DKIM Selector Flag (t=) flag to t=y. Some verifiers accept DKIM messages in
> testing mode when the messages should be treated as if they were not DKIM
> signed. From RFC 6376:
> 
> t= Flags, represented as a colon-separated list of names (plain-
>    text; OPTIONAL, default is no flags set).  Unrecognized flags MUST
>    be ignored.  The defined flags are as follows:
> 
>    y  This domain is testing DKIM.  Verifiers MUST NOT treat messages
>       from Signers in testing mode differently from unsigned email,
>       even should the signature fail to verify.

If a signature fails to verify amavisd never treated it any differently
than unsigned mail, regardless of the testing flag.

If a signature is valid, it is silly to disregard it even when it has
a testing flag. It is all up to a signer's reputation / trustfulness
in the eye of a recipient when he decides to use (or not to use)
their valid signature for some whitelisting purpose.

  Mark
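To make the two properties debated above concrete (key size below a MinimumKeyBits-style threshold, and the t=y testing flag), here is an added Python example, not amavisd or OpenDKIM code: it parses a DKIM key TXT record, reads the RSA modulus size out of the base64 p= tag with a minimal DER walker, and reports the testing flag. All function names are this example's own, and the sample record is constructed around a made-up modulus, not a real key.

```python
import base64

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def _enc(tag, body):
    """Encode one DER TLV; used only to build the constructed sample key."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _enc(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive

def make_record(modulus, flags="", e=65537):
    """Constructed DKIM key TXT record around a made-up RSA modulus."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # rsaEncryption
    rsa_key = _enc(0x30, _int(modulus) + _int(e))
    spki = _enc(0x30, _enc(0x30, rsa_oid) + _enc(0x03, b"\x00" + rsa_key))
    t = f" t={flags};" if flags else ""
    return f"v=DKIM1; k=rsa;{t} p=" + base64.b64encode(spki).decode()

def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' (RFC 6376 key record syntax) into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in txt.split(";")) if k.strip()}

def rsa_modulus_bits(p_tag):
    """Bit length of the RSA modulus inside the base64 'p=' tag (SubjectPublicKeyInfo)."""
    _, spki, _ = _tlv(base64.b64decode(p_tag))       # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(spki)                            # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, pos)                    # BIT STRING
    _, rsa_key, _ = _tlv(bitstr[1:])                  # skip unused-bits octet
    _, modulus, _ = _tlv(rsa_key)                     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def assess_key(record, min_bits=1024):
    """(strong_enough, bits, testing): the two properties the thread debates."""
    tags = parse_dkim_record(record)
    bits = rsa_modulus_bits(tags["p"])
    testing = "y" in tags.get("t", "").split(":")    # t=y: signer is testing DKIM
    return bits >= min_bits, bits, testing

# Constructed sample: 512-bit modulus (not a real key), signer in testing mode.
SAMPLE_RECORD = make_record((1 << 511) | 0x10001, flags="y")
```

Whether a valid signature with t=y counts for whitelisting is left to the caller, since the thread records both positions; the key-size threshold is the configurable min_bits.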


More information about the amavis-users mailing list