v1.4.2 always crashes when message contains ARC-Seal headers. #222
----- Message from ksuuk ***@***.***> ---------
Date: Thu, 09 Jun 2022 14:16:16 -0700
From: ksuuk ***@***.***>
Reply-To: trusteddomainproject/OpenDMARC
***@***.***>
Subject: [trusteddomainproject/OpenDMARC] v1.4.2 always crashes when
message contains ARC-Seal headers. (Issue #222)
To: trusteddomainproject/OpenDMARC ***@***.***>
Cc: Subscribed ***@***.***>
…
Hi,
OpenDmarc 1.3.2 versus 1.4.2 issue, both compiled with same options:
./configure --with-sql-backend --with-spf -with-spf2-include=%{_prefix}/include/spf2 --with-spf2-lib=%{_libdir}/libspf2.so
Conf is also same:
AutoRestart true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures false
RequiredHeaders true
Socket local:/var/run/opendmarc/opendmarc.sock
SPFSelfValidate true
Syslog true
UMask 002
UserID opendmarc:opendmarc
AuthservID DMARC
TrustedAuthservIDs rull.metroprint.ee
AutoRestartRate 10/1M

opendmarc: OpenDMARC Filter v1.4.2
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 0 from DKIM
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 1 from SPF
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 3 from ARC
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5: SPF(mailfrom): domain1.com pass
Jun 9 23:28:36 servu postfix/cleanup[55537]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Success
Jun 9 23:28:36 servu opendmarc[55364]: terminated with signal 6, restarting
Jun 9 23:28:36 servu opendmarc[55574]: OpenDMARC Filter v1.4.2 starting (args: -c /etc/opendmarc.conf)
Jun 9 23:28:36 servu opendmarc[55574]: additional trusted authentication services: servu.domain2.com
Patch #183[1] doesn't help.
opendmarc: OpenDMARC Filter v1.3.2
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 0 from DKIM
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 1 from SPF
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 3 from ARC
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B: SPF(mailfrom): ***@***.*** pass
BTW, is this bug or feature, that v1.4.2 SPF(mailfrom) shows only
sender domain, not the full sender address?
----- End message from ksuuk ***@***.***> -----
On your question on bug or feature, SPF only validates the domain...
RFC7489 3.1 on SPF:
"while [SPF] can authenticate either the domain that appears in the
RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
HELO domain, or both"
Links:
------
[1] #183
___________
Simon Wilson
M: 0400 12 11 16
I think I'm seeing something similar, but only when the ARC header is malformed in a specific way. From maillog:
That consistently preceded OpenDMARC entering a failure state. When the ARC header was malformed differently, it was correctly ignored by OpenDMARC, potentially thanks to the previous patch. This is happening with a manual build of 1.4.2:
We continue to run version 1.3.2-1 on RHEL 7 (EPEL 7) since all of the below versions have crashed for various reasons, the latest of which has to do with the parsing of the ARC-Seal: header:
opendmarc Version 1.4.1.1 Release 1.el7 (CRASHES, adds patch for rhbz#1972292)
opendmarc Version 1.4.1.1 Release 2.el7 (CRASHES, adds patch for rhbz#1974707)
opendmarc Version 1.4.1.1 Release 3.el7 (CRASHES, adds patch for rhbz#1915468)
Version 1.4.2 is not yet available via the EPEL 7 repository, so we're still stuck at version 1.3.2-1 until this is fixed.
I have pinpointed where our opendmarc (1.4.1.1-3.el7) is crashing while running it in the foreground and feeding our MTA an email message with the malformed header "ARC-Seal: none":
opendmarc: opendmarc-arcseal.c:98: opendmarc_arcseal_strip_whitespace: Assertion `string != ((void *)0)' failed.
It appears, perhaps, that the following commit may well have fixed this problem (in 1.4.2?) by checking for a null string prior to calling opendmarc_arcseal_strip_whitespace():
So it would appear that we will have to wait until EPEL 7 carries opendmarc 1.4.2 -- can anyone confirm this? This particular issue's subject implies that we may still have issues with ARC-Seal headers even in 1.4.2.
Is there perhaps some way to disable all ARC header processing in the configuration file? If not, should there be?
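The failure mode described in the comment above (an assertion on a NULL string while parsing an untrusted header, which aborts the filter with signal 6) can be avoided by rejecting the malformed value and letting the caller ignore the header. This is an added example, not part of the thread and not OpenDMARC's code; `strip_whitespace` and `parse_arc_seal` are hypothetical names, and the 1024-byte buffer is an assumption.

```c
/* Added example: hypothetical helper names, not OpenDMARC source code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Remove all whitespace in place. A NULL argument is returned as NULL;
 * an assert() here would call abort() and kill the whole filter with
 * SIGABRT (signal 6 on Linux) on one bad message. */
static char *strip_whitespace(char *s)
{
    if (s == NULL)
        return NULL;
    char *w = s;
    for (char *r = s; *r != '\0'; r++)
        if (!isspace((unsigned char)*r))
            *w++ = *r;
    *w = '\0';
    return s;
}

/* Parse an ARC-Seal value of the form "tag=value; tag=value; ...".
 * Returns the number of pairs, or -1 when the value is malformed
 * (a bare word such as "none", an empty tag or value, or no pairs).
 * The caller should treat -1 as "ignore this header". */
int parse_arc_seal(const char *hdr_value)
{
    char buf[1024];
    int pairs = 0;

    if (hdr_value == NULL || strlen(hdr_value) >= sizeof buf)
        return -1;
    strcpy(buf, hdr_value);

    for (char *tok = buf, *next; tok != NULL; tok = next) {
        next = strchr(tok, ';');
        if (next != NULL)
            *next++ = '\0';
        char *eq = strchr(tok, '=');
        if (eq == NULL) {
            if (*strip_whitespace(tok) == '\0')
                continue;           /* blank segment after a trailing ';' */
            return -1;              /* token without '=' */
        }
        *eq = '\0';
        char *tag = strip_whitespace(tok);
        char *val = strip_whitespace(eq + 1);
        if (*tag == '\0' || *val == '\0')
            return -1;
        pairs++;
    }
    return pairs > 0 ? pairs : -1;
}
```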
Yes, 1.4.2 is also not stable, see #183 for some details.