Use time in the Received header as the verification time (#336)

Author: lieser

CHANGELOG.md

@@ -6,6 +6,10 @@ All notable changes to this project will be documented in this file.
 
 ## Unreleased
 
+### Enhancements
+
+- Extract the received time from the last Received header and use it as the verification time (#336).
+
 ### Fixes
 
 - Fixed extension not working for attached or external messages (#216).

_locales/de/messages.json

@@ -185,7 +185,7 @@
 		"message": "Signatur-Zeitstempel-Tag hat falsches Format"
 	},
 	"DKIM_SIGERROR_TIMESTAMPS": {
-		"message": "Signatur abgelaufen"
+		"message": "Signatur-Ablaufdatum ist vor dem Signatur-Zeitstempel"
 	},
 	"DKIM_SIGERROR_ILLFORMED_X": {
 		"message": "Signatur-Ablaufdatum-Tag hat falsches Format"

modules/dkim/verifier.mjs.js

@@ -993,14 +993,24 @@ class DkimSignature {
 	 * @returns {void}
 	 */
 	_checkValidityPeriod() {
-		const time = Math.round(Date.now() / 1000);
+		let receivedTime = null;
+		const receivedHeaders = this._msg.headerFields.get("received") ?? [];
+		if (receivedHeaders[0]) {
+			receivedTime = MsgParser.tryExtractReceivedTime(receivedHeaders[0]);
+		}
+
+		const verifyTime = receivedTime ?? new Date();
+		const time = Math.round(verifyTime.getTime() / 1000);
 		// warning if signature expired
 		if (this._header.x !== null && this._header.x < time) {
 			this._header.warnings.push({ name: "DKIM_SIGWARNING_EXPIRED" });
 			log.debug("Warning: DKIM_SIGWARNING_EXPIRED");
 		}
 		// warning if signature in future
-		if (this._header.t !== null && this._header.t > time) {
+		// We allow a difference of 15 min so small clock differenzess between
+		// sender and receiver are not causing any issues
+		const allowedDifference = 15 * 60;
+		if (this._header.t !== null && this._header.t > time + allowedDifference) {
 			this._header.warnings.push({ name: "DKIM_SIGWARNING_FUTURE" });
 			log.debug("Warning: DKIM_SIGWARNING_FUTURE");
 		}

modules/msgParser.mjs.js

@@ -225,4 +225,25 @@ export default class MsgParser {
 		}
 		throw new Error("Cannot extract the list identifier from the List-Id header.");
 	}
+
+	/**
+	 * Tries to extract the date time information from a Received header (RFC 2919).
+	 *
+	 * @param {string} header
+	 * @returns {Date|null}
+	 */
+	static tryExtractReceivedTime(header) {
+		const dateTimeStart = header.lastIndexOf(";");
+		if (dateTimeStart === -1) {
+			log.warn("Could not find the date time in the Received header");
+			return null;
+		}
+		const dateTimeStr = header.substring(dateTimeStart + 1);
+		const dateTime = new Date(dateTimeStr);
+		if (dateTime.toString() === "Invalid Date") {
+			log.warn("Could not parse the date time in the Received header");
+			return null;
+		}
+		return dateTime;
+	}
 }

test/data/dkim/time-received_after_creation.eml

@@ -0,0 +1,24 @@
+Received: from client1.football.example.com  [192.0.2.1]
+      by submitserver.example.com with SUBMISSION;
+      Sun, 10 Jun 2018 15:00:00 +0000
+Received: from client1.football.example.com  [192.0.2.1]
+      by submitserver.example.com with SUBMISSION;
+      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+ d=football.example.com; [email protected];
+ q=dns/txt; s=brisbane; t=1528637909; h=from : to :
+ subject : date : message-id : from : subject : date;
+ bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+ b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11Bus
+ Fa3bT3FY5OsU7ZbnKELq+eXdp1Q1Dw==
+From: Joe SixPack <[email protected]>
+To: Suzie Q <[email protected]>
+Subject: Is dinner ready?
+Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
+Message-ID: <[email protected]>
+
+Hi.
+
+We lost the game.  Are you hungry yet?
+
+Joe.

test/data/dkim/time-received_briefly_before_creation.eml

@@ -0,0 +1,21 @@
+Received: from client1.football.example.com  [192.0.2.1]
+      by submitserver.example.com with SUBMISSION;
+      Sun, 10 Jun 2018 13:30:00 +0000
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+ d=football.example.com; [email protected];
+ q=dns/txt; s=brisbane; t=1528637909; h=from : to :
+ subject : date : message-id : from : subject : date;
+ bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+ b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11Bus
+ Fa3bT3FY5OsU7ZbnKELq+eXdp1Q1Dw==
+From: Joe SixPack <[email protected]>
+To: Suzie Q <[email protected]>
+Subject: Is dinner ready?
+Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
+Message-ID: <[email protected]>
+
+Hi.
+
+We lost the game.  Are you hungry yet?
+
+Joe.

test/data/dkim/time-received_long_before_creation.eml

@@ -0,0 +1,21 @@
+Received: from client1.football.example.com  [192.0.2.1]
+      by submitserver.example.com with SUBMISSION;
+      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
+DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
+ d=football.example.com; [email protected];
+ q=dns/txt; s=brisbane; t=1528637909; h=from : to :
+ subject : date : message-id : from : subject : date;
+ bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
+ b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11Bus
+ Fa3bT3FY5OsU7ZbnKELq+eXdp1Q1Dw==
+From: Joe SixPack <[email protected]>
+To: Suzie Q <[email protected]>
+Subject: Is dinner ready?
+Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
+Message-ID: <[email protected]>
+
+Hi.
+
+We lost the game.  Are you hungry yet?
+
+Joe.

test/unittest/msgParserSpec.mjs.js

@@ -361,6 +361,35 @@ describe("Message parser [unittest]", function () {
 			).to.throw();
 		});
 	});
+	describe("Extracting the date from a Received header", function () {
+		it("RFC 6376 Appendix A Example", function () {
+			const received = "Received: from client1.football.example.com  [192.0.2.1]\r\n" +
+				"      by submitserver.example.com with SUBMISSION;\r\n" +
+				"      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)\r\n";
+			expect(MsgParser.tryExtractReceivedTime(received)).
+				to.be.deep.equal(new Date("2003-07-11T21:01:54.000-07:00"));
+		});
+		it("RFC 5322 Appendix A.4. Messages with Trace Fields", function () {
+			const received = "Received: from node.example by x.y.test; 21 Nov 1997 10:01:22 -0600\r\n";
+			expect(MsgParser.tryExtractReceivedTime(received)).
+				to.be.deep.equal(new Date("1997-11-21T10:01:22.000-06:00"));
+		});
+		it("Time without seconds", function () {
+			const received = "Received: from node.example by x.y.test; 21 Nov 1997 10:01 -0600\r\n";
+			expect(MsgParser.tryExtractReceivedTime(received)).
+				to.be.deep.equal(new Date("1997-11-21T10:01:00.000-06:00"));
+		});
+		it("Missing semicolon", function () {
+			const received = "Received: from node.example by x.y.test 21 Nov 1997 10:01:22 -0600\r\n";
+			expect(MsgParser.tryExtractReceivedTime(received)).
+				to.be.null;
+		});
+		it("Invalid date", function () {
+			const received = "Received: from node.example by x.y.test; 41 Nov 1997 10:01:22 -0600\r\n";
+			expect(MsgParser.tryExtractReceivedTime(received)).
+				to.be.null;
+		});
+	});
 	describe("Internationalized Email", function () {
 		it("Disabled by default", function () {
 			expect(() => MsgParser.parseFromHeader(toBinaryString(

test/unittest/verifierSpec.mjs.js

@@ -141,6 +141,19 @@ describe("DKIM Verifier [unittest]", function () {
 			expect(res.signatures[0]?.result).to.be.equal("SUCCESS");
 			expect(res.signatures[0]?.warnings).to.be.empty;
 		});
+		it("Received time is after Signature Timestamp", async function () {
+			const res = await verifyEmlFile("dkim/time-received_after_creation.eml");
+			expect(res.signatures.length).to.be.equal(1);
+			expect(res.signatures[0]?.result).to.be.equal("SUCCESS");
+			expect(res.signatures[0]?.warnings).to.be.empty;
+		});
+		it("Received time is briefly before Signature Timestamp", async function () {
+			// I.e. a small clock difference between sender and receiver should not result in an error
+			const res = await verifyEmlFile("dkim/time-received_briefly_before_creation.eml");
+			expect(res.signatures.length).to.be.equal(1);
+			expect(res.signatures[0]?.result).to.be.equal("SUCCESS");
+			expect(res.signatures[0]?.warnings).to.be.empty;
+		});
 	});
 	describe("Syntax errors", function () {
 		it("Missing v-tag in signature", async function () {
@@ -250,6 +263,13 @@ describe("DKIM Verifier [unittest]", function () {
 			expect(res.signatures[0]?.warnings).to.be.an('array').
 				that.deep.includes({ name: "DKIM_SIGWARNING_FROM_NOT_IN_SDID" });
 		});
+		it("Received time is before Signature Timestamp", async function () {
+			const res = await verifyEmlFile("dkim/time-received_long_before_creation.eml");
+			expect(res.signatures.length).to.be.equal(1);
+			expect(res.signatures[0]?.result).to.be.equal("SUCCESS");
+			expect(res.signatures[0]?.warnings).to.be.an('array').
+				that.deep.includes({ name: "DKIM_SIGWARNING_FUTURE" });
+		});
 	});
 	describe("Detect and prevent possible attacks", function () {
 		describe("Additional unsigned header was added", function () {