mailauth 2.2.3 → 2.3.2

package/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2020-2021 Postal Systems OÜ
+Copyright (c) 2020-2022 Postal Systems OÜ
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -13,7 +13,7 @@
 -   **BIMI** resolving
 -   **MTA-STS** helpers
 
-Pure JavaScript implementation, no external applications or compilation needed. Runs on any server/device that has Node 14+ installed.
+Pure JavaScript implementation, no external applications or compilation needed. It runs on any server/device that has Node 14+ installed.
 
 ## Command line usage
 
@@ -23,7 +23,7 @@ See [command line documentation](cli.md) for the `mailauth` command.
 
 ## Authentication
 
-Validate DKIM signatures, SPF, DMARC, ARC and BIMI for an email.
+Validate DKIM signatures, SPF, DMARC, ARC, and BIMI for an email.
 
 ```js
 await authenticate(message [,options]) ->
@@ -32,23 +32,23 @@ await authenticate(message [,options]) ->
 
 Where
 
--   **message** is either a String, a Buffer or a Readable stream that represents an email message
+-   **message** is either a String, a Buffer, or a Readable stream that represents an email message
 -   **options** (_object_) is an optional options object
-    -   **sender** (_string_) is the email address from MAIL FROM command. If not set then it is parsed from the `Return-Path` header
-    -   **ip** (_string_) is the IP of remote client that sent this message
+    -   **sender** (_string_) is the email address from MAIL FROM command. If not set, then it is parsed from the `Return-Path` header
+    -   **ip** (_string_) is the IP of the remote client that sent this message
     -   **helo** (_string_) is the hostname value from HELO/EHLO command
-    -   **trustReceived** (_boolean_) if true then parses values for `ip` and `helo` from the latest `Received` header if you have not set these values yourself. Defaults to `false`
+    -   **trustReceived** (_boolean_) if true, then parses values for `ip` and `helo` from the latest `Received` header if you have not set these values yourself. Defaults to `false`.
     -   **mta** (_string_) is the hostname of the server performing the authentication (defaults to `os.hostname()`)
-    -   **minBitLength** (_number_) is the minimum allowed bits of RSA public keys (defaults to 1024). If a DKIM or ARC key has less bits, then validation is considered as failed
+    -   **minBitLength** (_number_) is the minimum allowed bits of RSA public keys (defaults to 1024). If a DKIM or ARC key has fewer bits, then validation is considered as failed
     -   **disableArc** (_boolean_) if true then skip ARC checks
-    -   **disableDmarc** (_boolean_) if true then skip DMARC checks. This also disables checks that are dependent on DMARC (eg. BIMI)
-    -   **disableBimi** (_boolean_) if true then skip BIMI checks
+    -   **disableDmarc** (_boolean_) if true then skip DMARC checks. It also disables checks that are dependent on DMARC (e.g., BIMI)
+    -   **disableBimi** (_boolean_) if true, then skip BIMI checks
     -   **seal** (_object_) if set and message does not have a broken ARC chain, then seals the message using these values
         -   **signingDomain** (_string_) ARC key domain name
         -   **selector** (_string_) ARC key selector
-        -   **privateKey** (_string_ or _buffer_) Private key for signing. Can be a RSA or an Ed25519 key
+        -   **privateKey** (_string_ or _buffer_) Private key for signing. Either an RSA or an Ed25519 key
     -   **resolver** (_async function_) is an optional async function for DNS requests. Defaults to [dns.promises.resolve](https://nodejs.org/api/dns.html#dns_dnspromises_resolve_hostname_rrtype)
-    -   **maxResolveCount** (_number_ defaults to _50_) is the DNS lookup limit for SPF. [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4) requires this limit to be 10, mailauth is less strict and defaults to 50.
+    -   **maxResolveCount** (_number_ defaults to _50_) is the DNS lookup limit for SPF. [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4) requires this limit to be 10. Mailauth is less strict and defaults to 50.
 
 **Example**
 
@@ -90,11 +90,11 @@ Authentication-Results: mx.ethereal.email;
 From: ...
 ```
 
-You can see full output (structured data for DKIM, SPF, DMARC and ARC) from [this example](https://gist.github.com/andris9/6514b5e7c59154a5b08636f99052ce37).
+You can see the full output (structured data for DKIM, SPF, DMARC, and ARC) from [this example](https://gist.github.com/andris9/6514b5e7c59154a5b08636f99052ce37).
 
 ### receivedChain
 
-`receivedChain` property is an array of parsed representations of the `Received:` headers
+`receivedChain` property is an array of parsed representations of the `Received:` headers.
 
 ## DKIM
 
@@ -132,7 +132,7 @@ const signResult = await dkimSign(
                 // Optional signature specifc canonicalization, overrides whatever was set in parent object
                 canonicalization: 'relaxed/relaxed' // c=
 
-                // Maximum number of canonicalizated body bytes to sign (eg. the "l=" tag).
+                // Maximum number of canonicalized body bytes to sign (eg. the "l=" tag).
                 // Do not use though. This is available only for compatibility testing.
                 // maxBodyLength: 12345
             }
@@ -216,7 +216,7 @@ const { arc } = await authenticate(
 console.log(arc);
 ```
 
-Output being something like this:
+The output is something like this:
 
 ```
 {
@@ -233,7 +233,7 @@ Output being something like this:
 
 #### During authentication
 
-You can seal messages with ARC automatically in the authentication step by providing the sealing key. In this case you can not modify the message anymore as this would break the seal.
+You can seal messages with ARC automatically in the authentication step by providing the sealing key. In this case, you can not modify the message any more as this would break the seal.
 
 ```js
 const { authenticate } = require('mailauth');
@@ -258,7 +258,7 @@ process.stdout.write(message);
 
 #### After modifications
 
-If you want to modify the message before sealing then you have to authenticate the message first and then use authentication results as input for the sealing step.
+If you want to modify the message before sealing, you have to authenticate the message first and then use authentication results as input for the sealing step.
 
 ```js
 const { authenticate, sealMessage } = require('@postalsys/mailauth');
@@ -297,7 +297,7 @@ process.stdout.write(message);
 
 Brand Indicators for Message Identification (BIMI) support is based on [draft-blank-ietf-bimi-01](https://tools.ietf.org/html/draft-blank-ietf-bimi-01).
 
-BIMI information is resolved in the authentication step and the results can be found from the `bimi` property. Message must pass DMARC validation in order to be processed for BIMI. DMARC policy can not be "none" for BIMI to pass.
+BIMI information is resolved in the authentication step, and the results can be found from the `bimi` property. The message must pass DMARC validation to be processed for BIMI. DMARC policy can not be "none" for BIMI to pass.
 
 ```js
 const { bimi } = await authenticate(
@@ -314,7 +314,7 @@ if (bimi?.location) {
 }
 ```
 
-`BIMI-Location` header is ignored by `mailauth`, it is not checked for and it is not modified in any way if it is present. `BIMI-Selector` is used for selector selection (if available).
+`BIMI-Location` header is ignored by `mailauth`, it is not checked for, and it is not modified in any way if it is present. `BIMI-Selector` is used for selector selection (if available).
 
 ### Verified Mark Certificate
 
@@ -327,14 +327,14 @@ Some example authority evidence documents:
 -   [from default.\_bimi.cnn.com](https://amplify.valimail.com/bimi/time-warner/LysAFUdG-Hw-cnn_vmc.pem)
 -   [from default.\_bimi.entrustdatacard.com](https://www.entrustdatacard.com/-/media/certificate/Entrust%20VMC%20July%2014%202020.pem)
 
-You can parse logos from these certificate files by using the `parseLogoFromX509` function
+You can parse logos from these certificate files using the `parseLogoFromX509` function.
 
 ```js
 const { parseLogoFromX509 } = require('mailauth/lib/tools');
 let { altnNames, svg } = await parseLogoFromX509(fs.readFileSync('vmc.pem'));
 ```
 
-> **NB!** `parseLogoFromX509` does not verify the validity of the VMC certificate. It could be self signed or expired and still be processed.
+> **NB!** `parseLogoFromX509` does not verify the validity of the VMC certificate. It could be self-signed or expired and still be processed.
 
 ## MTA-STS
 
@@ -372,10 +372,10 @@ async getPolicy(domain [,knownPolicy]) -> {policy, status}
 
 Where
 
--   **domain** is the domain to check for (eg. "gmail.com")
--   **knownPolicy** (optional) is the policy object from last check for this domain. This is used to check if the policy is still valid or it was updated.
+-   **domain** is the domain to check for (e.g. "gmail.com")
+-   **knownPolicy** (optional) is the policy object from the last check for this domain. This is used to check if the policy is still valid or it was updated.
 
-Function returns an object with the following properties:
+The function returns an object with the following properties:
 
 -   **policy** (object)
     -   **id** (string or `false`) ID of the policy
@@ -387,11 +387,11 @@ Function returns an object with the following properties:
     -   _"cached"_ no changes detected, current policy is still valid and can be used
     -   _"found"_ new or updated policy was found. Cache this in your system until _policy.expires_
     -   _"renew"_ existing policy is still valid, renew cached version until _policy.expires_
-    -   _"errored"_ policy discovery failed for some temporary error (eg. failing DNS queries). See _policy.error_ for details
+    -   _"errored"_ policy discovery failed for some temporary error (e.g., failing DNS queries). See _policy.error_ for details
 
 ### Validate MX hostname
 
-Check if a resolved MX hostname is valid by MTA-STS policy or not
+Check if a resolved MX hostname is valid by MTA-STS policy or not.
 
 ```
 validateMx(mx, policy) -> Boolean
@@ -402,7 +402,7 @@ Where
 -   **mx** is the resolved MX hostname (eg. "gmail-smtp-in.l.google.com")
 -   **policy** is the policy object returned by `getPolicy()`
 
-Function returns a boolean. If it is `true` then MX hostname is allowed to use.
+The function returns a boolean. If it is `true`, then MX hostname is allowed to use.
 
 ## Testing
 
@@ -412,23 +412,23 @@ Function returns a boolean. If it is `true` then MX hostname is allowed to use.
 
 [OpenSPF test suite](http://www.openspf.org/Test_Suite) ([archive.org mirror](https://web.archive.org/web/20190130131432/http://www.openspf.org/Test_Suite)) with the following differences:
 
--   No PTR support in `mailauth`, all PTR related tests are ignored
--   Less strict whitespace checks (`mailauth` accepts multiple spaces between tags etc)
+-   No PTR support in `mailauth`. All PTR related tests are ignored
+-   Less strict whitespace checks (`mailauth` accepts multiple spaces between tags etc.)
 -   Some macro tests are skipped (macro expansion is supported _in most parts_)
--   Some tests where invalid component is listed after a matching part (mailauth processes from left to right and returns on first match found)
--   Other than that all tests pass
+-   Some tests where the invalid component is listed after a matching part (mailauth processes from left to right and returns on the first match found)
+-   Other than that, all tests pass
 
 ### ARC test suite from ValiMail
 
 ValiMail [arc_test_suite](https://github.com/ValiMail/arc_test_suite)
 
--   `mailauth` is less strict on header tags and casing, for example uppercase `S=` for a selector passes in `mailauth` but fails in ValiMail.
--   Signing test suite is used for input only. All listed messages are signed using provided keys but signatures are not matched against reference. Instead `mailauth` validates the signatures itself and looks for the same cv= output that the ARC-Seal header in the test suite has
--   Other than that all tests pass
+-   `mailauth` is less strict on header tags and casing. For example, uppercase `S=` for a selector passes in `mailauth` but fails in ValiMail.
+-   Signing test suite is used for input only. All listed messages are signed using provided keys, but signatures are not matched against the reference. Instead, `mailauth` validates the signatures itself and looks for the same cv= output that the ARC-Seal header in the test suite has
+-   Other than that, all tests pass
 
 ## Setup
 
-First install the module from npm:
+First, install the module from npm:
 
 ```
 $ npm install mailauth
@@ -442,6 +442,6 @@ const { authenticate } = require('mailauth');
 
 ## License
 
-© 2020-2021 Postal Systems OÜ
+© 2020-2022 Postal Systems OÜ
 
 Licensed under MIT license

package/cli.md

@@ -17,10 +17,18 @@
 Download `mailauth` for your platform:
 
 -   [MacOS](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.pkg)
--   [Linux](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.gz)
+-   [Linux](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.tar.gz)
 -   [Windows](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
 -   Or install from the NPM registry: `npm install -g mailauth`
 
+> **NB!** Downloadable files are quite large because these are packaged Node.js applications
+
+Alternatively you can install `mailauth` from [npm](https://npmjs.com/package/mailauth).
+
+```
+npm install -g mailauth
+```
+
 ## Help
 
 ```

package/lib/dkim/dkim-verifier.js

@@ -172,7 +172,12 @@ class DkimVerifier extends MessageParser {
                     instance: ['ARC', 'AS'].includes(signatureHeader.type) ? signatureHeader.parsed?.i?.value : false
                 });
 
-                let publicKey, rr;
+                let signingHeaders = {
+                    keys: signingHeaderLines.keys,
+                    headers: signingHeaderLines.headers.map(l => l.line.toString())
+                };
+
+                let publicKey, rr, modulusLength;
                 let status = {
                     result: 'neutral',
                     comment: false,
@@ -208,6 +213,7 @@ class DkimVerifier extends MessageParser {
 
                         publicKey = res?.publicKey;
                         rr = res?.rr;
+                        modulusLength = res?.modulusLength;
 
                         try {
                             status.result = crypto.verify(
@@ -283,6 +289,7 @@ class DkimVerifier extends MessageParser {
                     format: signatureHeader.parsed?.c?.value,
                     bodyHash,
                     bodyHashExpecting: signatureHeader.parsed?.bh?.value,
+                    signingHeaders,
                     status
                 };
 
@@ -298,6 +305,10 @@ class DkimVerifier extends MessageParser {
                     result.publicKey = publicKey.toString();
                 }
 
+                if (modulusLength) {
+                    result.modulusLength = modulusLength;
+                }
+
                 if (rr) {
                     result.rr = rr;
                 }

package/lib/spf/spf-verify.js

@@ -15,7 +15,7 @@ const matchIp = (addr, range) => {
     }
 };
 
-const parseCidrValue = (val, defaultValue) => {
+const parseCidrValue = (val, defaultValue, type) => {
     val = val || '';
     let domain = '';
     let cidr4 = '';
@@ -29,8 +29,15 @@ const parseCidrValue = (val, defaultValue) => {
             throw err;
         }
         domain = cidrMatch[1] || '';
+
         cidr4 = cidrMatch[2] ? Number(cidrMatch[2].substr(1)) : '';
         cidr6 = cidrMatch[3] ? Number(cidrMatch[3].substr(2)) : '';
+
+        if (type === 'ip6' && cidr4 && !cidr6) {
+            // there is no dual cidr for IP addresses
+            cidr6 = cidr4;
+            cidr4 = '';
+        }
     }
 
     domain = domain.toLowerCase().trim() || defaultValue;
@@ -270,7 +277,7 @@ const spfVerify = async (domain, opts) => {
                 case 'ip4':
                 case 'ip6':
                     {
-                        let { domain: range, cidr4, cidr6 } = parseCidrValue(val);
+                        let { domain: range, cidr4, cidr6 } = parseCidrValue(val, false, type);
                         if (!range) {
                             let err = new Error('SPF failure');
                             err.spfResult = { error: 'permerror', text: `bare IP address` };
@@ -315,7 +322,7 @@ const spfVerify = async (domain, opts) => {
 
                 case 'a':
                     {
-                        let { domain: a, cidr4, cidr6 } = parseCidrValue(val, domain);
+                        let { domain: a, cidr4, cidr6 } = parseCidrValue(val, domain, type);
                         let cidr = net.isIPv6(opts.ip) ? cidr6 : cidr4;
 
                         a = macro(a, opts);
@@ -339,7 +346,7 @@ const spfVerify = async (domain, opts) => {
 
                 case 'mx':
                     {
-                        let { domain: mxDomain, cidr4, cidr6 } = parseCidrValue(val, domain);
+                        let { domain: mxDomain, cidr4, cidr6 } = parseCidrValue(val, domain, type);
                         let cidr = net.isIPv6(opts.ip) ? cidr6 : cidr4;
 
                         try {

package/lib/tools.js

@@ -6,7 +6,6 @@ const punycode = require('punycode/');
 const libmime = require('libmime');
 const dns = require('dns').promises;
 const crypto = require('crypto');
-const pki = require('node-forge').pki;
 const https = require('https');
 const packageData = require('../package');
 const parseDkimHeaders = require('./parse-dkim-headers');
@@ -15,6 +14,9 @@ const { Certificate } = require('@fidm/x509');
 const zlib = require('zlib');
 const util = require('util');
 const gunzip = util.promisify(zlib.gunzip);
+const pki = require('node-forge').pki;
+const Joi = require('joi');
+const base64Schema = Joi.string().base64({ paddingRequired: false });
 
 const defaultDKIMFieldNames =
     'From:Sender:Reply-To:Subject:Date:Message-ID:To:' +
@@ -247,14 +249,23 @@ const getPublicKey = async (type, name, minBitLength, resolver) => {
         // prefix value for parsing as there is no default value
         let entry = parseDkimHeaders(`DNS: TXT;${rr}`);
 
-        let publicKey = entry?.parsed?.p?.value;
-        if (!publicKey) {
+        const publicKeyValue = entry?.parsed?.p?.value;
+        if (!publicKeyValue) {
             let err = new Error('Missing key value');
             err.code = 'EINVALIDVAL';
             err.rr = rr;
             throw err;
         }
 
+        let validation = base64Schema.validate(publicKeyValue);
+        if (validation.error) {
+            let err = new Error('Invalid base64 format for public key');
+            err.code = 'EINVALIDVAL';
+            err.rr = rr;
+            err.details = validation.error;
+            throw err;
+        }
+
         if (type === 'DKIM' && entry?.parsed?.v && (entry?.parsed?.v?.value || '').toString().toLowerCase().trim() !== 'dkim1') {
             let err = new Error('Unknown key version');
             err.code = 'EINVALIDVER';
@@ -262,28 +273,46 @@ const getPublicKey = async (type, name, minBitLength, resolver) => {
             throw err;
         }
 
-        publicKey = Buffer.from(`-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`);
-        let keyType = crypto.createPublicKey({ key: publicKey, format: 'pem' }).asymmetricKeyType;
+        let paddingNeeded = publicKeyValue.length % 4 ? 4 - (publicKeyValue.length % 4) : 0;
+
+        const publicKeyPem = Buffer.from(
+            `-----BEGIN PUBLIC KEY-----\n${(publicKeyValue + '='.repeat(paddingNeeded)).replace(/.{64}/g, '$&\n')}\n-----END PUBLIC KEY-----`
+        );
+        const publicKeyObj = crypto.createPublicKey({
+            key: publicKeyPem,
+            format: 'pem'
+        });
+
+        let keyType = publicKeyObj.asymmetricKeyType;
 
         if (!['rsa', 'ed25519'].includes(keyType) || (entry?.parsed?.k && entry?.parsed?.k?.value?.toLowerCase() !== keyType)) {
-            let err = new Error('Unknown key type');
+            let err = new Error('Unknown key type (${keyType})');
             err.code = 'EINVALIDTYPE';
             err.rr = rr;
             throw err;
         }
 
-        if (keyType === 'rsa') {
-            // check key length
-            const pubKeyData = pki.publicKeyFromPem(publicKey.toString());
-            if (pubKeyData.n.bitLength() < 1024) {
-                let err = new Error('Key too short');
-                err.code = 'ESHORTKEY';
-                err.rr = rr;
-                throw err;
-            }
+        let modulusLength;
+        if (publicKeyObj.asymmetricKeyDetails) {
+            modulusLength = publicKeyObj.asymmetricKeyDetails.modulusLength;
+        } else {
+            // fall back to node-forge
+            const pubKeyData = pki.publicKeyFromPem(publicKeyPem.toString());
+            modulusLength = pubKeyData.n.bitLength();
+        }
+
+        if (keyType === 'rsa' && modulusLength < 1024) {
+            let err = new Error('RSA key too short');
+            err.code = 'ESHORTKEY';
+            err.rr = rr;
+            throw err;
         }
 
-        return { publicKey, rr };
+        return {
+            publicKey: publicKeyPem,
+            rr,
+            modulusLength
+        };
     }
 
     let err = new Error('Missing key value');

package/man/mailauth.1

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "October 2021" "v2.2.3" "Mailauth Help"
+.TH "MAILAUTH" "1" "April 2022" "v2.3.1" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP
@@ -15,7 +15,7 @@ mailauth \- authenticate, sign and seal emails
 \fBmailauth\fP \fIcommand\fR \fBhelp\fP
 .SH DESCRIPTION
 .P
-Mailauth is an email authentication application to validate SPF, DKIM, DMARC and ARC\. You can also sign emails with DKIM digital signatures and seal messages with ARC\.
+Mailauth is an email authentication application to validate SPF, DKIM, DMARC, and ARC\. You can also sign emails with DKIM digital signatures and seal messages with ARC\.
 .SH COMMANDS
 .P
 \fBreport\fR
@@ -33,9 +33,13 @@ Authenticates an email and seals it with an ARC digital signature
 \fBspf\fR
 .br
 Authenticates SPF for an IP address and email address
+.P
+\fBlicense\fR
+.br
+Display licenses for mailauth and included modules
 .SH Website
 .P
-\fIhttps://github\.com/andris9/mailauth\fR
+\fIhttps://github\.com/postalsys/mailauth\fR
 .SH EXAMPLES
 .P
 \fBnpm install mailauth \-g\fP
@@ -49,7 +53,7 @@ Authenticates SPF for an IP address and email address
 \fBmailauth spf \-f andris@wildduck\.email \-i 217\.146\.76\.20\fP
 .SH EMAIL ARGUMENT
 .P
-Email argument defines path to the email message file in EML format\. If not specified then
+Email argument defines the path to the email message file in EML format\. If not specified, then
 content is read from standard input\.
 .SH OPTIONS
 .RS 0
@@ -61,19 +65,19 @@ Enable silly verbose mode
 Print application version
 .IP \(bu 2
 \fB\-\-client\-ip\fP, \fB\-i <ip>\fP
-Client IP used for SPF checks\. If not set then parsed from the latest Received header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
+Client IP used for SPF checks\. If not set, then parsed from the latest Received header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-mta\fP, \fB\-m <hostname>\fP
-Hostname of this machine, used in the Authentication\-Results header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
+The hostname of this machine, used in the \fBAuthentication\-Results\fP header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-helo\fP, \fB\-e <hostname>\fP
 Client hostname from the EHLO/HELO command, used in some specific SPF checks\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-sender\fP, \fB\-f <address>\fP
-Email address from the \fBMAIL FROM\fP command\. If not set then the address from the latest \fIReturn\-Path\fR header is used instead\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
+The email address from the \fBMAIL FROM\fP command\. If not set, the address from the latest \fIReturn\-Path\fR header is used instead\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-dns\-cache\fP, \fB\-n <file>\fP
-Path to a JSON file with cached DNS responses\. If this file is given then no actual DNS requests are performed\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
+Path to a JSON file with cached DNS responses\. If this file is given, then no actual DNS requests are performed\. Anything that is not listed returns an \fBENOTFOUND\fP error\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-private\-key\fP, \fB\-k <file>\fP
 Path to a private key for signing\. Allowed key types are RSA and Ed25519 (\fBsign\fP, \fBseal\fP)
@@ -91,16 +95,16 @@ Signing algorithm\. Defaults either to \fIrsa\-sha256\fR or \fIed25519\-sha256\f
 Canonicalization algorithm\. Defaults to \fIrelaxed/relaxed\fR\|\. (\fBsign\fP)
 .IP \(bu 2
 \fB\-\-body\-length\fP, \fB\-l <number>\fP
-\|'Maximum length of canonicalizated body to sign\. (\fBsign\fP)
+The maximum length of the canonicalized body to sign\. (\fBsign\fP)
 .IP \(bu 2
 \fB\-\-time\fP, \fB\-t <number>\fP
-Signing time as a unix timestamp\. (\fBsign\fP, \fBseal\fP)
+Signing time as a Unix timestamp\. (\fBsign\fP, \fBseal\fP)
 .IP \(bu 2
 \fB\-\-header\-fields\fP, \fB\-h <list>\fP
 Colon separated list of header field names to sign\. (\fBsign\fP, \fBseal\fP)
 .IP \(bu 2
 \fB\-\-headers\-only\fP, \fB\-o\fP
-Return signing headers only\. By default the entire message is printed to console\. (\fBsign\fP, \fBseal\fP, \fBspf\fP)
+Return signing headers only\. By default, the entire message is printed to the console\. (\fBsign\fP, \fBseal\fP, \fBspf\fP)
 .IP \(bu 2
 \fB\-\-max\-lookups\fP, \fB\-x\fP
 How many DNS lookups allowed for SPF validation\. Defaults to 50\. (\fBreport\fP, \fBspf\fP)
@@ -108,7 +112,7 @@ How many DNS lookups allowed for SPF validation\. Defaults to 50\. (\fBreport\fP
 .RE
 .SH DNS CACHE
 .P
-For cached DNS requests use the following JSON structure where main keys are domain names and subkeys are rr types\.
+For cached DNS requests, use the following JSON object structure: primary keys are domain names, and subkeys are resource record types\.
 .P
 .RS 2
 .nf
@@ -125,13 +129,13 @@ For cached DNS requests use the following JSON structure where main keys are dom
 .fi
 .RE
 .P
-Longer TXT strings can be split into multiple strings\. Unlike in real DNS there is no length limit, so you can put the entire public key into a single string\.
+You can split longer TXT strings into multiple strings\. There is no length limit, unlike in actual DNS so you can put the entire public key into a single string\.
 .SH BUGS
 .P
-Please report any bugs to https://github\.com/andris9/mailauth/issues\.
+Please report any bugs to https://github\.com/postalsys/mailauth/issues\.
 .SH LICENSE
 .P
-Copyright (c) 2020, Andris Reinman (MIT)\.
+Copyright (c) 2020\-2022, Postal Systems (MIT)\.
 .SH SEE ALSO
 .P
 node\.js(1)

package/man/man.md

@@ -12,7 +12,7 @@
 
 ## DESCRIPTION
 
-Mailauth is an email authentication application to validate SPF, DKIM, DMARC and ARC. You can also sign emails with DKIM digital signatures and seal messages with ARC.
+Mailauth is an email authentication application to validate SPF, DKIM, DMARC, and ARC. You can also sign emails with DKIM digital signatures and seal messages with ARC.
 
 ## COMMANDS
 
@@ -49,7 +49,7 @@ Display licenses for mailauth and included modules
 
 ## EMAIL ARGUMENT
 
-Email argument defines path to the email message file in EML format. If not specified then
+Email argument defines the path to the email message file in EML format. If not specified, then
 content is read from standard input.
 
 ## OPTIONS
@@ -61,19 +61,19 @@ content is read from standard input.
     Print application version
 
 -   `--client-ip`, `-i <ip>`
-    Client IP used for SPF checks. If not set then parsed from the latest Received header. (`report`, `seal`, `spf`)
+    Client IP used for SPF checks. If not set, then parsed from the latest Received header. (`report`, `seal`, `spf`)
 
 -   `--mta`, `-m <hostname>`
-    Hostname of this machine, used in the Authentication-Results header. (`report`, `seal`, `spf`)
+    The hostname of this machine, used in the `Authentication-Results` header. (`report`, `seal`, `spf`)
 
 -   `--helo`, `-e <hostname>`
     Client hostname from the EHLO/HELO command, used in some specific SPF checks. (`report`, `seal`, `spf`)
 
 -   `--sender`, `-f <address>`
-    Email address from the `MAIL FROM` command. If not set then the address from the latest _Return-Path_ header is used instead. (`report`, `seal`, `spf`)
+    The email address from the `MAIL FROM` command. If not set, the address from the latest _Return-Path_ header is used instead. (`report`, `seal`, `spf`)
 
 -   `--dns-cache`, `-n <file>`
-    Path to a JSON file with cached DNS responses. If this file is given then no actual DNS requests are performed. (`report`, `seal`, `spf`)
+    Path to a JSON file with cached DNS responses. If this file is given, then no actual DNS requests are performed. Anything that is not listed returns an `ENOTFOUND` error. (`report`, `seal`, `spf`)
 
 -   `--private-key`, `-k <file>`
     Path to a private key for signing. Allowed key types are RSA and Ed25519 (`sign`, `seal`)
@@ -91,23 +91,23 @@ content is read from standard input.
     Canonicalization algorithm. Defaults to _relaxed/relaxed_. (`sign`)
 
 -   `--body-length`, `-l <number>`
-    'Maximum length of canonicalizated body to sign. (`sign`)
+    The maximum length of the canonicalized body to sign. (`sign`)
 
 -   `--time`, `-t <number>`
-    Signing time as a unix timestamp. (`sign`, `seal`)
+    Signing time as a Unix timestamp. (`sign`, `seal`)
 
 -   `--header-fields`, `-h <list>`
     Colon separated list of header field names to sign. (`sign`, `seal`)
 
 -   `--headers-only`, `-o`
-    Return signing headers only. By default the entire message is printed to console. (`sign`, `seal`, `spf`)
+    Return signing headers only. By default, the entire message is printed to the console. (`sign`, `seal`, `spf`)
 
 -   `--max-lookups`, `-x`
     How many DNS lookups allowed for SPF validation. Defaults to 50. (`report`, `spf`)
 
 ## DNS CACHE
 
-For cached DNS requests use the following JSON structure where main keys are domain names and subkeys are rr types.
+For cached DNS requests, use the following JSON object structure: primary keys are domain names, and subkeys are resource record types.
 
 ```
 {
@@ -122,7 +122,7 @@ For cached DNS requests use the following JSON structure where main keys are dom
 }
 ```
 
-Longer TXT strings can be split into multiple strings. Unlike in real DNS there is no length limit, so you can put the entire public key into a single string.
+You can split longer TXT strings into multiple strings. There is no length limit, unlike in actual DNS so you can put the entire public key into a single string.
 
 ## BUGS
 
@@ -130,7 +130,7 @@ Please report any bugs to https://github.com/postalsys/mailauth/issues.
 
 ## LICENSE
 
-Copyright (c) 2020-2021, Postal Systems (MIT).
+Copyright (c) 2020-2022, Postal Systems (MIT).
 
 ## SEE ALSO
 

package/package.json

@@ -1,13 +1,13 @@
 {
     "name": "mailauth",
-    "version": "2.2.3",
+    "version": "2.3.2",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
         "test": "eslint \"lib/**/*.js\" \"test/**/*.js\" && mocha --recursive \"./test/**/*.js\" --reporter spec",
         "prepublish": "npm run man || true",
         "man": "cd man && marked-man --version `node -e \"console.log('v'+require('../package.json').version)\"` --manual 'Mailauth Help' --section 1 man.md > mailauth.1",
-        "build-dist": "npm run man && npm run licenses && pkg package.json",
+        "build-dist": "npm run man && npm run licenses && pkg --compress Brotli package.json",
         "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt"
     },
     "repository": {
@@ -31,28 +31,28 @@
     },
     "homepage": "https://github.com/postalsys/mailauth",
     "devDependencies": {
-        "chai": "4.3.4",
-        "eslint": "8.0.0",
+        "chai": "4.3.6",
+        "eslint": "8.14.0",
         "eslint-config-nodemailer": "1.2.0",
-        "eslint-config-prettier": "8.3.0",
+        "eslint-config-prettier": "8.5.0",
         "js-yaml": "4.1.0",
-        "license-report": "4.5.0",
+        "license-report": "5.0.2",
         "marked": "0.7.0",
         "marked-man": "0.7.0",
         "mbox-reader": "1.1.5",
-        "mocha": "9.1.2",
-        "pkg": "5.3.3"
+        "mocha": "9.2.2",
+        "pkg": "5.6.0"
     },
     "dependencies": {
         "@fidm/x509": "1.2.1",
         "ipaddr.js": "2.0.1",
-        "joi": "17.4.2",
+        "joi": "17.6.0",
         "libmime": "5.0.0",
-        "node-forge": "0.10.0",
-        "nodemailer": "6.7.0",
+        "node-forge": "1.3.1",
+        "nodemailer": "6.7.3",
         "psl": "1.8.0",
         "punycode": "2.1.1",
-        "yargs": "17.2.1"
+        "yargs": "17.4.1"
     },
     "engines": {
         "node": ">=14.0.0"
@@ -60,20 +60,21 @@
     "bin": {
         "mailauth": "bin/mailauth.js"
     },
-    "directories": {
-        "man": "man"
-    },
+    "man": [
+        "man/mailauth.1"
+    ],
     "pkg": {
         "scripts": [
             "workers/**/*.js"
         ],
         "assets": [
             "man/**/*",
-            "licenses.txt"
+            "licenses.txt",
+            "LICENSE.txt"
         ],
         "_targets": [
             "node16-macos-x64"
         ],
-        "outputPath": "dist"
+        "outputPath": "ee-dist"
     }
 }

package/licenses.txt

@@ -1,11 +0,0 @@
-name        license type               link                                              author
-----        ------------               ----                                              ------
-@fidm/x509  MIT                        git+ssh://git@github.com/fidm/x509.git            n/a
-ipaddr.js   MIT                        git://github.com/whitequark/ipaddr.js.git         whitequark
-joi         BSD-3-Clause               git://github.com/sideway/joi.git                  n/a
-libmime     MIT                        git://github.com/andris9/libmime.git              Andris Reinman
-node-forge  (BSD-3-Clause OR GPL-2.0)  git+https://github.com/digitalbazaar/forge.git    Digital Bazaar, Inc.
-nodemailer  MIT                        git+https://github.com/nodemailer/nodemailer.git  Andris Reinman
-psl         MIT                        git+ssh://git@github.com/lupomontero/psl.git      Lupo Montero
-punycode    MIT                        git+https://github.com/bestiejs/punycode.js.git   Mathias Bynens
-yargs       MIT                        git+https://github.com/yargs/yargs.git            n/a