You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2019/11/21 14:56:28 UTC
[Bug 7775] New: DKIM plugin: add recognition of
Authentication-Results header
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775
Bug ID: 7775
Summary: DKIM plugin: add recognition of Authentication-Results
header
Product: Spamassassin
Version: 3.4.2
Hardware: PC
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: cepheid@3phase.com
Target Milestone: Undefined
(Submitted per request from KAM)
Request to update DKIM plugin to enable recognition/use of
Authentication-Results header from MTA-level DKIM milters.
Many users run DKIM authentication (e.g., opendkim) in their MTA, but SA does
not currently use these results and instead validates DKIM internally. This
duplicates processing unnecessarily, and also can cause issues if the mail
headers or body are modified by some utility (e.g., MailScanner) prior to
getting to SA.
Using the Authentication-Results header output from DKIM milters (e.g.,
opendkim) would reduce SA processing and allow recognition of valid DKIM even
if a downline (trusted!) program may modify the message en route between MTA
and SA prior to final delivery.
Example headers from opendkim:
Received: from some.domain.com (some.domain.com [1.2.3.4])
by mta.myhost.com (8.14.7/8.14.7) with ESMTP id xAKDWAi3031360
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NO)
for <us...@myhost.com>; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
dkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com
header.b="lsRKcc5K"
So, a header rule that looks for "dkim=pass" in Authentication-Results, with
verification server (first FQDN in the header) matching the user domain, should
result in DKIM_VALID; if header.d and/or header.i match sender domain then
DKIM_VALID_EF or _AU.
AFAICT the Authentication-Results header is inserted immediately below the
Received header where DKIM validation is performed, which should be either
last_received or in trusted_networks. Therefore, to prevent spammer spoofing
of this header, require that validation server (first FQDN in the header)
matches the receiving host in immediately preceding Received line, and require
that this host is either last_received or in trusted_networks.
Happy to provide additional header examples, and/or to help with rule
generation, if desired.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7775] DKIM plugin: add recognition of Authentication-Results
header
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775
Amir Caspi <ce...@3phase.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Hardware|PC |All
CC| |cepheid@3phase.com
OS|Mac OS X |All
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7775] DKIM plugin: add recognition of Authentication-Results
header
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775
Sidney Markowitz <si...@sidney.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sidney@sidney.com
Target Milestone|Undefined |3.4.5
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7775] DKIM plugin: add recognition of Authentication-Results
header
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
CC| |apache@hege.li
--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
There's already Bug 6918 for this.
*** This bug has been marked as a duplicate of bug 6918 ***
--
You are receiving this mail because:
You are the assignee for the bug.