You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2019/11/21 14:56:28 UTC

[Bug 7775] New: DKIM plugin: add recognition of Authentication-Results header

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775

            Bug ID: 7775
           Summary: DKIM plugin: add recognition of Authentication-Results
                    header
           Product: Spamassassin
           Version: 3.4.2
          Hardware: PC
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: cepheid@3phase.com
  Target Milestone: Undefined

(Submitted per request from KAM)

Request to update DKIM plugin to enable recognition/use of
Authentication-Results header from MTA-level DKIM milters.

Many users run DKIM authentication (e.g., opendkim) in their MTA, but SA does
not currently use these results and instead validates DKIM internally.  This
duplicates processing unnecessarily, and also can cause issues if the mail
headers or body are modified by some utility (e.g., MailScanner) prior to
getting to SA.

Using the Authentication-Results header output from DKIM milters (e.g.,
opendkim) would reduce SA processing and allow recognition of valid DKIM even
if a downline (trusted!) program may modify the message en route between MTA
and SA prior to final delivery.

Example headers from opendkim:

Received: from some.domain.com (some.domain.com [1.2.3.4])
        by mta.myhost.com (8.14.7/8.14.7) with ESMTP id xAKDWAi3031360
        (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NO)
        for <us...@myhost.com>; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
        dkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com
header.b="lsRKcc5K"


So, a header rule that looks for "dkim=pass" in Authentication-Results, with
verification server (first FQDN in the header) matching the user domain, should
result in DKIM_VALID; if header.d and/or header.i match sender domain then
DKIM_VALID_EF or _AU.

AFAICT the Authentication-Results header is inserted immediately below the
Received header where DKIM validation is performed, which should be either
last_received or in trusted_networks.  Therefore, to prevent spammer spoofing
of this header, require that validation server (first FQDN in the header)
matches the receiving host in immediately preceding Received line, and require
that this host is either last_received or in trusted_networks.

Happy to provide additional header examples, and/or to help with rule
generation, if desired.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7775] DKIM plugin: add recognition of Authentication-Results header

Posted by bu...@spamassassin.apache.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775

Amir Caspi <ce...@3phase.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|PC                          |All
                 CC|                            |cepheid@3phase.com
                 OS|Mac OS X                    |All

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7775] DKIM plugin: add recognition of Authentication-Results header

Posted by bu...@spamassassin.apache.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775

Sidney Markowitz <si...@sidney.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sidney@sidney.com
   Target Milestone|Undefined                   |3.4.5

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7775] DKIM plugin: add recognition of Authentication-Results header

Posted by bu...@spamassassin.apache.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775

Henrik Krohns <ap...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED
                 CC|                            |apache@hege.li

--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
There's already Bug 6918 for this.

*** This bug has been marked as a duplicate of bug 6918 ***

-- 
You are receiving this mail because:
You are the assignee for the bug.