[Bug 5941] parsing original SMTP Server not working properly

[bu...@bugzilla.spamassassin.org]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5941





--- Comment #9 from Tom Fernandes <an...@gmx.net>  2008-08-03 08:01:38 PST ---
After reading in lib/Mail/SpamAssassin/Message/Metadata/Received.pm and doing
some tests I think that the issue is that my SMTP-AUTH with the GMX SMTP server
is not recognized by SA.

AFAICT there is nothing in GMXs received headers where SA can tell from that
I've been authenticating with GMX before sending my mail. It looks like GMX
adds the "X-Authenticated" header for that but SA can't rely on that as it can
be easily forged.

When I modify GMXs received header in the mail manually (switch SMTP with
ASMTP) and the according part in Received.pm (the line where GMXs mailserver is
matched) so that SA thinks that I've been authenticated before relaying through
GMX, the connection is trusted and the SPF and other rules are not run on the
dynamic IP.

It looks like this is a problem for all GMX users, using a pop fetcher + SA
when receiving mails from somebody sending from a GMX account using a dialup
IP. It does not make a difference if the sender uses SMTP or GMX webfrontend
for sending. In both cases SA doesn't find out that the user authenticated
before using GMX.

Wouldn't it be possible to trust GMX server if it is the first hop in the
received headers and it's not listed as an MX?. AFAICT GMX is known to
authenticate all users who are relaying through them and the MX servers don't
allow relaying (I did a fast telnet-check).

If the headers of a mail send through the webfrontend is of any help - let me
know.

thanks,


Tom


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.