Bill Sommerfeld via Postfix-users:
> On 12/22/23 17:30, Vijay S Sarvepalli via Postfix-users wrote:
> > Arguably the second server is at fault here for "SPF" signing two
> > emails, nevertheless the vulnerability is due to the combinatorial or
> > Composition Attack as Wietse has identified.
>
> SPF does not involve any per-message signatures. Did you perhaps mean
> to say "DKIM" here?

Vijay was confused. The smuggled message has no From: aligned DKIM
signature from the From: address domain. The receiving mail system is in
a different domain, and therefore cannot add a From: aligned DKIM
signature. The receiving MTA can assert that the message was received
from an IP address that satisfied the SPF policy for the envelope sender
domain. That is the whole point of this attack on SPF-based
authentication.

	Wietse
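Added example (not from this thread and not Postfix code): a DMARC-style identifier alignment check run over a constructed smuggled message, showing that SPF on the envelope sender aligns with the From: domain while no aligned DKIM signature exists. The `require_dkim` switch is an assumed local receiver policy, not part of DMARC, and the organizational-domain reduction is a simplification.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    """Reduce a domain to its organizational domain (last two labels).
    Simplification: real DMARC consults the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def header_from_domain(raw_message):
    """Domain of the RFC5322.From address, the identifier DMARC aligns against."""
    addr = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return addr.rsplit("@", 1)[1] if "@" in addr else None

def evaluate(raw_message, envelope_from, spf_result, dkim_domains, require_dkim=False):
    """spf_result: the MTA's SPF verdict ('pass'/'fail') for envelope_from's domain.
    dkim_domains: d= values of DKIM signatures that verified on this message.
    require_dkim: assumed local policy (not standard DMARC) ignoring SPF-only alignment."""
    from_dom = header_from_domain(raw_message)
    if from_dom is None:
        return {"from_domain": None, "spf_aligned": False, "dkim_aligned": False, "verdict": "fail"}
    env_dom = envelope_from.rsplit("@", 1)[1]
    spf_aligned = spf_result == "pass" and org_domain(env_dom) == org_domain(from_dom)
    dkim_aligned = any(org_domain(d) == org_domain(from_dom) for d in dkim_domains)
    if require_dkim:
        verdict = "pass" if dkim_aligned else "fail"
    else:
        verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {"from_domain": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "verdict": verdict}

# Constructed sample: the smuggled inner message as the receiving MTA sees it.
SMUGGLED = (
    "From: CEO <ceo@victim.example>\n"
    "To: finance@target.example\n"
    "Subject: Urgent wire\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

def smuggled_verdicts():
    """The outer SMTP session came from victim.example's outbound relay, so SPF
    on the smuggled MAIL FROM passes; no victim.example DKIM signature exists."""
    loose = evaluate(SMUGGLED, "ceo@victim.example", "pass", [])
    strict = evaluate(SMUGGLED, "ceo@victim.example", "pass", [], require_dkim=True)
    return loose, strict

if __name__ == "__main__":
    loose, strict = smuggled_verdicts()
    print("SPF-or-DKIM policy:", loose["verdict"])    # pass: SPF alone aligns
    print("DKIM-required policy:", strict["verdict"])  # fail: no aligned signature
```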