On Sun, 19 Aug 2012, Devin Carraway wrote:
> This was reported as Debian bug#684571 (http://bugs.debian.org/684571):
>
> > When TLS is in use, qpsmtpd creates a Received header of the form
> >
> > Received: from 87.114.148.171.plusnet.thn-ag1.dyn.plus.net (HELO
> > george.localnet) (87.114.148.171)
> > (smtp-auth username XXELIDEDXXX, mechanism cram-md5)
> > by tauism.org (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA; Thu, 02
> > Aug 2012 23:04:55 +0100
> >
> > According to RFC 5322, comments may not appear between "with" and the
> > protocol. The BNF allows only FWS there, not CFWS.
>
> This appears correct based on a quick read of RFC5321 (RFC5322 doesn't
> explicitly say as much but defers to 5321 concerning specific trace data).
>
> The reporter goes on to suggest that this causes a mis-parse by spamassassin
> and causes mail to be interpreted as from an untrusted source since the sender
> auth isn't collected. I haven't verified this part.
>
> Submitter provides a patch, available here:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=qpsmtpd-received-with-ssl.patch;att=1;bug=684571

The patch does more than just excise the "comment". It also removes the
auth information, for privacy/security reasons. Ditto for the encryption
"comment", which has just been deleted, rather than being added another way -
e.g. using a suffix rather than infix "comment" as Exim appears to do:
...
Received: from catfur.mutualaid.org ([64.27.25.168])
by mail.sourceforge.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.44)
id 1EbHQq-0007HV-5t
for [email protected]; Sun, 13 Nov 2005 04:58:05 -0800
...
The proposed Debian patch shouldn't be applied as-is, at least not without
discussion.
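
Added example, not part of the original message and not qpsmtpd or SpamAssassin code: a small Python check for the layout the bug report describes (a comment between "with" and the protocol in a Received header), plus a rewrite that moves the comment to the suffix position seen in the Exim header quoted above. The sample headers, host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed samples: same layout as the two headers in the thread, example hosts.
QPSMTPD = ("from client.example.net (HELO george.localnet) (192.0.2.10)\n"
           "  (smtp-auth username alice, mechanism cram-md5) by mx.example.org (qpsmtpd/0.84)\n"
           "  with (AES256-SHA encrypted) ESMTPSA; Thu, 02 Aug 2012 23:04:55 +0100")
EXIM = ("from relay.example.net ([192.0.2.20]) by mail.example.org\n"
        "  with esmtps (TLSv1:AES256-SHA:256) (Exim 4.44); Sun, 13 Nov 2005 04:58:05 -0800")

def tokenize(raw):
    """Unfold a Received value and split it into (kind, text) tokens."""
    value = re.sub(r"\r?\n[ \t]+", " ", raw)
    tokens, i, n = [], 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":            # comment: may nest, "\" quotes the next char
            depth, j = 0, i
            while j < n:
                depth += {"(": 1, ")": -1}.get(value[j], 0)
                if depth == 0:
                    break
                j += 2 if value[j] == "\\" else 1
            tokens.append(("comment", value[i:j + 1]))
            i = j + 1
        else:                            # word; ";" is always its own token
            j = i + 1
            while value[i] != ";" and j < n and not (value[j].isspace() or value[j] in "(;"):
                j += 1
            tokens.append(("word", value[i:j]))
            i = j
    return tokens

def find_infix(raw):  # (tokens, k): token k is "with" directly followed by a comment, else k = -1
    toks = tokenize(raw)
    for k in range(len(toks) - 1):
        if toks[k][0] == "word" and toks[k][1].lower() == "with" and toks[k + 1][0] == "comment":
            return toks, k
    return toks, -1

def infix_comment(raw):
    toks, k = find_infix(raw)
    return toks[k + 1][1] if k >= 0 else None

def to_suffix(raw):  # move an infix comment to just after the protocol word
    toks, k = find_infix(raw)
    if k >= 0 and k + 2 < len(toks) and toks[k + 2][0] == "word" and toks[k + 2][1] != ";":
        toks[k + 1], toks[k + 2] = toks[k + 2], toks[k + 1]
    return " ".join(text for _, text in toks).replace(" ;", ";")
```

to_suffix returns the header value unfolded onto one line; re-folding before it is written back is left to the caller.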