On 10/4/19 12:22 PM, A. Schulze wrote:
Hi Grant,
Maybe we're talking about different things :-)
Based on your description, I believe we are talking about different things. Thank you for the clarification.
The OpenDMARC bug could be triggered by this RFC5322.From:
From: user <user@yahoo.example>, user <user@badguy.example>
I seem to recall that it is within RFC spec to have multiple addresses in the From: header.
I would assume that all would need to pass DMARC alignment tests for the message to also pass DMARC alignment tests. This would likely be difficult to do if the From: addresses are part of separate domains, especially if they are from separate organizations.
Mallory could send a message which authenticates as badguy.example but OpenDMARC reports "dmarc=pass domain=yahoo.example". That's fixed with https://github.com/trusteddomainproject/OpenDMARC/pull/48/commits/f6b615e345037408b88b2ffd1acd03239af8a858
That seems like a problem. I'm glad that it was fixed.
But back to SA: there is a difference between this comma separated list and the display name containing a second address ...
Agreed. I still think that the MUA has some culpability in both cases; multiple addresses in one From: header and multiple From: headers.
-- Grant. . . . unix || die
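
Added example, not part of the original message and not OpenDMARC's code: a sketch of the "every From: address must align" rule discussed above, covering the comma-separated list, multiple From: headers, and an address hidden in the display name. The function names are hypothetical, and only strict (exact-match) alignment is shown, since relaxed alignment needs a Public Suffix List lookup.

```python
from email.utils import getaddresses


def from_domains(from_values):
    """Collect the domain of every addr-spec in all From: header values.

    from_values: list of raw From: header bodies (one per From: header).
    Returns a set of lowercased domains, or None if any entry is unparsable.
    """
    domains = set()
    for _display_name, addr in getaddresses(from_values):
        local, sep, domain = addr.rpartition("@")
        if not (local and sep and domain):
            return None  # malformed or empty address: refuse to evaluate
        domains.add(domain.lower().rstrip("."))
    return domains or None


def dmarc_aligned(from_values, authenticated_domains):
    """True only if EVERY From: domain equals an SPF/DKIM-authenticated domain.

    authenticated_domains: domains that passed SPF or DKIM (assumed input,
    produced by earlier checks that are out of scope here).
    Strict alignment only; relaxed alignment would compare Organizational
    Domains instead of exact names.
    """
    domains = from_domains(from_values)
    if domains is None:
        return False
    authed = {d.lower().rstrip(".") for d in authenticated_domains}
    return domains <= authed


if __name__ == "__main__":
    # Constructed sample headers, using the addresses from the thread.
    comma_list = ["user <user@yahoo.example>, user <user@badguy.example>"]
    two_headers = ["user <user@yahoo.example>", "user <user@badguy.example>"]
    display_name = ['"user@yahoo.example" <user@badguy.example>']
    for label, hdrs in [("comma list", comma_list),
                        ("two headers", two_headers),
                        ("display name", display_name)]:
        print(label, sorted(from_domains(hdrs)),
              "aligned with badguy.example only:",
              dmarc_aligned(hdrs, {"badguy.example"}))
```

The display-name case aligns with badguy.example because the only real address is in that domain; what the recipient sees in the display name is outside what DMARC evaluates.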