On Fri, 5 May 2017, David Jones wrote:
I think I would have to write a simple SA plugin to compare the
envelope-from with the DKIM signature domain to see if they matched
then I could use a meta rule to glue all of this together.

From: Matus UHLAR - fantomas <uh...@fantomas.sk>
agreed but there's still one thing I don't understand:

If a mail is DKIM-signed, it means that it's authenticated, including
headers like From:.

On 05.05.17 22:34, David Jones wrote:
Authentication and authorization are very different things.

I should probably have said "authentic" - the content was not modified
between signer and receiver.

what's the point of checking if SPF and DKIM domains match?
This way authentic (but forwarded, e.g. through mailing lists) mail will get
"caught" but what's the point of it?

DKIM signing only does authentication to prevent tampering with the
body and headers.  It doesn't have to do with authorization like
SPF does.  Both authentication and authorization are needed to prove
an email is from who it claims to be and not altered.

actually, if the mail contains DKIM-signed headers and body, it has not been
altered.

It may have been forwarded through another account or mailing list, but the
DKIM-verified content is still unmodified(1).

Even having broken SPF doesn't mean much in this case (although it should
invalidate whitelist_auth). but I still don't get the point:
What is a problem when DKIM-verified is forwarded through different domain
(without alteration)?

Of course a compromised mail account can send both an authorized
and authenticated email with malicious content.  You don't want to
whitelist_auth domains with real user accounts that can be compromised.

any account can be compromised - you'd have to avoid whitelisting at all.


(1) if the DKIM key gets compromised, the whole discussion is irrelevant, so I
don't take this into account.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are

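The comparison David describes (DKIM signing domain against the envelope-from, and by extension the From: header) can be sketched outside SpamAssassin. This is an added example, not code from the thread or from the SpamAssassin project; the headers are constructed to model the forwarded-through-a-list case Matus raises, and the organizational-domain rule is a deliberate simplification (a real check would consult the Public Suffix List).

```python
import email.utils
from typing import Optional

# Constructed sample: a message signed by example.com that was relayed through a
# mailing list, so the envelope sender now belongs to the list's domain while the
# original DKIM signature is still intact.
FORWARDED_SAMPLE = {
    "From": "Alice <alice@example.com>",
    "Return-Path": "<list-bounces@lists.example.org>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
                       " h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER="),
}

def dkim_signing_domain(dkim_signature: str) -> Optional[str]:
    """Return the d= tag of a DKIM-Signature header value, lowercased."""
    for tag in dkim_signature.split(";"):
        name, _, value = tag.strip().partition("=")   # split on first '=' only
        if name.strip().lower() == "d":
            return value.strip().lower() or None
    return None

def address_domain(addr_header: str) -> Optional[str]:
    """Domain of the address in a From:/Return-Path style header."""
    _, addr = email.utils.parseaddr(addr_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real code should use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def aligned(dkim_domain: Optional[str], other: Optional[str], strict: bool = False) -> bool:
    """Strict: exact match. Relaxed: same organizational domain (DMARC-style)."""
    if not dkim_domain or not other:
        return False
    if strict:
        return dkim_domain == other
    return organizational_domain(dkim_domain) == organizational_domain(other)

def check_alignment(headers: dict, strict: bool = False) -> dict:
    """Report whether the DKIM d= domain aligns with envelope-from and From:."""
    d = dkim_signing_domain(headers.get("DKIM-Signature", ""))
    return {
        "dkim_domain": d,
        "envelope_from_aligned": aligned(d, address_domain(headers.get("Return-Path", "")), strict),
        "header_from_aligned": aligned(d, address_domain(headers.get("From", "")), strict),
    }
```

For the forwarded sample the From: domain aligns with the signature but the envelope-from does not, which is exactly the forwarded-but-unaltered case the thread is arguing about; a meta rule would have to decide what that combination is worth.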