https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7775

            Bug ID: 7775
           Summary: DKIM plugin: add recognition of Authentication-Results
                    header
           Product: Spamassassin
           Version: 3.4.2
          Hardware: PC
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: ceph...@3phase.com
  Target Milestone: Undefined

(Submitted per request from KAM)

Request to update DKIM plugin to enable recognition/use of
Authentication-Results header from MTA-level DKIM milters.

Many users run DKIM authentication (e.g., opendkim) in their MTA, but SA does
not currently use these results and instead validates DKIM internally.  This
duplicates processing unnecessarily, and also can cause issues if the mail
headers or body are modified by some utility (e.g., MailScanner) prior to
getting to SA.

Using the Authentication-Results header output from DKIM milters (e.g.,
opendkim) would reduce SA processing and allow recognition of valid DKIM even
if a downline (trusted!) program may modify the message en route between MTA
and SA prior to final delivery.

Example headers from opendkim:

Received: from some.domain.com (some.domain.com [1.2.3.4])
        by mta.myhost.com (8.14.7/8.14.7) with ESMTP id xAKDWAi3031360
        (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
        for <u...@myhost.com>; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
        dkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com
        header.b="lsRKcc5K"

So, a header rule that looks for "dkim=pass" in Authentication-Results, with the
verification server (first FQDN in the header) matching the user domain, should
result in DKIM_VALID; if header.d and/or header.i match the sender domain, then
DKIM_VALID_EF or _AU.

AFAICT the Authentication-Results header is inserted immediately below the
Received header where DKIM validation is performed, which should be either
last_received or in trusted_networks.  Therefore, to prevent spammer spoofing
of this header, require that validation server (first FQDN in the header)
matches the receiving host in immediately preceding Received line, and require
that this host is either last_received or in trusted_networks.

Happy to provide additional header examples, and/or to help with rule
generation, if desired.

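The checks proposed in the report, written out as an added example (plain Python, not SpamAssassin code or rule syntax, and not something the reporter posted): unfold the headers, take the authserv-id from each Authentication-Results header, require it to equal the "by" host of the nearest Received line above it, require that hop to be the topmost Received (last_received) or a trusted relay, and only then map dkim=pass to DKIM_VALID, with DKIM_VALID_AU when header.d/header.i match the From domain and DKIM_VALID_EF when they match the Return-Path domain. The TRUSTED_HOSTS set is an assumed hostname stand-in for SA's IP-based trusted_networks, and the three messages are constructed for this example, modelled on the opendkim headers quoted above.

```python
import re

# Assumed trusted relays (hostname stand-in for SA's IP-based trusted_networks).
TRUSTED_HOSTS = {"mta.myhost.com", "mx.myhost.com"}

# Constructed messages modelled on the opendkim output quoted in the report.
GOOD = """\
Return-Path: <bounce@domain.com>
Received: from some.domain.com (some.domain.com [1.2.3.4])
        by mta.myhost.com with ESMTP id xAKDWAi3031360; Wed, 20 Nov 2019 13:32:12 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 mta.myhost.com xAKDWAi3031360
Authentication-Results: mta.myhost.com;
        dkim=pass (2048-bit key) header.d=domain.com header.i=@domain.com
        header.b="lsRKcc5K"
From: Someone <someone@domain.com>
"""
# Inbound MX verified DKIM, then an internal relay added a Received line on top.
RELAYED = """\
Return-Path: <bounce@esp.example>
Received: from mx.myhost.com (mx.myhost.com [10.0.0.5])
        by imap.myhost.com with ESMTP id AAA; Wed, 20 Nov 2019 13:33:00 GMT
Received: from some.domain.com (some.domain.com [1.2.3.4])
        by mx.myhost.com with ESMTP id BBB; Wed, 20 Nov 2019 13:32:50 GMT
Authentication-Results: mx.myhost.com; dkim=pass header.d=domain.com
From: Someone <someone@domain.com>
"""
# Spammer-supplied headers: the first names our MTA but sits under a foreign
# Received line; the second matches its Received line, but that hop is untrusted.
SPOOFED = """\
Return-Path: <alerts@bank.example>
Received: from some.domain.com (some.domain.com [1.2.3.4])
        by mta.myhost.com with ESMTP id CCC; Wed, 20 Nov 2019 13:40:00 GMT
Received: from evil.example ([5.6.7.8])
        by some.domain.com with ESMTP id DDD; Wed, 20 Nov 2019 13:39:00 GMT
Authentication-Results: mta.myhost.com; dkim=pass header.d=bank.example
Authentication-Results: some.domain.com; dkim=pass header.d=bank.example
From: Bank <alerts@bank.example>
"""


def unfold_headers(raw):
    """Return [(name, value)] in wire order, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # end of the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, [(method, result, props)])."""
    value = re.sub(r"\([^)]*\)", " ", value)        # drop CFWS comments like "(2048-bit key)"
    authserv, _, rest = value.partition(";")
    results = []
    for chunk in rest.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)\s*(.*)", chunk)
        if not m:
            continue
        props = {}
        for pm in re.finditer(r'([\w.]+)=(?:"([^"]*)"|(\S+))', m.group(3)):
            props[pm.group(1).lower()] = pm.group(2) if pm.group(2) is not None else pm.group(3)
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return (authserv.split() or [""])[0].lower(), results


def received_by_host(value):
    m = re.search(r"\bby\s+([\w.-]+)", value, re.I)
    return m.group(1).lower() if m else None


def address_domain(value):
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else None


def evaluate(raw, trusted_hosts=TRUSTED_HOSTS):
    """Return the sorted rule names (DKIM_VALID, _AU, _EF) a trustworthy A-R header earns."""
    headers = unfold_headers(raw)
    lookup = {n.lower(): v for n, v in headers}
    author = address_domain(lookup.get("from", ""))
    envelope = address_domain(lookup.get("return-path", ""))
    received = [i for i, (n, _) in enumerate(headers) if n.lower() == "received"]
    last_received = received[0] if received else None
    hits = set()
    for i, (name, value) in enumerate(headers):
        if name.lower() != "authentication-results":
            continue
        authserv, results = parse_auth_results(value)
        above = max((j for j in received if j < i), default=None)
        if above is None:
            continue                                # no Received line above it at all
        by_host = received_by_host(headers[above][1])
        if by_host != authserv:
            continue                                # not written by the host that received it
        if above != last_received and by_host not in trusted_hosts:
            continue                                # an upstream hop we do not trust
        for method, result, props in results:
            if method != "dkim" or result != "pass":
                continue
            hits.add("DKIM_VALID")
            signed = {props.get("header.d", "").lower(),
                      props.get("header.i", "").rpartition("@")[2].lower()} - {""}
            if author in signed:
                hits.add("DKIM_VALID_AU")
            if envelope in signed:
                hits.add("DKIM_VALID_EF")
    return sorted(hits)


if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("relayed", RELAYED), ("spoofed", SPOOFED)):
        print(label, evaluate(msg))
```

The RELAYED case is the one the report's last_received condition alone would miss: the verifying MX is no longer the topmost hop, so it has to be admitted through the trusted set instead. Both SPOOFED headers are rejected for different reasons, which is the point of tying the authserv-id to the immediately preceding Received line rather than just grepping for dkim=pass.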