On Thu, 17 Jan 2008, Jose-Marcio Martins da Cruz wrote:

> If I was a spammer, I'd add a faked "Authentication-Results" header. This
> trick can work if:
> * for some reason, dkim-filter unluckily dies Friday night and stays dead
>   during the whole weekend. In this case, forged Authentication-Results
>   will be passed to my filter, which will consider it OK.
If that's enough of a concern for your site, you should probably tell the MTA
to temp-fail messages when dkim-filter is offline.

Adding the job ID as a comment is allowed in the current A-R draft, so it would
be possible to add. For that matter, anything you want could go into a comment,
such as a fixed shared secret your other filters all know. That way they can
tell that the header was added by an upstream filter you trust, and there's no
change to the rest of the available information or format.

On another note, the first field of the A-R header is supposed to be the
hostname, but it doesn't have to be (see sections 2.2 and 2.3 of the draft).
You can make it the job ID or any other shared secret if that suits your needs.
However, if you do this, other downstream filters which implement the A-R
header field removal code won't be able to remove forged headers reliably,
because they won't know which values in that location are yours and which
aren't. I'd take this last idea as an FFR, adding a configuration option with
the default being to use the hostname as it is now. The documentation will
have to reflect the limitation it imposes on some sites.

> * for some reason, dkim-filter is running but it doesn't remove previous
>   authentication headers. Is this possible without a misconfiguration
>   issue?

Sure, there could be a bug. :-) But assuming no bugs and proper configuration,
forged headers should be properly stripped when detected.

-MSK
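The header-removal logic the reply describes, as an added example that is not part of the thread and not dkim-milter's own code. It assumes the message headers have already been parsed into (name, value) pairs, that the trusted authserv-id list is the filter's own hostname(s), and that the optional shared secret is carried as a comment in the first field, as the reply suggests. The sample headers, hostnames and the secret value are constructed for the demonstration.

```python
"""Strip Authentication-Results (A-R) headers a downstream filter must not trust.

Added example for this thread; not dkim-milter's code.  Assumes headers are a
list of (name, value) tuples already taken from the message.
"""
import hmac
import re
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# One level of (comment); nested comments are not handled here.
_COMMENT = re.compile(r"\(([^()]*)\)")


def _split_at_top_level_semicolon(value: str) -> Tuple[str, str]:
    """Split an A-R value at the first ';' that is not inside a (comment)."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == ";" and depth == 0:
            return value[:i], value[i + 1:]
    return value, ""


def parse_authserv(value: str) -> Tuple[str, List[str]]:
    """Return (authserv-id, comments) from the part before the first ';'.

    In the A-R draft the first field is the authserv-id (normally the hostname
    of the MTA that added the header), optionally followed by a version number
    and CFWS comments, e.g. "mail.example.net (job AB12345) 1; dkim=pass ...".
    """
    head, _ = _split_at_top_level_semicolon(value)
    comments = [c.strip() for c in _COMMENT.findall(head)]
    tokens = _COMMENT.sub(" ", head).split()
    authserv_id = tokens[0] if tokens else ""
    return authserv_id, comments


def is_trusted_ar(value: str, trusted_ids: Iterable[str],
                  shared_secret: Optional[str] = None) -> bool:
    """True if this A-R header was added by a filter we trust.

    The authserv-id must match one of our own hostnames and, when a shared
    secret is configured (the "fixed shared secret in a comment" idea from the
    reply), one comment must equal that secret.
    """
    authserv_id, comments = parse_authserv(value)
    if authserv_id.lower() not in {t.lower() for t in trusted_ids}:
        return False
    if shared_secret is None:
        return True
    secret = shared_secret.encode("utf-8")
    return any(hmac.compare_digest(c.encode("utf-8"), secret) for c in comments)


def strip_untrusted_ar(headers: List[Header], trusted_ids: Iterable[str],
                       shared_secret: Optional[str] = None
                       ) -> Tuple[List[Header], List[str]]:
    """Return (headers to keep, A-R values that were removed as untrusted)."""
    trusted = list(trusted_ids)
    kept: List[Header] = []
    removed: List[str] = []
    for name, value in headers:
        if (name.lower() == "authentication-results"
                and not is_trusted_ar(value, trusted, shared_secret)):
            removed.append(value)
        else:
            kept.append((name, value))
    return kept, removed


# Constructed sample headers (not from the thread).
SHARED_SECRET = "s3cr3t-cookie"  # constructed; a real one lives in the milter config
SAMPLE_HEADERS: List[Header] = [
    ("From", "alice@example.org"),
    # genuine: added by our own dkim-filter, secret carried as a comment
    ("Authentication-Results",
     "mail.example.net (s3cr3t-cookie); dkim=pass header.d=example.org"),
    # forged: authserv-id is not one of ours
    ("Authentication-Results",
     "attacker.example; dkim=pass header.d=example.org"),
    # forged: our hostname, but no shared-secret comment
    ("Authentication-Results",
     "mail.example.net; dkim=pass header.d=example.org"),
    ("Subject", "hello"),
]


def demo() -> Tuple[int, int]:
    """Count removed A-R headers with hostname check only vs hostname + secret."""
    _, by_hostname = strip_untrusted_ar(SAMPLE_HEADERS, ["mail.example.net"])
    _, by_secret = strip_untrusted_ar(SAMPLE_HEADERS, ["mail.example.net"],
                                      SHARED_SECRET)
    return len(by_hostname), len(by_secret)


if __name__ == "__main__":
    print(demo())
```

With only the hostname check, the header that spoofs our own hostname survives; adding the shared-secret comment lets the downstream filter drop it too while the value format stays standard. Putting a per-message job ID in the first field instead, as the reply warns, leaves a downstream filter with nothing stable to match against, so it could not distinguish our header from a forged one.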
