Hi Jose-Marcio,

At 12:05 17-01-2008, Jose-Marcio Martins da Cruz wrote:
>I was thinking about two low probabilities situations.
>
>If I was a spammer, I'd add a faked "Authentification-Results" header.
>This trick can work if :
>* for some reason, dkim-filter unluckly dies friday night, and stay dead
>  during all week-end. In this case, forged Authentication-Results
>  will be passed to my filter who will consider it's OK.
That would be a problem in such a situation as your filter automatically trusts the A-R header it is getting. I would make sure that the message doesn't get through (tempfail) if dkim-filter dies. That may not be an acceptable "fix" in some environments as mail won't be coming in over the weekend. Using the queue-id would only lower the probability further.

>* for some reason, dkim-filter is running but it doesn't remove previous
>  authentication headers. Is this possible without a misconfiguration
>  issue ?

This situation would arise only if there is a bug in dkim-filter.

These situations have been discussed on the Authentication-Results mailing list. Murray posted another proposal (draft-kucherawy-sender-auth-esmtp-00) which conveys the information through an SMTP extension instead of a mail header. That should reduce the scope for forgeries.

Regards,
-sm
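The two mitigations discussed in this exchange (tempfail when no header from the local dkim-filter is present, and tying the trusted header to the MTA queue-id) as an added example of the downstream filter's trust policy; this is not dkim-milter code and not code from either poster. It assumes the local dkim-filter writes `mx.example.net` as its authserv-id and that it embeds the queue-id as a comment in that header, which is an assumed convention used here to illustrate the queue-id idea, not something dkim-filter does on its own.

```python
"""Trust policy for Authentication-Results (A-R) headers downstream of dkim-filter.

Added example. Assumptions: the local dkim-filter signs its A-R header with
TRUSTED_AUTHSERV_ID, and (optionally) puts the MTA queue-id in a comment so a
header copied from an older message cannot be replayed.
"""
import email
import re
from typing import Optional

TRUSTED_AUTHSERV_ID = "mx.example.net"  # hypothetical authserv-id of the local dkim-filter


def _flatten(value: str) -> str:
    """Collapse folded continuation lines of a header into one line."""
    return re.sub(r"\s+", " ", value).strip()


def authserv_id(value: str) -> str:
    """Return the authserv-id: the first token before the first ';'."""
    head = value.split(";", 1)[0]
    head = re.sub(r"\([^)]*\)", " ", head)  # drop comments such as "(queue-id: ...)"
    tokens = head.split()
    return tokens[0].lower() if tokens else ""


def is_local(value: str, queue_id: Optional[str]) -> bool:
    """A header is trusted only if it names our authserv-id and, when a queue-id
    is supplied, carries that queue-id (assumed convention for the local filter)."""
    if authserv_id(value) != TRUSTED_AUTHSERV_ID:
        return False
    if queue_id is not None and f"queue-id: {queue_id}" not in value:
        return False
    return True


def evaluate(raw: bytes, queue_id: Optional[str] = None) -> dict:
    """Strip A-R headers we did not produce; defer if none of ours is present."""
    msg = email.message_from_bytes(raw)
    headers = [_flatten(v) for v in msg.get_all("Authentication-Results", [])]
    local = [h for h in headers if is_local(h, queue_id)]
    foreign = [h for h in headers if not is_local(h, queue_id)]
    # Remove every A-R header, then restore only the ones from our own filter.
    del msg["Authentication-Results"]
    for h in local:
        msg["Authentication-Results"] = h
    if not local:
        # Nothing from our dkim-filter: assume it is not running and tempfail
        # rather than believe whatever the sender supplied.
        return {"action": "tempfail", "dkim": None, "stripped": foreign, "message": msg}
    m = re.search(r"\bdkim=(\w+)", local[0])
    dkim = m.group(1).lower() if m else "none"
    return {"action": "accept", "dkim": dkim, "stripped": foreign, "message": msg}


# Constructed sample messages (not real mail). The first carries only a forged
# header that copies our authserv-id; the second carries our own header (with
# queue-id) followed by a forged one that dkim-filter failed to remove.
FORGED_ONLY = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
From: sender@example.org
Subject: constructed sample

hello
"""

GENUINE = b"""\
Authentication-Results: mx.example.net (queue-id: m1ABC123); dkim=fail header.d=example.org
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
From: sender@example.org
Subject: constructed sample

hello
"""

if __name__ == "__main__":
    print(evaluate(FORGED_ONLY)["action"], evaluate(FORGED_ONLY)["dkim"])          # accept pass (fooled)
    print(evaluate(FORGED_ONLY, queue_id="m1ABC123")["action"])                    # tempfail
    r = evaluate(GENUINE, queue_id="m1ABC123")
    print(r["action"], r["dkim"], len(r["stripped"]))                              # accept fail 1
```

Without the queue-id, the name-only check is exactly the weekend scenario from the quoted message: the forged header is indistinguishable from a real one once dkim-filter is dead. With the queue-id supplied, the forged header cannot match the current queue-id, so the filter tempfails instead of trusting it, and in the second sample the stale forged header is stripped while the local `dkim=fail` verdict is kept.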
