On Fri 03/Apr/2020 22:42:23 +0200 Damian Lukowski wrote:
>> The system should remove the quotes when comparing, and should also do
>> any decoding to get the admds into the same format.
> 
> My question's intent was not particularly about the quotes and UTF-8, I
> just chose it, because the syntactically invalid version looks more
> legit than the syntactically valid one. Assume some plain-ASCII
> examples. A mail system with own authservid of domain.tld receives mail
> with:


My system, my rules:


>> Authentication-Results: domain.tld; spf=pass [email protected]
> 
> Needs to be removed? Clearly yes.


Yes, and log it.


>> Authentication-Results: otherdomain.tld; spf=pass [email protected]
> 
> Needs to be removed? Clearly no.


Rename the header field to Old-Authentication-Results anyway.


>> Authentication-Results: {garbage}
> 
> Needs to be removed? I say no.


Rename the header field to Old-Authentication-Results anyway.


>> Authentication-Results: domain.tld, spf=pass [email protected]
> 
> Needs to be removed? I say no.


Yes, and log it.


>> Authentication-Results: domain.tld; {garbage}
> 
> Needs to be removed? I say no.


Yes, and log it.


>> Authentication-Results: "domain.tld"; {garbage}
> 
> Needs to be removed? I say no.
> 
>> Authentication-Results: "domain.tld"; spf=pass [email protected]
> 
> Needs to be removed? Yes.


Both cases are renamed to Old-Authentication-Results anyway.  The part that
would log it, however, doesn't recognize the quotes (I'm going to fix it now)
and intermittently removes the header.

Note that some tools, e.g. Thunderbird DKIM-Verifier[*] can be configured to
either "Read Authentication-Results header" or not.  Hence it makes sense to
rename all on entry.

Note2: even if a tool accepted a list of trusted authserv-id's, consider a MUA
simultaneously accessing two mailboxes, at example.com and example.org, say.
Of course you would configure the tool to trust both of their authserv-id
(which is already beyond what an average user is willing to configure).  Then,
a malicious party can send you a message at your @example.com address, bearing
a faked Authentication-Results by example.org.  Should the tool trust it?


jm2c
Ale
-- 

[*]
https://www.reddit.com/r/Thunderbird/comments/5nheej/is_it_possible_to_make_thunderbird_display_the/
(The "Edit 2" is bogus, but the previous edit describes the point well.)
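
The entry policy described in this message (rename every inbound Authentication-Results field, and flag those that claim the local authserv-id even when it is quoted or the field is malformed), sketched in Python as an added example that is not code from the post or from any filter it mentions. The function names, the lenient leading-token match, the case-insensitive comparison and the sample header values are assumptions.

```python
import email
import re

# Optional leading CFWS, then the authserv-id as a quoted-string or bare token.
# Lenient on purpose: "domain.tld, spf=pass" still claims domain.tld.
_LEAD = re.compile(r'(?:\s|\([^()]*\))*(?:"((?:[^"\\]|\\.)*)"|([^\s;,"()]+))')

def claimed_authserv_id(value):
    """Return the normalized leading authserv-id of a field value, or None."""
    m = _LEAD.match(re.sub(r'\r?\n[ \t]+', ' ', value))  # unfold first
    if not m:
        return None
    quoted, bare = m.groups()
    token = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
    return token.lower()  # assumption: compare case-insensitively

def rename_on_entry(raw_message, local_id):
    """Rename every inbound Authentication-Results; return (msg, spoofed)."""
    msg = email.message_from_string(raw_message)
    items = msg.items()          # ordered copy of (name, value) pairs
    for name, _ in items:
        del msg[name]            # removes all occurrences; repeats are no-ops
    spoofed = []
    for name, value in items:
        if name.lower() == 'authentication-results':
            if claimed_authserv_id(value) == local_id.lower():
                spoofed.append(value)   # claims our id: caller logs these
            name = 'Old-Authentication-Results'
        msg[name] = value        # re-append in the original order
    return msg, spoofed

# Constructed sample: the thread's cases with made-up mailfrom values.
SAMPLE = (
    'Authentication-Results: domain.tld; spf=pass smtp.mailfrom=a@example.net\n'
    'Authentication-Results: otherdomain.tld; spf=pass smtp.mailfrom=a@example.net\n'
    'Authentication-Results: {garbage}\n'
    'Authentication-Results: domain.tld, spf=pass smtp.mailfrom=a@example.net\n'
    'Authentication-Results: "domain.tld"; spf=pass smtp.mailfrom=a@example.net\n'
    'Subject: test\n'
    '\n'
    'body\n'
)

if __name__ == '__main__':
    cleaned, spoofed = rename_on_entry(SAMPLE, 'domain.tld')
    for value in spoofed:
        print('inbound field claims local authserv-id:', value)
    print(cleaned.as_string())
```
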

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc