On Thu, Sep 30, 2010 at 6:44 AM, Todd Lyons <[email protected]> wrote:
>> I haven't thought about this deeply, but: what are the circumstances
>> under which you'd want to sign an email where the envelope sender isn't
>> the same as one of the addresses in the From: header?
>
> I have custA and custB, two different domains, thus two different
> email addresses, and both use SMTP Auth to send email. Suppose custA
> sends an email, but sets the From to be custB's email. Further
> suppose that my system is configured to sign for both domains if the
> source is webmail or smtp auth. If I only use the From: header to
> determine the signing domain, it will sign custA's email with custB's
> key. You might ask, what's the big deal? custA could abuse custB's
> reputation by sending email as that user.
<snip>
> Based on your example (in the previous email), I need to modify my domain and
> local_part extractions to perform the ${sg...} on the From: header to extract
> only the first address because I just plain forgot that From: could
> have multiple addresses :-(
Ok, so here is the logic I am using:
1. If user is using SMTP Auth, the first From: header address must
match the authenticated address, thus use the authenticated address to
generate signing domain.
2. If user is sending via webmail then use the first address in the
From: header (tests for a webmail header and from a webmail hostlist
are done elsewhere in an acl and router) to generate the signing
domain
Here is what I ended up with in its final configuration:
# First address in From:, lowercased (addresses: gives a colon-separated list,
# sg: drops everything from the first colon onwards)
FIRST_FROM_ADDRESS = ${lc:${sg{${addresses:$h_from:}}{:.*}{}}}
# Condition: envelope sender equals the first From: address
DKIM_SENDER_MATCHES_FROM = eq{${lc:$sender_address}} {FIRST_FROM_ADDRESS}
# Authenticated sender, or empty when it does not match From: (-> not signed)
DKIM_SMTP_AUTH_SENDER = ${if DKIM_SENDER_MATCHES_FROM \
                            {${lc:$sender_address}} {} }
# Continuation lines of a macro must begin with whitespace
DKIM_DOMAIN = ${if def:sender_host_authenticated \
                  {${domain:DKIM_SMTP_AUTH_SENDER}} {${domain:FIRST_FROM_ADDRESS}} }
DKIM_LOCAL_PART = ${if def:sender_host_authenticated \
                      {${local_part:DKIM_SMTP_AUTH_SENDER}} \
                      {${local_part:FIRST_FROM_ADDRESS}} }
Damn, that sure seems complicated. :-( Can the above be simplified
without losing the check that it performs? Or is the check
superfluous? As long as I don't allow one user to impersonate another
user or use their keys, that's all that matters.
>> ... cases where the envelope sender doesn't match the first
>> from address are not signed?
That's where I ended up going with the above, thanks for the suggestion.
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurealius
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/