On Sat, 13 Jan 2024, Benny Pedersen via mailop wrote:

> Andrew C Aitchison via mailop skrev den 2024-01-13 07:16:
> > [ Wearing an MTA developer's hat. ]

> +1

> > I see that an MTA is supposed to remove existing Authentication-Results and BIMI-Indicator headers, and that generally an MUA may use these headers if present.

> where is this documented ?

https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/

7.8.  Handle Existing BIMI-Location and BIMI-Indicator Headers

   Regardless of success of the BIMI lookup, if a BIMI-Location or a
   BIMI-Indicator header is already present in a message it MUST be
   either removed or renamed.  This is because the MTA performing BIMI-
   related processing immediately prior to a Mail Delivery Agent (or
   within the same administrative realm) is the only entity allowed to
   specify the BIMI-Location or BIMI-Indicator headers (e.g. not the
   sending MTA, and not an intermediate MTA).  Allowing one or more
   existing headers through to a MUA is a security risk.

   If the original email message had a DKIM signature, it has already
   been evaluated.  Removing the BIMI-Location header at this point
   should not invalidate the signature since it should not be included
   within it per this spec.

> > I presume that most MTAs only add these headers on delivery, but if a non-compliant MTA received a message with these headers there is a risk that the MUA would trust them.

> it is tested on incoming mails, not on outgoing

That is what a well-meaning MTA will do, and I have no evidence that
any MTA does not do this. However Blank et al. considered the
possibility that a rogue MTA might set these headers on outgoing mail,
so included a rule to handle this risk.

> > Would it help if MUAs that don't actively support BIMI at least removed these headers when delivering to local mailboxes ?

> MUA must trust LAST MTA, not all MTAs in transit, is this a big hint ?

Agreed. But there appears to be no way for the MUA to verify these
headers, so am I right to think that a good MTA should not pass them through, even if it does not create its own versions ?

AIUI, at present there are very few MUAs that display BIMI that are
not intimately connected to a mailbox provider that verifies BIMI,
so the question is probably not urgent, but getting it right at
leisure now is better than trying to fix the world in a panic.

--
Andrew C. Aitchison                      Kendal, UK
                   [email protected]
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
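Section 7.8 of the draft, quoted in the message above, says the MTA doing BIMI processing just before delivery must remove or rename any BIMI-Location or BIMI-Indicator header that arrived with the message, and notes that doing so should not affect a DKIM signature because those headers are not meant to be signed. The following Python is an added example showing how a delivering MTA's filter could apply that rule; it is not code from the thread, from the draft, or from any MTA. The rename prefix `X-Original-`, the function names, and the sample message (including its DKIM-Signature tag values) are assumptions constructed for the example.

```python
# Added example, not from the mailop thread, the BIMI draft, or any MTA's code.
# Applies the "remove or rename" rule of draft-brand-indicators-for-message-identification
# section 7.8 at the last MTA before delivery, and checks the DKIM h= tag to confirm that
# the removal cannot touch a header an existing signature actually covers.
import email
from email import policy

# Headers that only the MTA performing BIMI processing just before delivery may set.
BIMI_HEADERS = ("BIMI-Location", "BIMI-Indicator")


def dkim_signed_headers(msg):
    """Return the lowercase header names listed in the h= tag of every DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Tags are ';'-separated; folding whitespace inside h= is legal and must be ignored.
        for tag in str(sig).split(";"):
            key, _, value = tag.partition("=")
            if key.strip().lower() == "h":
                value = "".join(value.split())  # drop CRLF and folding whitespace
                names.update(h.lower() for h in value.split(":") if h)
    return names


def strip_foreign_bimi_headers(raw, rename_prefix=None):
    """Parse a raw message and remove pre-existing BIMI-Location / BIMI-Indicator headers.

    If rename_prefix is given (the assumed 'X-Original-' in this example), the original
    values are kept under renamed headers instead of being dropped, so operators can still
    inspect what the upstream host sent without the MUA ever treating it as trusted.
    Returns (message, removed, signed_conflicts): removed maps header name to the list of
    values taken out; signed_conflicts lists BIMI headers that a DKIM-Signature h= tag
    covers, which the draft says should not happen and which is worth logging because
    stripping a signed header would break the signature if it were re-verified later.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    signed = dkim_signed_headers(msg)
    signed_conflicts = [h for h in BIMI_HEADERS if h.lower() in signed]
    removed = {}
    for name in BIMI_HEADERS:
        values = [str(v) for v in msg.get_all(name, [])]
        if not values:
            continue
        removed[name] = values
        del msg[name]  # removes every occurrence, not just the first
        if rename_prefix:
            for v in values:
                msg[rename_prefix + name] = v
    return msg, removed, signed_conflicts


# Constructed sample: a message reaching the delivering MTA already carrying BIMI headers
# set by some upstream host, which is exactly what section 7.8 says must not reach the MUA.
# The DKIM bh= and b= values are placeholders; the signature is never verified here.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:to:subject:date; bh=...; b=...
From: Sender <[email protected]>
To: <[email protected]>
Subject: test
Date: Sat, 13 Jan 2024 07:16:00 +0000
BIMI-Location: v=BIMI1; l=https://upstream.example/logo.svg
BIMI-Indicator: PHN2Zy8+

hello
"""

if __name__ == "__main__":
    cleaned, removed, conflicts = strip_foreign_bimi_headers(SAMPLE, rename_prefix="X-Original-")
    print("removed:", removed)
    print("signed conflicts:", conflicts)
    print(cleaned.as_string())
```

The rename option exists because the draft allows either removal or renaming; renaming preserves evidence for abuse handling while still guaranteeing that nothing named `BIMI-Location` or `BIMI-Indicator` leaves the MTA unless the MTA itself wrote it after its own lookup. The `signed_conflicts` check is the practical test of the draft's DKIM remark: if a sender did sign these headers, the delivering MTA learns that before it strips them.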
