Bill Sommerfeld via Postfix-users:
> On 12/22/23 17:30, Vijay S Sarvepalli via Postfix-users wrote:
> > Arguably the second server is at fault 
> > here for "SPF" signing two emails, nevertheless the vulnerability is due 
> > to the combinatorial or Composition Attack as Wietse has identified. 
> 
> SPF does not involve any per-message signatures.  Did you perhaps mean 
> to say "DKIM" here?

Vijay was confused.

The smuggled message has no From: aligned DKIM signature from the
From: address domain. The receiving mail system is in a different
domain, and therefore cannot add a From: aligned DKIM signature.

The receiving MTA can assert that the message was received from an
IP address that satisfied the SPF policy for the envelope sender
domain. That is the whole point of this attack on SPF-based authentication.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
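An added illustration (not code from the thread) of the distinction Wietse draws: a DMARC identifier-alignment check in which the smuggled message passes SPF for the relay's envelope domain, and may even carry the relay's own DKIM signature, yet has no authenticated identifier aligned with the From: domain. Domain names, the simplified organizational-domain rule and the `dmarc_result` helper are assumptions of this example.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Simplified organizational-domain rule (last two labels). Real DMARC
    # consults the Public Suffix List; this shortcut is an assumption here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_domain, auth_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    h, a = header_domain.lower(), auth_domain.lower()
    if mode == "s":
        return h == a
    return org_domain(h) == org_domain(a)

def dmarc_result(from_header, mail_from, spf_pass, dkim_domains, aspf="r", adkim="r"):
    """Return ('pass'|'fail', reason) for the From: domain's DMARC evaluation.

    from_header  -- RFC5322.From header value
    mail_from    -- RFC5321.MailFrom (envelope sender) address
    spf_pass     -- whether SPF passed for the connecting IP
    dkim_domains -- d= values of DKIM signatures that verified
    """
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    env_domain = mail_from.rsplit("@", 1)[-1]
    # SPF only authenticates the envelope sender; it counts for DMARC
    # only when that domain aligns with the From: header domain.
    if spf_pass and aligned(from_domain, env_domain, aspf):
        return "pass", "spf aligned"
    # A DKIM signature counts only if its d= domain aligns with From:.
    for d in dkim_domains:
        if aligned(from_domain, d, adkim):
            return "pass", "dkim aligned"
    return "fail", "no aligned authenticated identifier"

# Constructed sample: the relay passes SPF for its own envelope domain and
# signs with its own DKIM key, but the smuggled From: names another domain.
SMUGGLED = dict(from_header="CEO <ceo@victim.example>",
                mail_from="bounce@relay.example", spf_pass=True,
                dkim_domains=["relay.example"])
# Constructed contrast: the same relay sending mail on its own behalf.
LEGIT = dict(from_header="Ops <ops@relay.example>",
             mail_from="bounce@relay.example", spf_pass=True,
             dkim_domains=["relay.example"])
```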