I believe some users are in fact confusing DMARC and DKIM. DMARC is a policy that lets receiving servers know how to deal with mail that seems to be coming from your server but has *not* passed SPF and DKIM checks. From the Google support forum:
DMARC (Domain-based Message Authentication, Reporting, and Conformance) <https://support.google.com/a/answer/2466580>: lets you tell receiving servers what to do with outgoing messages from your organization that do not pass SPF or DKIM authentication

The problem with this attack is that it succeeds in passing SPF record policies and DKIM signature policies with the attacker's domain, then injecting a message with a different From header into the validated message, making it seem quite like an authentic message.

On Sat, 23 Dec 2023 at 21:03, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Bill Sommerfeld via Postfix-users:
> > On 12/22/23 17:30, Vijay S Sarvepalli via Postfix-users wrote:
> > > Arguably the second server is at fault
> > > here for "SPF" signing two emails, nevertheless the vulnerability is due
> > > to the combinatorial or Composition Attack as Wietse has identified.
> >
> > SPF does not involve any per-message signatures. Did you perhaps mean
> > to say "DKIM" here?
>
> Vijay was confused.
>
> The smuggled message has no From: aligned DKIM signature from the
> From: address domain. The receiving mail system is in a different
> domain, and therefore cannot add a From: aligned DKIM signature.
>
> The receiving MTA can assert that the message was received from
> an IP address that satisfied the SPF policy for the envelope sender
> domain. That is the whole point of this attack on SPF-based authentication.
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
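An added example, not part of the thread or of Postfix: the DMARC identifier-alignment decision (RFC 7489) as a receiver applies it, run over the two situations discussed above, namely a message with an SPF pass for the envelope sender domain but no From:-aligned DKIM signature, and a message authenticated only for a different domain than the one in From:. All domain names are constructed, and relaxed alignment here assumes the organizational domain is the last two labels, where a real receiver consults the Public Suffix List.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(ident: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    a, b = ident.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class AuthResults:
    from_domain: str                  # domain in the RFC5322 From: header
    spf_result: str                   # "pass", "fail", "none", ...
    spf_domain: str                   # envelope sender (MAIL FROM) domain
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when SPF *or* DKIM passes for a From:-aligned domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf == "s")
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim == "s")
                  for d, res in r.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample results, labelled by the situation they model.
SAMPLES = {
    # SPF pass for the envelope sender domain, no From:-aligned DKIM signature.
    "spf_only": AuthResults("bank.example", "pass", "bank.example", []),
    # SPF and DKIM pass, but only for a domain other than the From: domain.
    "other_domain": AuthResults("bank.example", "pass", "other.example",
                                [("other.example", "pass")]),
    # Envelope sender on a subdomain: aligned when relaxed, not when strict.
    "subdomain": AuthResults("bank.example", "pass", "mail.bank.example", []),
}

if __name__ == "__main__":
    for name, results in SAMPLES.items():
        print(name, dmarc_evaluate(results))
    print("subdomain, aspf=s", dmarc_evaluate(SAMPLES["subdomain"], aspf="s"))
```
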