Re: how to prevent post-auth sender spoofing

From: Josephus <josephus_at_josephus.hu>
Date: Wed, 16 Jun 2010 12:14:35 +0200

I have found all the solutions in postfix very difficult to implement or
resource consuming, so I decided to write a setup Lua script instead,
which does the following:
- verifies incoming mail
- signs mail if sasl username equals to envelope from and header from
addresses
- checks for additional allowed sender addresses using an sql query
- rejects if the above tests fail
You can fetch it from here: http://pastebin.ca/1884205

Since you probably want to implement a decision logic slightly different
than this one, it would be wise to keep this kind of modifications in
Lua script hooks as they are very fast and easy to implement.

BR,
Jos

On 2010.06.16. 5:44, Daniel Black wrote:
> On Saturday 29 May 2010 12:27:01 Daniel Black wrote:
>
>> On Friday 28 May 2010 12:58:18 Josephus wrote:
>>
>>> Hi,
>>>
>>> I'm trying to deploy dkim into a multi/virtualdomain environment where
>>> users send emails via sasl authentication. A common MTA setup doesn't
>>> check for sender address after the authentication is done.
>>>
>> are you talking about the From: header field or the envelope address?
>>
>> Envelope is a easy to deal with in the MTA (as below).
>>
>>
>>> Once I'm
>>> authenticated I can send mails using anything as the sender.
>>> So once a user is allowed to send, they would select an email address
>>> that's also on the system (on someone else's domain), the message will
>>> be signed with dkim, because the sender domain matches a key in the
>>> database. The receiving end will trust in the dkim signature however the
>>> whole message was forged from the beginning.
>>>
> Given the complexity of a solution here perhaps a new feature is called for.
>
> opendkim.conf.5
> "SignStrict (from|sender|all|none) (default none)
>
> When set to something other than 'none', the signature will only be applied if
> the envelope sender matches the From, Sender, both (From and Sender) header
> fields."
>
> Good/Bad/Ugly?
>
> I'll write it up as a FFR after feedback.
>
> Daniel
>
>
Received on Wed Jun 16 2010 - 10:14:48 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:47 PST