Re[2]: How does opendkim determine on whose behalf to sign message?

From: Miha Vrhovnik <miha.vrhovnik_at_cordia.si>
Date: Fri, 10 Sep 2010 21:56:10 +0200

"Murray S. Kucherawy" <msk_at_cloudmark.com> wrote on 10.9.2010 20:24:33:

...
>>
>> I know that sender (MAIL FROM) can also be faked, but the way I've set
>> up postfix is that the sender must be a valid alias for a login name,
>> or relaying is denied, so there is no issue with fakes.
>
>This is the main reason why both the From: domain and the client IP are checked before the decision to sign is made. Someone that is not coming from an authorized source won't be able to get mail signed even if the domain is one for which you would normally sign.

Correct me if I'm wrong, but you can do that if you do know the IP addresses of the senders. But still this doesn't solve the problem where the From is different from the envelope sender (assuming this is what the MTA gets in MAIL FROM, right?). As Richard said it all comes down to trust, but nowadays you can't trust anybody. You can put some faith in it if you are putting this up for a single company where all access is done from the internal network and you have just a few external IPs.

>As someone else mentioned you can use the Lua script hooks to determine whether or not the client has authenticated, for example. For that matter you can check any MTA-provided macro value, and thus co-ordinate between the two some way of indicating whether or not this is an authorized client.

>You can also tell the filter to make the decision based on a different header field or a macro if that's what you'd prefer. In the former case you want the SenderHeaders setting; in the latter, compile with "--enable-sender_macro" and use the SenderMacro setting. If you want to base it on the envelope sender, I believe that's available in an MTA macro.

I didn't compile with --enable-sender_macro and was getting a strange error: "opendkim: /etc/opendkim.conf: configuration error at line 269: unrecognized parameter"

The log now says that the envelope sender is used to search for a signing key. I'll also combine this with the Lua script mentioned by Josephus, where I won't sign if the From field differs from the envelope sender, which I think will prevent the risk of fake signed messages.

Nonetheless I'm worried because the default settings are so relaxed, since you usually don't have your users under control. It would be better if by default they were as tight as I'm trying to make them right now.

If this were implemented in native code, my suggestion is to add two new variables to the config:
TakeEmail(Domain)ForSignatureFrom: From field || sender macro || (From field && sender macro)
If both are compared: full email || domain part || doesn't matter

A second option would be just to add a Compare variable which would do just that.

Regards,
Miha

-- 
It's time to get rid of your current e-mail client ...
... and start using si.Mail.
It's small & free. ( http://www.simail.si/ )
Received on Fri Sep 10 2010 - 19:56:31 PST
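As an added example (not code from this thread or from OpenDKIM itself), the signing decision Miha sketches, taking the identity from the From: field, the sender macro, or both, with a full-address or domain-only comparison, plus the authorized-client gate Murray describes, written as a stand-alone Python model; the option names, the `client_authorized` flag and the domains are this example's own assumptions.

```python
from email.utils import parseaddr

# Constructed model of the policy discussed above. The constant names are this
# example's own, not OpenDKIM configuration options.
SOURCE_FROM, SOURCE_SENDER, SOURCE_BOTH = "from", "sender", "both"
COMPARE_FULL, COMPARE_DOMAIN, COMPARE_NONE = "full", "domain", "none"


def split_address(value):
    """Return (localpart, domain) from a From: value or a MAIL FROM argument.
    Display names and angle brackets are stripped; the null sender "<>" and
    anything without an "@" yield None. Domains are lower-cased because they
    compare case-insensitively; local parts are kept as-is because they may not."""
    _, addr = parseaddr(value or "")
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def signing_domain(from_header, envelope_from, signing_domains,
                   source=SOURCE_BOTH, compare=COMPARE_DOMAIN,
                   client_authorized=True):
    """Return the domain to sign for, or None meaning "do not sign".
    client_authorized stands in for the MTA-side check (client IP or an
    SMTP AUTH macro): an unauthorized client is never signed for, whatever
    the addresses say."""
    if not client_authorized:
        return None
    frm = split_address(from_header)
    env = split_address(envelope_from)
    if source == SOURCE_FROM:
        chosen = frm
    elif source == SOURCE_SENDER:
        chosen = env
    else:  # SOURCE_BOTH: the two identities must agree before From: is used
        if frm is None or env is None:
            return None  # null sender (bounce) or unparsable header: refuse
        if compare == COMPARE_FULL and frm != env:
            return None
        if compare == COMPARE_DOMAIN and frm[1] != env[1]:
            return None
        chosen = frm
    # Only ever sign for domains we actually hold keys for.
    if chosen is None or chosen[1] not in {d.lower() for d in signing_domains}:
        return None
    return chosen[1]
```

With the strict `SOURCE_BOTH` default, a message whose From: claims the company domain but arrives with a foreign envelope sender is left unsigned; with `SOURCE_FROM` (the relaxed behaviour Miha complains about) it would be signed.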

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:48 PST