Re: What are reasonable signing policies?

From: Todd Lyons <tlyons_at_ivenue.com>
Date: Tue, 26 Oct 2010 21:15:02 -0700

On Tue, Oct 26, 2010 at 4:53 PM, J.D. Falk
<jdfalk-lists_at_cybernothing.org> wrote:
>>> We also have some Unix workstations
>>> where mutt, for example, invokes /usr/lib/sendmail directly.  It's the
>> But it is a lesser degree of trust.  So you might be better off
>> signing it with a different subdomain.
> Is it?  Presumably the user still has to log in to access mutt.

Signing decision by default uses the From header right? So Joe Shmoe
would normally send email as joe.shmoe_at_user.university.edu. But with
mutt he can simply change the From header to
bigshot.professor_at_staff.university.edu. The email gets sent, it
relays through a central server, and then gets a dkim signature for
staff.university.edu instead of user.university.edu. That is why I
consider it a lesser degree of trust, because it can be socially
engineered.

In my exim system (doesn't use opendkim), I force the signing domain
to be the domain of the smtp auth user (envelope sender), and if it's
from webmail, I force the signing domain to be the domain from the
email address in the From header (users are not allowed to edit the
From header directly, but they can choose from a list of predefined
alias email addresses). My sendmail/opendkim system is segmented such
that my smtp auth and webmail smtp servers are separate and do not
overlap, so I don't need to work on changing the source of the signing
domain.

If there is some flaw in my logic, please do point it out. I am well
aware of your authority WRT all things internet and your experience
with large systems, so I hesitate to even disagree with you.

-- 
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
Received on Wed Oct 27 2010 - 04:15:12 PST
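The two selection rules contrasted in the message above, From-header-driven signing versus signing keyed to the authenticated identity, as an added Python model; it is not code from the thread or from any Exim/OpenDKIM configuration, and the alias table and addresses are constructed samples.

```python
from email.utils import parseaddr
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    domain: Optional[str]   # DKIM d= domain to sign with, or None for "do not sign"
    from_aligned: bool      # does the From header's domain match the signing domain?


# Constructed sample data: the predefined aliases each webmail user may pick from.
WEBMAIL_ALIASES = {
    "joe.shmoe@user.university.edu": {
        "joe.shmoe@user.university.edu",
        "jshmoe@alumni.university.edu",
    },
}


def domain_of(address: str) -> str:
    """Lower-cased domain of an RFC 5322 address ("Name <user@host>" or bare)."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not an address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def naive_policy(from_header: str) -> Decision:
    """The default the post criticises: sign with whatever domain From claims."""
    d = domain_of(from_header)
    return Decision(d, True)  # trivially "aligned" because From is the only input


def auth_policy(source: str, auth_user: str, from_header: str) -> Decision:
    """Policy from the post: the signing domain follows the authenticated identity."""
    if source == "smtp_auth":
        # mutt -> sendmail -> authenticated relay: sign with the auth user's domain,
        # so an edited From header cannot pull in another subdomain's signature.
        d = domain_of(auth_user)
        return Decision(d, domain_of(from_header) == d)
    if source == "webmail":
        # Webmail: From is trusted only when it is one of the user's predefined aliases.
        _, from_addr = parseaddr(from_header)
        allowed = WEBMAIL_ALIASES.get(auth_user.lower(), set())
        if from_addr.lower() not in allowed:
            return Decision(None, False)
        return Decision(domain_of(from_addr), True)
    raise ValueError(f"unknown source: {source!r}")
```

With the mutt scenario from the message, `auth_policy("smtp_auth", ...)` still yields `user.university.edu` as d= and flags the From mismatch, which is the signal a relay operator can log or act on.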
