Re: "On-Security" parameter

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Tue, 06 Aug 2019 13:11:29 +0000

Hello Nabil,

My understanding is that there is a setting

       MaximumHeaders (integer)
              Defines the maximum number of bytes the header block of a
              message may consume before the filter will reject the message.
              This mitigates a denial-of-service attack in which a client
              connects to the MTA and begins feeding an unbounded number of
              header fields of arbitrary size; since the filter keeps a cache
              of these, the attacker could cause the filter to allocate an
              unspecified amount of memory. The default is 65536; a value of 0
              removes the limit.

and On-Security mandates the action when the bytes for headers are exhausted. Why it does (by default) tempfail when the
MaximumHeaders capacity is exhausted I cannot say, nor can I say why “On-Security” is called this way.

Regards
  Дилян


On Tue, 2019-08-06 at 10:12 +0200, Nabil El Alami - Àrea Tècnica SW Hosting wrote:
> Hello,
>
> I need to know the purpose of the parameter "On-Security". According to
> opendkim.conf manual:
>
> On-Security (string)
> Selects the action to be taken when a message arrives containing
> properties that may be a security concern. Possible values are the same
> as those for On-BadSignature. The default is tempfail.
>
> Which properties are considered a possible security concern? Can I find
> more information elsewhere about this option?
>
> Thanks!
> Nabil
>
>
Received on Tue Aug 06 2019 - 13:11:47 PST
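
A small model of the byte cap that the quoted MaximumHeaders text describes, as an added example that is not part of the original thread and is not OpenDKIM code. The class and function names are hypothetical, the per-field cost (name length plus value length) is an assumption, and returning the On-Security action once the cap is hit follows the reply's reading of that option.

```python
from itertools import count

DEFAULT_MAXIMUM_HEADERS = 65536  # default stated in the quoted man page text


class HeaderBudget:
    """Caps the bytes of header fields cached for one message (illustrative model)."""

    def __init__(self, maximum_headers=DEFAULT_MAXIMUM_HEADERS, on_security="tempfail"):
        self.limit = maximum_headers    # 0 removes the limit, as in the man page
        self.on_security = on_security  # action name returned once the cap is hit
        self.used = 0
        self.cache = []

    def add(self, name, value):
        """Account for one header field; return 'continue' or the configured action."""
        # Assumption: a field costs len(name) + len(value) bytes.
        size = len(name) + len(value)
        if self.limit and self.used + size > self.limit:
            return self.on_security     # field is not cached, so memory stays bounded
        self.used += size
        self.cache.append((name, value))
        return "continue"


def feed(budget, fields):
    """Feed fields until the budget refuses one; return (verdict, fields_cached)."""
    for name, value in fields:
        verdict = budget.add(name, value)
        if verdict != "continue":
            return verdict, len(budget.cache)
    return "accept", len(budget.cache)


def endless_headers():
    """Constructed input: a client that never stops sending 1 KiB header fields."""
    for i in count():
        yield (b"X-Pad-%d" % i, b"A" * 1024)


if __name__ == "__main__":
    print(feed(HeaderBudget(), endless_headers()))
    print(feed(HeaderBudget(), [(b"From", b"a@example.org"), (b"Subject", b"hi")]))
```
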
