-
When I send e-mail from another host with my own envelope sender address forged, it is not detected. Assume there are no e-mail headers.
2009-10-17 14:33:23 UTC by gresko
-
Hi,
I have created a patch that allows getting the from addr (in _eoh) from an arbitrary milter macro.
The problem here is as follows:
When you host multiple customers and you want to sign mail for many/all of them, it's easily possible to authenticate using one email address and send a message using a "From:" from another hosted domain name.
My patch is far from perfect, but it should allow to set...
2009-09-23 08:47:56 UTC by ondrass
-
More details: The problem appears to occur when CRLFs are split across calls to dkim_body(), but it's not specific to signing. Interestingly, there's already a unit test which covers this case and it wasn't failing, so the counting of blank lines within a message is also involved (the unit test didn't do that).
2009-07-09 21:29:10 UTC by cm-msk
-
The problem appears to occur during signing when a CRLF is split across calls to dkim_body(). Working on a patch now.
2009-07-09 18:34:16 UTC by cm-msk
-
OK, I see it with 2.8.3 when signing, but not when verifying.
2009-07-09 18:22:42 UTC by cm-msk
-
I just tried this with both 2.8.2 and 2.8.3 on FreeBSD and can't reproduce this; I never get a double CR in the temporary files thus produced.
The only difference is that I'm using FreeBSD 6.2-RELEASE, and I didn't get it from ports.
2009-07-09 17:54:24 UTC by cm-msk
-
Right now, the On-NoSignature action gets blindly applied by the verifier even though there is no policy record available for the author domain, and thus may lead to RFC breakage/unwanted results.
Thus the On-NoSignature action should be used ONLY when there is a policy record available.
That means, since "all" and "discardable" checks have already passed the code in question, right now "unknown" aka...
2009-06-29 05:08:19 UTC by elkner
-
Since neither RFC 4871 nor ssp|adsp says that it is an error or suspicious condition if an MTA submits a mail with the same author signature domain for which the receiving MTA is (as well) responsible, this unnecessary check and misleading log message should be avoided (or better: don't try to turn dkim-filter into a multi-purpose milter)!
Suggested patch attached.
2009-06-29 03:19:41 UTC by elkner
-
Right now, dkimf_libstatus status uses the On-BadSignature action if the reputation data returned from a query are corrupt/truncated/expired/unexpected or there was an error in transit (DKIM_STAT_CANTVRFY). However, this is completely different than having a bad signature - the signature might be completely ok/valid and most admins probably do not want to reject mails, just because the "check...
2009-06-29 03:01:28 UTC by elkner
-
RFC 4871, section 3.6.1 says that if the tag-list in the DNS record contains a flag value of 'y' (i.e. t="y[:s]"), then "Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify." However, dkim-filter rejects mail. E.g.
----- The following addresses had permanent fatal errors -----
...
2009-06-27 00:00:10 UTC by elkner