Mailing List Archive

SA DKIM check
Does SA always do its "own" DKIM check, or can it be told to use an
already written trusted AuthservId-written Authentication-Results
header, e.g. from OpenDKIM?

Thanks

--
Simon Wilson
M: 0400 12 11 16
Re: SA DKIM check
On 01/04/2021 23:10, Simon Wilson wrote:

> Does SA always do its "own" DKIM check, or can it be told to use an
> already written trusted AuthservId-written Authentication-Results
> header, e.g. from OpenDKIM?
>
> Thanks

That would be dangerous on a few levels, completely open to fake written
headers, you could end up "trusting" a spammer.

--
Regards,
Noel Butler
Re: SA DKIM check
On 1 Apr 2021, at 22:07, Noel Butler wrote:

> On 01/04/2021 23:10, Simon Wilson wrote:
>
>> Does SA always do its "own" DKIM check, or can it be told to use an
>> already written trusted AuthservId-written Authentication-Results
>> header, e.g. from OpenDKIM?

Not for DKIM, but by default the SPF plugin will use an
Authentication-Results (or Received-SPF) header written by an internal
host.

> That would be dangerous on a few levels, completely open to fake
> written headers, you could end up "trusting" a spammer

It isn't particularly difficult to discriminate between headers that
exist when a message arrives at the first internal machine and those
written afterwards. If you're aware of a way for a fake
Authentication-Results written by an external system to be treated as
internal by a properly configured SpamAssassin, please open a bug
report.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
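
The distinction drawn in the reply above, between headers already present when a message reaches the first internal machine and those written afterwards, sketched as an added example (it is not SpamAssassin's code and was not posted in the thread). The hostnames, the sample message and the function name are assumptions; the sample carries a forged Authentication-Results header that reuses the internal authserv-id, so the filter has to rely on header position as well as the id.

```python
import re
from email import message_from_string

BORDER_MTA = "mx.example.net"  # assumed: border MTA hostname, also its authserv-id

# Constructed sample. Headers are prepended, so the top of the message is newest.
# The second Authentication-Results sits below the border hop: it arrived with the mail.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
\tby store.example.net with LMTP; Thu, 1 Apr 2021 23:10:05 +1000
Authentication-Results: mx.example.net;
\tdkim=fail reason="signature verification failed" header.d=bank.example
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby mx.example.net with ESMTP; Thu, 1 Apr 2021 23:10:04 +1000
Authentication-Results: mx.example.net; dkim=pass header.d=bank.example
Received: from localhost by mail.sender.example; Thu, 1 Apr 2021 23:10:01 +1000
From: billing@bank.example
Subject: constructed sample

body
"""

def internal_dkim_results(raw, border=BORDER_MTA):
    """(result, header.d) pairs from Authentication-Results added at/after the border."""
    results = []
    for name, value in message_from_string(raw).items():  # newest header first
        name, value = name.lower(), " ".join(value.split())  # unfold continuation lines
        if name == "received":
            by = re.search(r"\bby\s+([^\s;]+)", value)
            if by and by.group(1).lower() == border:
                return results  # everything below existed on arrival: ignore it
        elif name == "authentication-results":
            authserv, _, resinfo = value.partition(";")
            if authserv.lower().split()[:1] != [border]:
                continue  # written by a verifier we do not trust
            for part in resinfo.split(";"):
                res = re.match(r"\s*dkim=(\w+)", part)
                if res:
                    dom = re.search(r"\bheader\.d=([^\s;]+)", part)
                    results.append((res.group(1), dom.group(1) if dom else None))
    return []  # border hop never seen, so no trust boundary can be established
```

Only the `dkim=fail` result written above the border hop is returned; the forged `dkim=pass` is never read.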
Re: SA DKIM check
On 4/1/21 3:10 PM, Simon Wilson wrote:
> Does SA always do its "own" DKIM check, or can it be told to use an already written trusted AuthservId-written Authentication-Results header, e.g. from OpenDKIM?
>
I think Mail::SpamAssassin::Plugin::AuthRes (on trunk) is what you are looking for.

Giovanni
Re: SA DKIM check
On Fri, 2 Apr 2021 13:22:47 +0200
Giovanni Bechis wrote:

> On 4/1/21 3:10 PM, Simon Wilson wrote:
> > Does SA always do its "own" DKIM check, or can it be told to use an
> > already written trusted AuthservId-written Authentication-Results
> > header, e.g. from OpenDKIM?
> I think Mail::SpamAssassin::Plugin::AuthRes (on trunk) is what you
> are looking for.

Is it actually connected to anything? It says it *can* supply
the results obtained to other plugins, but I don't see any mention of
authres in DKIM.pm.
Re: SA DKIM check
>>> Does SA always do its "own" DKIM check, or can it be told to use
>>> an already written trusted AuthservId-written
>>> Authentication-Results header, e.g. from OpenDKIM?
>
> Not for DKIM, but by default the SPF plugin will use an
> Authentication-Results (or Received-SPF) header written by an
> internal host.

Thanks Bill, I figured that was the case from the flow on my system
(it is using upstream SPF but not upstream DKIM). Appreciate the
confirmation.

>
>> That would be dangerous on a few levels, completely open to fake
>> written headers, you could end up "trusting" a spammer
>
> It isn't particularly difficult to discriminate between headers that
> exist when a message arrives at the first internal machine and those
> written afterwards. If you're aware of a way for a fake
> Authentication-Results written by an external system to be treated
> as internal by a properly configured SpamAssassin, please open a bug
> report.

Yep, been through all of that with making sure SA knows what is
internal and external, and what it can trust and not. No issues there.

Simon

--
Simon Wilson
M: 0400 12 11 16