Matus UHLAR - fantomas skrev den 2023-03-02 11:50:
Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.
other plugins should be able to use data provided by this plugin.
On 02.03.23 12:55, Benny Pedersen wrote:
+1 funny you provided an eval that worked ? :)
have you seen ARC_VALID or ARC_SIGNED yet ?
many. I just still don't think we should trust ARC headers by default
(someone has signes headers, but that does not mean that someone is
trustful).
if ARC signer is trusted and the signature is correct, the status can be
extracted from ARC-Authentication-Results:
Further modules can use that to e.g. allowlist sender even if the DKIM
fails
Authentication-Results: fantomas.fantomas.sk; arc=pass
smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=pern.onmicrosoft.com; dmarc=pass action=none
header.from=gcwus.edu.pk; dkim=pass header.d=gcwus.edu.pk; arc=none
Here, if I trust "fantomas.fantomas.sk" authentication header (configurable
in AuthRes) and I trust signer microsoft.com, I will believe that the
message passed DMARC and SPF for pern.onmicrosoft.com.
However, if there was other random ARC signer, faking positive results of
spf/dkim/dmarc results, we should not believe the ARC signature
... and this message can still be spam (it is).
imho dmarc in spamassassin is already doing things right, but authres
should maybe just be dokumented when to use it
it's the DKIM module that validates ARC headers in SA.
While the functionality is similar to DKIM,
it already used in perlcode in dmarc, without any eval calls
previous mail i posted is without authres enabled
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
