Matus UHLAR - fantomas wrote on 2023-03-02 11:50:
Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.

On 02.03.23 12:55, Benny Pedersen wrote:
+1 funny you provided an eval that worked ? :)

have you seen ARC_VALID or ARC_SIGNED yet ?

many. I just still don't think we should trust ARC headers by default (someone has signed headers, but that does not mean that someone is trustful).

if ARC signer is trusted and the signature is correct, the status can be extracted from ARC-Authentication-Results:

Further modules can use that to e.g. allowlist sender even if the DKIM fails
Authentication-Results: fantomas.fantomas.sk; arc=pass 
smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
        smtp.mailfrom=pern.onmicrosoft.com; dmarc=pass action=none
        header.from=gcwus.edu.pk; dkim=pass header.d=gcwus.edu.pk; arc=none


Here, if I trust "fantomas.fantomas.sk" authentication header (configurable in AuthRes) and I trust signer microsoft.com, I will believe that the message passed DMARC and SPF for pern.onmicrosoft.com.

However, if there was another random ARC signer faking positive spf/dkim/dmarc results, we should not believe the ARC signature

... and this message can still be spam (it is).


imho dmarc in spamassassin is already doing things right, but authres should maybe just be documented when to use it

it's the DKIM module that validates ARC headers in SA.
While the functionality is similar to DKIM,
it is already used in Perl code in dmarc, without any eval calls

previous mail i posted is without authres enabled

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail to this address.
WinError #98652: Operation completed successfully.
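The trust policy Matus describes above (believe the spf/dkim/dmarc results carried in ARC-Authentication-Results only when our own trusted MTA recorded arc=pass and every signer in the chain is on an allowlist) can be expressed as a small parser plus a policy check. The code below is an added example for this thread, not code from SpamAssassin's AuthRes or DKIM plugins. It uses the two header values quoted in the message as sample input; the trust sets `TRUSTED_AUTHSERV` and `TRUSTED_ARC_SIGNERS` are constructed for the example, and the assumption that arc.chain lists signer domains separated by ":" follows the OpenARC convention rather than any SpamAssassin setting.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Header values as quoted in the thread (folded lines joined). Constructed trust
# lists for the example; not a real SpamAssassin configuration.
AUTHRES = ("fantomas.fantomas.sk; arc=pass smtp.remote-ip=52.100.19.99 "
           "arc.chain=microsoft.com")
ARC_AAR = ("i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=pern.onmicrosoft.com; "
           "dmarc=pass action=none header.from=gcwus.edu.pk; "
           "dkim=pass header.d=gcwus.edu.pk; arc=none")
TRUSTED_AUTHSERV: Set[str] = {"fantomas.fantomas.sk"}   # our own MTA(s)
TRUSTED_ARC_SIGNERS: Set[str] = {"microsoft.com"}       # sealers we believe

_COMMENT = re.compile(r"\([^()]*\)")  # CFWS comments such as "(ok)"


def parse_authres(value: str) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Parse an Authentication-Results or ARC-Authentication-Results value.

    Returns (authserv-id, {method: {"result": ..., "ptype.prop": value, ...}}).
    The leading "i=N" instance tag of ARC-Authentication-Results is skipped
    and an optional version number after the authserv-id is dropped.
    """
    value = _COMMENT.sub("", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if parts and parts[0].lower().startswith("i="):
        parts.pop(0)
    if not parts:
        raise ValueError("missing authserv-id")
    authserv = parts.pop(0).split()[0].lower()
    methods: Dict[str, Dict[str, str]] = {}
    for stanza in parts:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:          # e.g. smtp.mailfrom=..., action=none
            key, _, val = tok.partition("=")
            props[key.lower()] = val
        methods[method.lower()] = props
    return authserv, methods


def trusted_arc_results(authres: str, arc_aar: str,
                        trusted_authserv: Set[str],
                        trusted_signers: Set[str]) -> Optional[Dict[str, str]]:
    """Return {spf|dkim|dmarc: result} taken from ARC-Authentication-Results,
    or None when the ARC chain must not be believed.

    Conditions: the Authentication-Results header was written by one of our
    trusted authserv-ids, it says arc=pass, and every domain in arc.chain
    (assumed ":"-separated, OpenARC style) is a trusted sealer. A random
    sealer claiming spf/dkim/dmarc=pass therefore yields None.
    """
    authserv, methods = parse_authres(authres)
    if authserv not in trusted_authserv:
        return None                     # header may be forged upstream
    arc = methods.get("arc")
    if arc is None or arc["result"] != "pass":
        return None                     # chain broken or never validated
    chain = [d.lower() for d in arc.get("arc.chain", "").split(":") if d]
    if not chain or any(d not in trusted_signers for d in chain):
        return None                     # at least one untrusted sealer
    _, aar = parse_authres(arc_aar)
    return {m: p["result"] for m, p in aar.items()
            if m in ("spf", "dkim", "dmarc")}


if __name__ == "__main__":
    print("trusted signer:", trusted_arc_results(
        AUTHRES, ARC_AAR, TRUSTED_AUTHSERV, TRUSTED_ARC_SIGNERS))
    print("unknown signer:", trusted_arc_results(
        AUTHRES, ARC_AAR, TRUSTED_AUTHSERV, {"sealer.example"}))
```

The returned dictionary is what a later rule could consume (for instance to allowlist a sender whose DKIM broke in transit but whose trusted ARC chain says dmarc=pass); a None result leaves the message to the ordinary SPF/DKIM/DMARC checks, which is the conservative default the thread argues for.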