-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix failed signatures with multiple transitions #173
base: develop
Are you sure you want to change the base?
Fix failed signatures with multiple transitions #173
Conversation
Perhaps the commit f6b57dc intended to reject messages with maricious AR header(s), and I agree that it is not good. However, I think the condition If an openarc milter runs on mode contains "v", it means that the openarc milter verifies messages by itself (and then insert a AR header), so it should not believe any ARC results in AR header in the case, I think. (e.g. assume a message is submitted to the MTA with openarc running on "sv" mode, the message signed as i=1 cv=none and added AR header with arc=none. Then it sent to remote MTA and the message is forwarded by an alias or mailing list system, and finally returns to the first MTA with remaining the AR header for ARC result "none"). On the other hand, if the milter runs on mode "s" without "v", it means that it believe the most recent result even if the message was modified after verification and use the result in the AR header for signing. It seems the PR code covers this case. |
Thanks @futatuki - just to confirm, do you think the PR is okay as it is? As far as I am aware, authentication-results headers for the same authserv-id are ignored, unless they arrive from hosts on a trusted network (?) |
I'm not okay the PR as it is. Only the basic concept, that we should not regardlessly reject message which have multiple AR headers of ARC result in own Authserve-ID, is okay. The config parameter The config parameter In the mode In the However, in the |
This is the responsibility of the ADMD border MTA to deal with; as per RFC 8601 "any MTA conforming to this specification MUST delete any discovered instance of this header field that claims, by virtue of its authentication service identifier, to have been added within its trust boundary but that did not come directly from another trusted MTA." It's out of scope for OpenARC to make this modification, so in order to use A-R at all we have to be able to trust that this processing has occurred, and that any A-R headers for our ADMD were added within the trust boundary. I do think it's reasonable to have this behaviour controlled by a config flag, and off by default. flowerysong/OpenARC@63fd6e8 |
Sure, actually for that purpose I use opendkim with
This assumption seems to be valid.
My thought is that it is controled by "v" flag in In one of my use case:
With this case, an ADMD is constructed be step 1. - 3. and modification in step 2. may break the signature of the last ARC set, however if I correctly understand, it can use the varidation result in step 1. If the milter always update arc_state by |
I don't really like magical behaviour like that, which is one reason I made it a config flag. The other reason is people who don't specify a mode, who should also have a way to control this behaviour.
We can change the default, I don't feel strongly about it. Defaulting it to "no" is safer in the case of misconfigured environments, but it might be better to remain compatible with the old behaviour by default.
Right, this is why the flag exists. If you enable it (or if we default it to "yes") it will be allowed to override the fail status. The only cases where my change disallows an override are explicit |
My bad, I couldn't read in |
Commit f6b57dc causes messages transitioning multiple times in the same Authserv-ID domain to always have an ARC result of fail. This PR allows that to happen and takes the most recent result instead.
Fixes issue #172