|
|
SA Bugzilla – Full Text Bug Listing |
- Home
- | New
- | Browse
- | Search
- | [?]
- | Reports
- | Help
- | New Account
- | Log In
- | Forgot Password
|
|
|
SA Bugzilla – Full Text Bug Listing |
| Summary: | TxRep doesn't use SPF correctly | ||
|---|---|---|---|
| Product: | Spamassassin | Reporter: | RW <rwmaillists> |
| Component: | Libraries | Assignee: | SpamAssassin Developer Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | giovanni, mnalis-sabug, paul.stead, sidney |
| Priority: | P2 | ||
| Version: | SVN Trunk (Latest Devel Version) | ||
| Target Milestone: | 4.0.1 | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
Hiya -
Is this fixed by setting signedby to $pms->{spf_sender} (or extracting the domain from spf_sender)?
Something like
1335 } elsif ($pms->{spf_pass} && $self->{conf}->{txrep_spf}) {
$ip = undef;
my $spf_domain = $pms->{spf_sender};
$spf_domain =~ s/^.+@//;
$signedby = 'spf-'.$spf_domain;
does this have the intended consequence for making this key less spoofable? I feel like I'm missing a scenario, but I've run it through a few times.
Paul
Doh, sorry - I don't think this variable actually exists upon testing! But would be easy enough to add to the output from Plugin/SPF? Rather than looking up the SPF authed domain ourselves in TxRep |
In TxRep.pm 1332 if ($signedby) { 1333 $ip = undef; 1334 $domain = $signedby; 1335 } elsif ($pms->{spf_pass} && $self->{conf}->{txrep_spf}) { 1336 $ip = undef; 1337 $signedby = 'spf'; 1338 } IMO $signedby should only be set to 'spf' if there's also relaxed alignment between $from and the envelope sender. Otherwise it's very easy to spoof, it can even happen automatically with forwarding. Setting $signedby to the sender domain or $from to the sender address are superficially appealing, but don't help under forwarding.