Bug 7764 - TxRep doesn't use SPF correctly
Summary: TxRep doesn't use SPF correctly
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Libraries (show other bugs)
Version: SVN Trunk (Latest Devel Version)
Hardware: All All
: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Depends on:
Reported: 2019-10-24 17:45 UTC by RW
Modified: 2019-10-24 17:45 UTC (History)
0 users

Attachment Type Modified Status Actions Submitter/CLA Status

Note You need to log in before you can comment on or make changes to this bug.
Description RW 2019-10-24 17:45:42 UTC
In TxRep.pm

1332 	  if ($signedby) {
1333 	    $ip       = undef;
1334 	    $domain   = $signedby;
1335 	  } elsif ($pms->{spf_pass} && $self->{conf}->{txrep_spf}) {
1336 	    $ip       = undef;
1337 	    $signedby = 'spf';
1338 	  }

IMO $signedby should only be set to 'spf' if there's also relaxed alignment between $from and the envelope sender. Otherwise it's very easy to spoof, it can even happen automatically with forwarding.

Setting $signedby to the sender domain or $from to the sender address are superficially appealing, but don't help under forwarding.