should accept dkim based on from address and signing address belonging to the same person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Martin Pool |
Bug Description
Following on from bug 316272 and https:/
It's fairly common for people to send mail from <email address hidden> with a From address of <email address hidden>. We could accept this as strongly authenticated if all of the following are true:
* the mail has a valid dkim signature
* the dkim signing domain matches the Sender address
* there is a Launchpad account P with active email addresses for both the Sender and From addresses
* the dkim signature covers both the From and Sender fields (is this needed?)
This could perhaps be simplified to
* the mail has a valid dkim signature
* the signature covers the Sender field
* there is an account with active email address matching the Sender field
then we consider it strongly authenticated as coming from the sender.
Related branches
- Graham Binns (community): Approve (code)
- Diff: 281 lines (+145/-36), 3 files modified:
  lib/lp/services/mail/incoming.py (+67/-36)
  lib/lp/services/mail/tests/test_dkim.py (+24/-0)
  scripts/process-one-mail.py (+54/-0)
Changed in launchpad-foundations: status: Confirmed → Triaged
Changed in launchpad-foundations: importance: Low → High
Changed in launchpad-foundations: assignee: nobody → Martin Pool (mbp)
Changed in launchpad: status: Fix Committed → Fix Released
You want to limit DKIM to cases where the signing domain (d=) matches the From domain in the body of the message. Looking at Sender and ignoring From puts the identity precedence backwards. It is not unheard of for mailing lists to add a sender header and for mailing lists to add DKIM signatures. If there were a mailing list hosted under the domain in question, relying on Sender might allow malicious commands to be authenticated:
1. Sign up for mailing list on target domain.
2. Send message to mailing list (LP won't get this because it's not subscribed).
3. Collect message plus signature from mailing list.
4. Replay message with rcpt to LP.
5. Profit.
Keep in mind that envelope identities like rcpt to are not bound to DKIM signatures and so replay like this is trivial. It's not currently done because it's not valuable to do so. Please don't make it valuable to do so.
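Added example, not code from the Launchpad branch listed above: a small Python policy function that applies the checks from the bug description in both the four-condition ("full") and three-condition ("simplified") forms, plus a third variant ("aligned") that adds the From-domain alignment the comment above asks for. The DkimResult structure, the ACCOUNTS directory and every address in it are constructed for illustration; a real deployment would take the d= tag and the h= header list from the DKIM verifier and look addresses up in the account tables.

```python
"""Decide whether a DKIM-verified message counts as strongly authenticated.

Added illustration of the policies discussed in the bug; not Launchpad's
incoming.py.  All addresses and account data below are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Mapping, Optional


@dataclass(frozen=True)
class DkimResult:
    """Outcome of verifying one DKIM-Signature header (hypothetical shape)."""
    valid: bool                 # signature verified against the published key
    signing_domain: str         # the d= tag of the verified signature
    signed_headers: frozenset   # lower-cased header names listed in h=


# Constructed directory: active email address -> account name.
# Stand-in for Launchpad's person/email tables.
ACCOUNTS: Mapping[str, str] = {
    "alice@home.example": "alice",
    "alice@work.example": "alice",
    "bob@work.example": "bob",
}


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def authenticated_account(headers: Mapping[str, str], dkim: DkimResult,
                          accounts: Mapping[str, str],
                          policy: str = "full") -> Optional[str]:
    """Return the account the message is strongly authenticated as, or None.

    headers: From and Sender header values as received.
    policy:  "simplified" - valid signature, Sender covered, Sender is an
                            active address of some account (three conditions).
             "full"       - additionally d= must equal the Sender domain, From
                            must be covered, and From must belong to the same
                            account (the four conditions in the description).
             "aligned"    - "full" plus d= must equal the From domain, which is
                            what the follow-up comment argues for.
    """
    # Headers not listed in h= are not bound by the signature, so a Sender
    # field added after signing must not be trusted: require it to be covered.
    if not dkim.valid or "sender" not in dkim.signed_headers:
        return None
    sender = parseaddr(headers.get("Sender", ""))[1].lower()
    account = accounts.get(sender)
    if account is None:
        return None
    if policy == "simplified":
        return account  # Sender alone decides the identity; From is ignored

    signing = dkim.signing_domain.lower()
    if signing != _domain(sender):
        return None
    from_addr = parseaddr(headers.get("From", ""))[1].lower()
    if "from" not in dkim.signed_headers or accounts.get(from_addr) != account:
        return None
    if policy == "aligned" and signing != _domain(from_addr):
        return None
    return account


if __name__ == "__main__":
    sig = DkimResult(True, "work.example", frozenset({"from", "sender", "subject"}))
    own_addresses = {"From": "Alice <alice@home.example>", "Sender": "alice@work.example"}
    foreign_from = {"From": "mallory@elsewhere.example", "Sender": "alice@work.example"}
    for name, hdrs in (("own addresses", own_addresses), ("foreign From", foreign_from)):
        for policy in ("simplified", "full", "aligned"):
            print(f"{name:14s} {policy:10s} -> {authenticated_account(hdrs, sig, ACCOUNTS, policy)}")
```

Running the block shows the trade-off in one table: the message whose From and Sender both belong to alice is accepted under "simplified" and "full" but rejected under "aligned" (d= is the Sender domain, not the From domain), while a message with a foreign From and alice's Sender is accepted only under "simplified", which is the identity-precedence problem the comment describes. The check that Sender is covered by h= answers the description's "is this needed?" in the affirmative for Sender at least: an uncovered header is not bound by the signature and can be added or changed after signing without invalidating it.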