Re: how to prevent post-auth sender spoofing

From: Murray S. Kucherawy <>
Date: Thu, 27 May 2010 22:00:31 -0700 (PDT)

On Fri, 28 May 2010, Josephus wrote:
> I'm trying to deploy dkim into a multi/virtualdomain environment where
> users send emails via sasl authentication. A common MTA setup doesn't
> check for sender address after the authentication is done. Once I'm
> authenticated I can send mails using anything as the sender. So once a
> user is allowed to send, they would select an email address that's also
> on the system (on someone else's domain), the message will be signed
> with dkim, because the sender domain matches a key in the database. The
> receiving end will trust in the dkim signature however the whole message
> was forged from the beginning. I know it's not really a dkim issue, but
> you might have dealt with the situation before. Using Postfix I have
> thought about restricting sender addresses to the sasl authenticated
> username, but that would kill the feature where you can set up multiple
> identities in your MUA for all your aliases. Not to mention that we have
> some internal hosts for which we do not require authentication (such as
> webservers).

If I understand what you're asking, you want to prevent your users from
forging mail as anyone other than themselves after they've authenticated,
since the forgery would then be signed by your server's main key, meaning
you've taken responsibility for the forgery.

I have a couple of suggestions:

1) Generate one key per domain you support, and use one of the Lua script
hooks (probably "setup") to sign by selecting the domain's key based on
the domain of the authenticated user. Thus, if that user forges the From:
field in a message after authentication, the recipient knows (and you
know) which domain is responsible for the forgery.

2) Also using the "setup" script hook, reject (or just log) a message if a
user attempts to send mail using a domain in the From: field that doesn't
match the authenticated domain. (This would much better be done in a
filter outside of opendkim, but it's possible to do it here.)

In both cases you can easily make exceptions for your internal hosts.

Hope this helps. Let us know if you need more information.

Received on Fri May 28 2010 - 05:00:57 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:47 PST