At 13:05 +0100 on 02/28/2012, Arnt Gulbrandsen wrote about Re: MUA support for multiple from addresses:
> On 02/28/2012 01:11 AM, ned+ietf-smtp(_at_)mrochek(_dot_)com wrote:
>> And as Randy points out, a lot of legitimate uses of it run afoul of
>> incompetently designed security restrictions.
>
> As it happens I was involved in implementing exactly this restriction once.
> The chain of logic was like this: 1. We want to sign using DKIM. 2. For
> that we need to make sure each outgoing From address is something the
> domain owner is happy to sign for. 3. We'll restrict From and the SMTP
> sender addresses to ones explicitly connected to the SASL/Submit user.
> The DKIM design isn't incompetent, none of steps 1-3 seem obviously
> incompetent. Tell me what I overlooked?
>
> Arnt
If there is more than one From, and/or the From and Sender are
different, AND all supplied addresses would be considered valid
by your DKIM checking/validation logic if each were the only
supplied address, then your implementation is IMO incompetently designed if
it rejects immediately when it sees multiple From addresses or a
From/Sender mismatch. It should only reject ONCE it is given an
address that it would have rejected as a sole address.

Note that criterion 3 may need a whitelist associated with the submit
credentials (i.e. address X is allowed to send using the SASL/Submit
credentials).
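As an added illustration of the distinction drawn above (this is example code written for this archive page, not an implementation from either poster), the check below rejects a submission only when some supplied From or Sender address is outside the set the SASL/Submit user is allowed to use, and is contrasted with the objected-to behaviour that refuses as soon as several From addresses or a From/Sender mismatch appear. The per-user allow list and the addresses are constructed samples.

```python
# Example policy check for a submission server (constructed example, not
# from the thread).  ALLOWED maps a SASL/Submit user to the addresses the
# domain owner is willing to DKIM-sign for on that user's behalf.
from email.utils import getaddresses
from typing import Dict, Iterable, Set

ALLOWED: Dict[str, Set[str]] = {            # constructed sample allow list
    "alice": {"alice@example.org", "sales@example.org"},
    "bob": {"bob@example.org"},
}


def addresses_in(header_values: Iterable[str]) -> Set[str]:
    """Lower-cased addr-specs from one or more From:/Sender: field values
    (a single From: field may carry several mailboxes)."""
    return {addr.lower() for _, addr in getaddresses(list(header_values)) if addr}


def offending_addresses(user: str, from_values: Iterable[str],
                        sender_values: Iterable[str] = ()) -> Set[str]:
    """Addresses that would be rejected if each were the sole address.
    An empty set means the message passes the policy."""
    allowed = {a.lower() for a in ALLOWED.get(user, set())}
    supplied = addresses_in(from_values) | addresses_in(sender_values)
    return supplied - allowed


def accept(user: str, from_values: Iterable[str],
           sender_values: Iterable[str] = ()) -> bool:
    """The behaviour argued for above: judge every address on its own."""
    return not offending_addresses(user, from_values, sender_values)


def rejects_on_multiplicity(user: str, from_values: Iterable[str],
                            sender_values: Iterable[str] = ()) -> bool:
    """The objected-to behaviour: refuse as soon as multiple From addresses
    appear or From and Sender differ, even when every address is allowed."""
    froms = addresses_in(from_values)
    senders = addresses_in(sender_values)
    if len(froms) > 1 or (senders and senders != froms):
        return True
    return bool(offending_addresses(user, from_values, sender_values))
```

With the sample list, alice submitting "From: Alice <alice@example.org>, Sales <sales@example.org>" passes `accept` but is refused by `rejects_on_multiplicity`, while a Sender: of bob@example.org under alice's credentials is refused by both.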