ubuntu-mail-server team mailing list archive

Thread
Date

[Bug 644046] Re: should test handling of multiple From addresses

To: ubuntu-mail-server@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Mon, 04 Oct 2010 22:29:34 -0000
Reply-to: Bug 644046 <644046@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The potential for this problem is now public.

http://mipassoc.org/pipermail/ietf-dkim/2010q4/014633.html

** Visibility changed to: Public

-- 
should test handling of multiple From addresses
https://bugs.launchpad.net/bugs/644046
You received this bug notification because you are a member of Ubuntu
Mail Server, which is subscribed to pydkim in ubuntu.

Status in “pydkim” package in Ubuntu: Confirmed

Bug description:
Scott Kitterman mentioned problems in some dkim implementations.  By inspection I don't think pydkim is vulnerable to this but it would be nice to add a test.  He asked that this be kept confidential for now.

----

I've recently become aware that there are potential problems with multiple 
>From addresses and DKIM.  At least one vendor has modified their code to deal 
with the problem of a message being DKIM signed with one From and then later 
the bad guy adds a second from to the message and resends it.  Since the 
original From is still there, the signature still validates, but many MUAs 
will display the second one leading to a case where users might be presented a 
DKIM validates message and a From that isn't the one in the signature.

The solution is to make sure when you are canonicalizing the message include 
all From headers and not just one.  That way if a From is added, the signature 
validation will fail.

I have not had time to check pydkim to see how it handles this.  If I do, I'll 
let you know.  Since this is a protocol vulnerability, it will take some time 
to get a coordinated resolution, so if you change things in the meantime, 
please don't say you're doing it for security reasons.

Scott K