[Mimedefang] X-MIMEDefang-Relay leaking through bounces (was re: Questions on Received, stream_by_recipient, and SpamAssassin)

David F. Skoll dfs at roaringpenguin.com
Tue Apr 22 09:30:01 EDT 2003


On Mon, 21 Apr 2003, Kelson Vibber wrote:

> I think I found the problem.  I have MD reject mail that scores higher than
> 25 points with SpamAssassin.  If I've streamed the message by recipient,
> the reject code goes to my own server instead of the relay, and Sendmail
> generates and queues up a full bounce notice.

Ah.

Actually, leaking out the key is not a terrible thing.  If you read the
mimedefang-filter(5) man page, it recommends not trusting the header unless
it is set by a host you trust, like one of your secondary MX hosts
or 127.0.0.1.  Here's the recommended code to put in filter_begin:

            if ($WasResent) {
                 if ($RealRelayAddr ne "127.0.0.1" and
                     $RealRelayAddr ne "ip.of.secondary.mx" and
                     $RealRelayAddr ne "ip.of.tertiary.mx") {
                      $RelayAddr = $RealRelayAddr;
                      $RelayHostname = $RealRelayHostname;
                 }
            }

This means that if someone forges the header and sends it to your
machine, your machine won't believe it (because it doesn't come from
a "trusted" machine.)  If someone forges the header and sends it to
one of your other MX hosts, that's OK; MIMEDefang on that host will
delete the header and replace it with the proper value.  As long as all
your trusted hosts always put in a valid header, and as long as they ignore
a header from an untrusted host, you're OK.  In the extreme case where
only 127.0.0.1 adds the header, you simply don't trust it unless the
real relay address is 127.0.0.1.

The only reason, in fact, to use a randomized key instead of a
standard header is to make spammers who don't know any better do more
work... they might think they have to forge the header for each
receiving site. :-)

Regards,

David.
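
The trust rule described in the message above, as an added example that is not part of the original post or MIMEDefang's own code: a stand-alone Perl script that applies the same decision to three constructed deliveries. The helper name `effective_relay`, the hash keys, and all addresses and hostnames (documentation ranges) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed addresses from documentation ranges; substitute your own MX hosts.
my %TRUSTED_RELAY = map { $_ => 1 } ('127.0.0.1', '192.0.2.10', '192.0.2.11');

# Hypothetical helper mirroring the filter_begin check above.
# was_resent : a relay header was present (the $WasResent case)
# hdr_*      : relay address/hostname claimed by that header
# real_*     : host that actually connected to this machine
sub effective_relay {
    my (%m) = @_;
    # No relay header: the connecting host is the relay.
    return ($m{real_addr}, $m{real_host}) unless $m{was_resent};
    # Header set by a trusted host: believe what the header says.
    return ($m{hdr_addr}, $m{hdr_host}) if $TRUSTED_RELAY{ $m{real_addr} };
    # Header from an untrusted host: ignore it, fall back to the real relay.
    return ($m{real_addr}, $m{real_host});
}

# Constructed sample deliveries.
my @cases = (
    { name => 'forged header, sent straight to this host',
      was_resent => 1,
      real_addr => '203.0.113.7',   real_host => 'client.example.net',
      hdr_addr  => '127.0.0.1',     hdr_host  => 'localhost' },
    { name => 'header added by secondary MX',
      was_resent => 1,
      real_addr => '192.0.2.10',    real_host => 'mx2.example.org',
      hdr_addr  => '198.51.100.25', hdr_host  => 'sender.example.com' },
    { name => 'no header, direct delivery',
      was_resent => 0,
      real_addr => '198.51.100.25', real_host => 'sender.example.com' },
);

for my $c (@cases) {
    my ($addr, $host) = effective_relay(%$c);
    printf "%-42s => %s (%s)\n", $c->{name}, $addr, $host;
}
```

Only the second case takes its relay from the header; the forged header in the first case is discarded because the connecting host is not in the trusted set.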


