[Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
Ralph Hayon
ralph at naturalwireless.com
Fri Apr 21 18:26:13 EDT 2023
OK, now I understand why no INPUTMSG for filter_sender(), it is testing
early before all of the message has come in. Got it.
For your SpamAssassin example, what I really want to extract from
DKIM is the domain in the signature, which will be unique to my company
(we are using Gmail business and set up a company domain).
I am getting messages that have a DKIM, but a spoofed sender at
@example.com. To prevent too many false positives on just rejecting
invalid DKIMs, I want to extract the domain from the DKIM to check it
against specific domains I know only come from me.
I had a situation where an employee got tricked with a fake email that
they thought came from another company employee.
I don't even want these to come in as SPAM. We had that email marked and
that person just walked past that.
Thanks,
Ralph
On 4/21/2023 5:59 PM, Bill Cole via MIMEDefang wrote:
> On 2023-04-21 at 16:41:43 UTC-0400 (Fri, 21 Apr 2023 16:41:43 -0400)
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
> is rumored to have said:
>
>> Hi Dianne,
>>
>> Ok, I could not find any documentation that states this. This was my
>> guess based on my observations.
>
> The filter_* functions are called at the analogous stages in the SMTP
> transaction, so they only have the information known to the server at
> each stage.
>
>> I am trying to easily get the domain extracted by DKIM to validate
>> the sender's email domain.
>
> Until filter() you do not have ANY message headers or data, so you
> cannot validate DKIM until then. It is also worth noting that if you
> want to use DKIM with DMARC, you need to examine the address in the
> From header, NOT the envelope sender, which is what MD puts in the
> $Sender global. To get the From header address, you need to extract it
> from the $entity object that MD passes to the filter() subroutine.
>
>> I want to have a system that confirms that emails to my employees
>> from other employees are valid and not faked.
>
> If you are calling SpamAssassin 4.0 from MIMEDefang, you can use the
> existing rules and welcomelist/blocklist features in SA to do this, no
> coding needed. You would just add something like this to your local.cf:
>
> welcomelist_from_auth *@example.com
>
> describe _FROM_EXAMPLE From header has example.com domain
> header _FROM_EXAMPLE From =~ /\bexample\.com\b/
> meta FORGED_FROM_EXAMPLE _FROM_EXAMPLE && !DKIM_VALID_AU
> score FORGED_FROM_EXAMPLE 6
>
> You could do the work in filter() or filter_end() yourself, if you
> don't want to use SA.
>
>> Any suggestions how I can easily extract the arguments provided to
>> filter_sender() in a filter function after filter_begin() so that I
>> can use DKIM tests to assist with this?
>
> The globals documented in the mimedefang-filter man page are
> accessible from filter() as is the MIME::Entity object $entity which
> holds the message. You could also access the HEADERS file directly to
> find the From header.
>
>
>>
>> Thank you for the information!
>>
>> Thanks.
>>
>> Ralph
>>
>> On 4/21/2023 4:25 PM, Dianne Skoll via MIMEDefang wrote:
>>> On Fri, 21 Apr 2023 15:46:17 -0400
>>> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>>
>>>> When I try calling md_dkim_verify() inside of filter_sender() in
>>>> mimedefang-filter, it fails.
>>>> It also fails when I try calling md_dkim_verify() from
>>>> filter_recipient(), with the same results.
>>> You can't do DKIM tests until you have a message body. So the earliest
>>> you can do that is filter_begin()
>>>
>>> Regards,
>>>
>>> Dianne.
>>>
>>> _______________________________________________
>>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>>> message, it is NULL AND VOID. You may ignore it.
>>>
>>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
>>>
--
***************************************
Ralph Hayon
Natural Wireless
60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606
email: ralph at naturalwireless.com
www: naturalwireless.com
office: 201-438-2865 x 403
fax: 201-438-1803
cell: 201-315-7397
Natural Wireless
An Ultra Internet Service Provider
***************************************
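
The check discussed in this thread, sketched as an added example (not code from the thread or from the MIMEDefang project): reject mail whose From header claims a protected domain unless a passing DKIM signature comes from that same domain. The %PROTECTED list, the helper name check_internal_from() and the assumed return order of md_dkim_verify() (result first, signing domain second) are assumptions; confirm the last against the Mail::MIMEDefang::DKIM documentation for your version.

```perl
use strict;
use warnings;
use Mail::Address;    # from MailTools, already a dependency of MIME-tools

# Assumption: domains whose mail is always DKIM-signed by us.
my %PROTECTED = map { $_ => 1 } qw(example.com);

# Decide from the header From line(s) and the DKIM verdict. Strict match:
# the passing signature's d= domain must equal the From domain.
sub check_internal_from {
    my ($from_line, $dkim_result, $dkim_domain) = @_;
    for my $addr (Mail::Address->parse($from_line // '')) {
        my $host = lc($addr->host // '');
        next unless $PROTECTED{$host};
        return 'reject'
            unless ($dkim_result // '') eq 'pass'
                && lc($dkim_domain // '') eq $host;
    }
    return 'accept';
}

# Hook for mimedefang-filter. Assumption: md_dkim_verify() returns the
# result string first and the signing domain second; check the
# Mail::MIMEDefang::DKIM documentation for your version.
sub filter_end {
    my ($entity) = @_;
    my @from = $entity->head->get('From');    # header From, not $Sender
    chomp @from;
    my ($result, $domain) = md_dkim_verify();
    if (check_internal_from(join(', ', @from), $result, $domain) eq 'reject') {
        action_bounce('From domain is not authenticated by DKIM');
    }
}

# Constructed sample inputs; runs only when executed directly.
unless (caller) {
    my @cases = (
        [ 'Boss <boss@example.com>',   'pass', 'example.com' ],
        [ 'Boss <boss@example.com>',   'pass', 'mailer.invalid' ],
        [ 'Boss <boss@example.com>',   'none', undef ],
        [ 'Partner <p@other.invalid>', 'none', undef ],
    );
    printf "%-28s %-5s %-15s => %s\n", $_->[0], $_->[1], $_->[2] // '-',
        check_internal_from(@$_) for @cases;
}
```

The second sample case is the one described in the message above: the DKIM signature verifies, but for a domain other than the one in the From header, so the message is rejected.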