[Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()

Ralph Hayon ralph at naturalwireless.com
Fri Apr 21 18:26:13 EDT 2023


OK, now I understand why no INPUTMSG for filter_sender(), it is testing 
early before all of the message has come in. Got it.

For your SpamAssassin example, what I really want to extract from 
DKIM is the Domain in the signature, which will be unique to my company 
(we are using Gmail business and set up a company domain).

I am getting messages that have a DKIM, but a spoofed sender at 
@example.com. To prevent too many false positives on just rejecting 
invalid DKIMs, I want to extract the domain from the DKIM to check it 
against specific domains I know only come from me.

I had a situation where an employee got tricked with a fake email that 
they thought came from another company employee.

I don't even want these to come in as SPAM. We had that email marked and 
that person just walked past that.

Thanks,

Ralph


On 4/21/2023 5:59 PM, Bill Cole via MIMEDefang wrote:
> On 2023-04-21 at 16:41:43 UTC-0400 (Fri, 21 Apr 2023 16:41:43 -0400)
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
> is rumored to have said:
>
>> Hi Dianne,
>>
>> Ok, I could not find any documentation that states this. This was my 
>> guess based on my observations.
>
> The filter_* functions are called at the analogous stages in the SMTP 
> transaction, so they only have the information known to the server at 
> each stage.
>
>> I am trying to easily get the domain extracted by DKIM to validate 
>> the sender's email domain.
>
> Until filter() you do not have ANY message headers or data, so you 
> cannot validate DKIM until then. It is also worth noting that if you 
> want to use DKIM with DMARC, you need to examine the address in the 
> From header, NOT the envelope sender, which is what MD puts in the 
> $Sender global. To get the From header address, you need to extract it 
> from the $entity object that MD passes to the filter() subroutine.
>
>> I want to have a system that confirms that emails to my employees 
>> from other employees are valid and not faked.
>
> If you are calling SpamAssassin 4.0 from MIMEDefang, you can use the 
> existing rules and welcomelist/blocklist features in SA to do this, no 
> coding needed. You would just add something like this to your local.cf:
>
>    welcomelist_from_auth   *@example.com
>
>    describe _FROM_EXAMPLE  From header has example.com domain
>    header   _FROM_EXAMPLE  From =~ /\bexample\.com\b/
>    meta     FORGED_FROM_EXAMPLE   _FROM_EXAMPLE && !DKIM_VALID_AU
>    score    FORGED_FROM_EXAMPLE   6
>
> You could do the work in filter() or filter_end() yourself, if you 
> don't want to use SA.
>
>> Any suggestions how I can easily extract the arguments provided to 
>> filter_sender() in a filter function after filter_begin() so that I 
>> can use DKIM tests to assist with this?
>
> The globals documented in the mimedefang-filter man page are 
> accessible from filter() as is the MIME::Entity object $entity which 
> holds the message. You could also access the HEADERS file directly to 
> find the From header.
>
>
>>
>> Thank you for the information!
>>
>> Thanks.
>>
>> Ralph
>>
>> On 4/21/2023 4:25 PM, Dianne Skoll via MIMEDefang wrote:
>>> On Fri, 21 Apr 2023 15:46:17 -0400
>>> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>>
>>>> When I try calling md_dkim_verify() inside of filter_sender() in
>>>> mimedefang-filter , it fails.
>>>> It also fails when I try calling md_dkim_verify() from
>>>> filter_recipient(), with the same results.
>>> You can't do DKIM tests until you have a message body.  So the earliest
>>> you can do that is filter_begin()
>>>
>>> Regards,
>>>
>>> Dianne.
>>>
>>> _______________________________________________
>>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>>> message, it is NULL AND VOID.  You may ignore it.
>>>
>>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>>
>>
>>
>
>

-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************
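
Added example, not part of the thread or of MIMEDefang's own code: the check discussed above, rejecting mail whose From header claims a company domain unless a DKIM signature both verified and carries that same domain in d=. The names %PROTECTED, from_domain() and forged_internal() and the sample cases are constructed for illustration, and the [result, domain] pairs are assumed to come from a DKIM verifier run once the whole message is available.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Mail::Address;    # from MailTools; assumed installed alongside MIME-tools

# Placeholder list: domains whose mail must carry their own valid signature.
my %PROTECTED = map { $_ => 1 } qw(example.com);

# Domain of the first address in a From header value, lowercased ('' if none).
sub from_domain {
    my ($from_hdr) = @_;
    my ($addr) = Mail::Address->parse($from_hdr // '');
    return '' unless $addr && defined $addr->host;
    return lc $addr->host;
}

# True when From claims a protected domain but no signature both verified
# and was made by that same domain (strict d= match, no subdomain relaxation).
sub forged_internal {
    my ($from_hdr, @sigs) = @_;    # each element: [ result, d= domain ]
    my $dom = from_domain($from_hdr);
    return 0 unless $PROTECTED{$dom};
    for my $sig (@sigs) {
        my ($result, $d) = @$sig;
        return 0 if ($result // '') eq 'pass' && lc($d // '') eq $dom;
    }
    return 1;
}

# In mimedefang-filter, filter_end($entity) would pass
# $entity->head->get('From') and one [ $s->result, $s->domain ] pair per
# signature reported by a Mail::DKIM::Verifier that was fed ./INPUTMSG,
# then call action_bounce() when this returns true.

# Constructed cases: header value followed by zero or more signature pairs.
my @cases = (
    [ '"Boss" <boss@example.com>', [ 'pass', 'example.com' ] ],
    [ '"Boss" <boss@example.com>', [ 'pass', 'bulk-sender.invalid' ] ],
    [ '"Boss" <boss@example.com>' ],
    [ 'friend@example.org',        [ 'fail', 'example.org' ] ],
);
for my $case (@cases) {
    my ($from, @sigs) = @$case;
    printf "%-28s %s\n", $from, forged_internal($from, @sigs) ? 'reject' : 'accept';
}
```

The second case is the one described in the message: the mail has a valid DKIM signature, but it was made by a domain other than the one shown in From.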



