In the IETF-DKIM mailing list, it came to light that an attacker could
send a properly signed email with the attacker's domain, but prepend a
second From: header that says it's from someone@???, and MUA's
will show the second From. It doesn't screw up the signature because
the original From: is what is used to verify the signature. At issue
is that RFC 5532 requires that an email have only one From: header.
To enforce this within exim, I have a simple ACL and perl function
that will count whatever headers you ask it to.
1. Put this somewhere in your data ACL, preferably before the first accept verb:
deny set acl_m_h_from_count = ${perl{count_headers}{from}}
message = Rejected: RFC 5322 limits an email to one
From header, yours had $acl_m_h_from_count
condition = ${if >{$acl_m_h_from_count}{1}}
2. Put this in your perl file:
sub count_headers {
my $name = shift() || return('0');
my @headers = split(/\n/, Exim::expand_string('$message_headers'));
my $count = 0;
foreach my $line ( @headers ) {
$count++ if ( $line =~ m/^\Q$name\E/i );
}
return("$count");
}
If you don't have exim configured to use the built in perl
interpreter, enabling it is easy. The way I did it was to create an
/etc/exim/mod_exim.pl file with the contents being the perl function
above. Then in /etc/exim/exim.conf, I put:
perl_startup = do '/etc/exim/mod_exim.pl'
perl_at_start
Restart exim and VOILA, rejection of emails with more than one From:
header. Exim for great justice!
BTW, this function can be used to count any headers. In the same way,
you could limit the number of received headers, or date headers, or
require a minimum number of received headers, etc. Imagination is
your only limitation.
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurealius
