[exim-dev] [Bug 3069] Protect MUAs against attacks on BIMI

Author: Exim Bugzilla
Date:
To: exim-dev
Subject: [exim-dev] [Bug 3069] Protect MUAs against attacks on BIMI
https://bugs.exim.org/show_bug.cgi?id=3069

--- Comment #3 from Andrew Aitchison <exim@???> ---
(In reply to Jeremy Harris from comment #2)
> I'm not sure whether this really belongs as part of exim, beyond possibly
> being documented somewhere.


The test is real, but everything else is just documentation.
The action is in the sample config, but commented out.

In theory these headers are only added on final delivery when the final MTA
calculates and verifies them (using DMARC and more DNS and https
so I don't envisage we will ever do this).
The attack is to set them maliciously and have the MUA display the icon.
The draft requests that MTAs remove the headers to protect against this.
Since Google and Yahoo! now support BIMI, if, say, Thunderbird implements
it too it would be nice to protect our users.

> If it's only stripping a specific few headers, by name, we surely already
> test for that elsewhere in the testsuite.


The draft says that these headers should *not* be signed.
I wanted to test that we don't break DKIM by removing them,
thus losing messages.

I don't really have a problem if you think the existing tests are
sufficient. I put this one in for completeness and practice.

> So possibly moot:
>
> I'm unclear how much the patch here is dependent on dkim and dmarc.
> The testcase seems to assume them but I suspect the patch is entirely
> independent. That could be tidied up.


BIMI requires dmarc, but you are right we could remove dmarc from the test.

I'd like to use dkim in the test if it is available, but still test
if it is not. Is that possible?

> Also, the testcase log seems to accept a message but never deliver it,
> yet one appears in the test/mail/ dir.


If I change the file test/mail/4640 then
        runtest 4640
complains. I thought that was the delivery.
What have I missed?


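As an added illustration, not Exim's code and not part of the bug report or its test: a small Python sketch of the strip-on-receipt behaviour the draft asks of MTAs, together with the check behind the DKIM concern above. It assumes the draft's receiver-set header names are BIMI-Location and BIMI-Indicator, and reports whether a DKIM-Signature claims to cover them (which the draft says it must not), since removing a signed header is what would break DKIM verification downstream.

```python
import email
from email import policy

# Receiver-set BIMI headers named in the BIMI draft (assumption: the bug
# report itself does not list the header names).
BIMI_MTA_HEADERS = ("BIMI-Location", "BIMI-Indicator")

# Constructed sample: an inbound message carrying forged BIMI headers, with a
# DKIM-Signature whose h= tag (wrongly, per the draft) covers BIMI-Indicator.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b" h=from:subject:bimi-indicator; bh=ZmFrZQ==; b=ZmFrZQ==\r\n"
    b"From: sender@example.com\r\n"
    b"Subject: forged icon\r\n"
    b"BIMI-Location: https://forged.invalid/logo.svg\r\n"
    b"BIMI-Indicator: PHN2Zz4=\r\n"
    b"BIMI-Indicator: PHN2Zz4=\r\n"
    b"\r\n"
    b"body\r\n"
)


def dkim_signed_headers(msg):
    """Return the lower-cased header names listed in h= of every DKIM-Signature."""
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        unfolded = str(sig).replace("\r", "").replace("\n", "")
        for tag in unfolded.split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "h":
                signed.update(h.strip().lower() for h in value.split(":") if h.strip())
    return signed


def strip_bimi_headers(raw):
    """Drop receiver-set BIMI headers from an inbound message.

    Returns (cleaned_bytes, removed_count, signed_conflicts); the last item
    lists BIMI headers a DKIM-Signature claims to cover, which the draft
    forbids and which is worth logging, since removal then breaks that signature.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    signed = dkim_signed_headers(msg)
    conflicts = [h for h in BIMI_MTA_HEADERS if h.lower() in signed]
    removed = 0
    for name in BIMI_MTA_HEADERS:
        removed += len(msg.get_all(name, []))
        del msg[name]  # removes every occurrence, so repeated headers also go
    return msg.as_bytes(), removed, conflicts
```

On the constructed sample this removes three headers and flags BIMI-Indicator as signed; an MTA would log that conflict rather than accept the icon.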