linagora / james-project

Mirror of Apache James Project
Apache License 2.0

[CNB] DKIMHook should also validate mail from #5265

Closed chibenwa closed 1 month ago

chibenwa commented 2 months ago

On port 25 we wish that only mails originating from the platform (either authenticated OR DKIM signed) use a local FROM address in their mail headers.

GIVEN attacker@evil.com
WHEN attacker@evil.com sends a mail to a local user
AND uses `MAIL FROM: <attacker@evil.com>` in the envelope
AND sets `From: victim@local.fr`
THEN the SMTP transaction on port 25 gets rejected as the mail is not DKIM signed

Note: a legitimate use of a local From from an external sender is:

GIVEN lawyer1@orange.fr redirects mails to lawyer1@platform.fr
WHEN lawyer2@platform.fr sends a mail to lawyer1@orange.fr
THEN orange.fr will send us a mail using a local From but we shall accept it as the DKIM is valid...

What to do

Modify `DKIMHook.DKIMCheckNeeded.onlyForSenderDomain` in order to apply if the from of the envelope is matching the domain OR the header from is matching the specified domain.

Special care needs to be taken in order to handle an invalid header from (the second clause is skipped in case of error).

We need both unit and integration tests for this.
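The decision rule requested above, as an added sketch that is not James code: the class `DkimCheckNeededSketch`, its methods and the simplified address parser are hypothetical and only illustrate "envelope sender OR header From matches the domain, with the second clause skipped on an invalid header From".

```java
import java.util.Locale;
import java.util.Optional;

// Added sketch, not James code: class and method names are hypothetical.
public class DkimCheckNeededSketch {

    // Domain of a bare or angle-bracketed address; empty when it cannot be parsed.
    // Simplified on purpose: no RFC 5322 groups, comments or multiple mailboxes.
    static Optional<String> domainOf(String value) {
        if (value == null) {
            return Optional.empty();
        }
        String addr = value.trim();
        int open = addr.lastIndexOf('<');
        int close = addr.lastIndexOf('>');
        if (open >= 0 || close >= 0) {
            if (open < 0 || close < open) {
                return Optional.empty(); // unbalanced brackets
            }
            addr = addr.substring(open + 1, close).trim();
        }
        int at = addr.lastIndexOf('@');
        if (at <= 0 || at == addr.length() - 1 || addr.contains(" ")) {
            return Optional.empty();
        }
        return Optional.of(addr.substring(at + 1).toLowerCase(Locale.ROOT));
    }

    // DKIM is required when the envelope sender OR the header From uses the local domain.
    // An unparsable header From yields Optional.empty(), so the second clause is skipped.
    static boolean dkimCheckNeeded(String localDomain, String mailFrom, String headerFrom) {
        String local = localDomain.toLowerCase(Locale.ROOT);
        return domainOf(mailFrom).filter(local::equals).isPresent()
            || domainOf(headerFrom).filter(local::equals).isPresent();
    }

    public static void main(String[] args) {
        // Constructed inputs: external envelope sender with a local, an external
        // and an unparsable header From.
        System.out.println(dkimCheckNeeded("local.fr", "<attacker@evil.com>", "victim@local.fr"));
        System.out.println(dkimCheckNeeded("local.fr", "<attacker@evil.com>", "Bob <bob@evil.com>"));
        System.out.println(dkimCheckNeeded("local.fr", "<attacker@evil.com>", "victim@local.fr <"));
    }
}
```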

quantranhong1999 commented 1 month ago

https://github.com/apache/james-project/pull/2446

Arsnael commented 1 month ago

Forgot, thanks