search

trusteddomainproject / OpenDMARC

This is the Trusted Domain Project's impementation of the DMARC protocol libary and mail filter, called OpenDMARC. A "milter" connects to unix-based mailers (originally, sendmail, but now many) and provides a standard filtering API.
Other
98 stars 52 forks source link

Incorrect header parsing #243

Open kpeeters opened 1 year ago

kpeeters commented 1 year ago

An email with the following "From:" header was accepted by my mail server:

From: "Someone <someone@junk.com>"@mydomain.com

The server a.b.c.d from which this email was sent to my port 25 is a valid (according to SPF) server for "junk.com", but not for "mydomain.com". The domain "mydomain.com" is hosted on my server.

I would have expected this to fail, as a.b.c.d is not a permitted sender for "mydomain.com" according to SPF records. But OpenDMARC probably looked at the "@junk.com" part and decided this was allowed.

A test without the pointy brackets shows that, in that case, the message gets rejected correctly.

This has been confirmed by at least one other person, see https://github.com/mail-in-a-box/mailinabox/issues/2273.

futatuki commented 3 months ago

I've tested dmarcf_mail_parse() and dmarcf_mail_parse_multi() by patching opendmarc-parse-test-patch.txt against opendmarc/parse.c, and compiled with 

cc -DMAILPARSE_TEST -DMAILPARSE_MULTI_TEST -O0 -g -o mailparse_multi 
cc -DMAILPARSE_TEST -O0 -g -o mailparse parse.c`

then got:

$  ./mailparse 'From: "Someone <someone@junk.com>"@mydomain.com'
user: '"Someone <someone@junk.com>"'
domain: 'mydomain.com'
$ ./mailparse_multi 'From: "Someone <someone@junk.com>"@mydomain.com'
user: '"Someone <someone@junk.com>"'
domain: 'mydomain.com'

Also, SPF is not applied to From: header but smtp.from. So I don't think that this is not a problem on header parsing, and if there is some problem about it, it is on handling of smtp.from.

What is smtp.from is the case ?