Welcome to the mailbox user forum
 

Inconsistent "Authentication-Results" of mailbox servers seems potentially risky

k234525 shared this idea 21 months ago
Proposed

Currently, the mailbox SMTP server seems to apply the "Authentication-Results" header only if DKIM signatures were found. This can be a problem when enabling Auto PGP, where an e-mail client may be configured to rely on the headers instead, and given an attacker can inject "Authentication-Results" further below in the return path as well.

In practice, the e-mail IMAP clients I tested simply seem to check whether any "Authentication-Results: ... dkim=pass" header is present in absence of any specifying "none" or "fail". They seem to do this even if there's not even a DKIM signature present. This seems to mean if the mailbox SMTP doesn't always set "Authentication-Results", a client might blindly trust an attacker-injected one even in absence of a valid DKIM signature.

Unless I'm missing something, mailbox should probably always inject "Authentication-Results", e.g. via OpenDKIM's AlwaysAddARHeader.

Best Answer
photo

Hi,

thank you very much for your posting and the heads up. We are looking into the matter. Please keep in mind that this is a forum for users to help each other. It would be great if you could report bugs or feature requests directly to helpdesk here https://support.mailbox.org in the future. That way we can better keep track of it.

With kind regards

your mailbox.org team

This comment is in trash! Restore

Replies (3)

photo
1

This still seems to be unaddressed as of today.

This comment is in trash! Restore
photo
1

This seems to be ongoing still.

This comment is in trash! Restore
photo
2

Hi,

thank you very much for your posting and the heads up. We are looking into the matter. Please keep in mind that this is a forum for users to help each other. It would be great if you could report bugs or feature requests directly to helpdesk here https://support.mailbox.org in the future. That way we can better keep track of it.

With kind regards

your mailbox.org team

This comment is in trash! Restore
photo
1

Thanks so much for the response! Typically, when I bring up some technical issue, support redirects me here, which is fair enough. This includes when my own suspicion is that it's a bug on the mailbox side. I have therefore resorted to posting them here instead to avoid doing that twice.

This comment is in trash! Restore
photo
1

Happy new year! As of 2025/01/13, this still seems to be ongoing.

This comment is in trash! Restore
photo
1

As of a mail received on 2025/03/05, this still seems to be unfixed.

This comment is in trash! Restore
photo
1

As of 2025/03/21, this still seems to be unfixed.

This comment is in trash! Restore
photo
1

As of mid June 2025, this still seems to be unfixed.

This comment is in trash! Restore
photo
1

As of today, 1st of July 2025. this appears to be ongoing.

This comment is in trash! Restore
photo
2

Come on, it's only been nine months. :-) Do you know how other e-mail providers handle this?

This comment is in trash! Restore
photo
1

It's a one line config option in most setups. I'm not aware of other providers handle this, no.

This comment is in trash! Restore
photo
3

Thank you for your comments. We are currently looking into the matter and will get back to you, as soon as we have more information. Until then we ask for a little more patience.

With kind regards

Your mailbox.org team

This comment is in trash! Restore
photo
2

Big update: this has kind of been implemented, but it still seems to be a little buggy:

Authentication-Results: incoming_mbo;
    dkim=none;
    dmarc=none;
Shouldn't this say something.mailbox.org and not "incoming_mbo" so we know a mailbox.org server added this? Other than that, this looks very promising.

This comment is in trash! Restore
photo
Leave a Comment
 
Attach a file
You can't vote. Please authorize!