Inconsistent "Authentication-Results" of mailbox servers seems potentially risky

Ellie shared this idea 4 months ago
Proposed

Currently, the mailbox SMTP server seems to apply the "Authentication-Results" header only if DKIM signatures were found. This can be a problem when enabling Auto PGP, where an e-mail client may be configured to rely on the headers instead, and given an attacker can inject "Authentication-Results" further below in the return path as well.

In practice, the e-mail IMAP clients I tested simply seem to check whether any "Authentication-Results: ... dkim=pass" header is present in absence of any specifying "none" or "fail". They seem to do this even if there's not even a DKIM signature present. This seems to mean if the mailbox SMTP doesn't always set "Authentication-Results", a client might blindly trust an attacker-injected one even in absence of a valid DKIM signature.

Unless I'm missing something, mailbox should probably always inject "Authentication-Results", e.g. via OpenDKIM's AlwaysAddARHeader.
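To make the failure mode in this post concrete, here is an added example (not code from the original post, mailbox.org, or OpenDKIM) that models both sides: a client's naive check that accepts any "dkim=pass" it finds, a strict check that trusts only the topmost Authentication-Results header carrying the receiving server's own authserv-id, and the receiving MTA's duty under RFC 8601 of removing inbound headers that claim its authserv-id and always stamping its own verdict (which is what AlwaysAddARHeader provides). The authserv-id `mx.example.org`, the sample messages and the attacker's domain are all constructed for the example.

```python
"""Added example: evaluating Authentication-Results (A-R) headers safely.
Not mailbox.org code. 'mx.example.org' and all messages are constructed."""
import email
import re
from email import policy

TRUSTED_AUTHSERV_ID = "mx.example.org"  # constructed: the receiving MTA we trust

# authserv-id, optional version number, ';', then 'method=result ...' clauses (RFC 8601)
AR_RE = re.compile(r"^\s*(?P<authserv>[^\s;]+)(?:\s+\d+)?\s*;(?P<body>.*)$")


def parse_ar(value):
    """Return (authserv_id, {method: result}) for one A-R header value."""
    m = AR_RE.match(" ".join(value.split()))  # collapse header folding
    if not m:
        return None, {}
    results = {}
    for clause in m.group("body").split(";"):
        clause = clause.strip()
        if not clause or clause.lower() == "none":  # 'none' = no authentication done
            continue
        method, _, rest = clause.partition("=")
        results[method.strip().lower()] = rest.split()[0].lower() if rest.split() else ""
    return m.group("authserv").lower(), results


def ar_headers(raw):
    """All A-R headers of a raw message, top to bottom, already parsed."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [parse_ar(str(h)) for h in msg.get_all("Authentication-Results", [])]


def naive_dkim_pass(raw):
    """The behaviour the post reports for tested clients: any 'dkim=pass' wins
    unless some A-R header says 'none' or 'fail'. Who wrote the header is ignored."""
    seen = [res.get("dkim") for _, res in ar_headers(raw)]
    if any(r in ("none", "fail") for r in seen):
        return False
    return "pass" in seen


def strict_dkim_pass(raw, trusted=TRUSTED_AUTHSERV_ID):
    """RFC 8601 style: only the topmost A-R header from our own authserv-id counts;
    absence of such a header means 'unknown', never 'pass'."""
    for authserv, res in ar_headers(raw):
        if authserv == trusted:
            return res.get("dkim") == "pass"
    return False


def mta_stamp(raw, dkim_result, authserv=TRUSTED_AUTHSERV_ID):
    """What the receiving MTA should do (RFC 8601 section 5): drop any inbound
    A-R header claiming our authserv-id, then prepend our own verdict. Stamping
    even unsigned mail (dkim=none) is what AlwaysAddARHeader achieves."""
    msg = email.message_from_string(raw, policy=policy.default)
    kept = [str(h) for h in msg.get_all("Authentication-Results", [])
            if parse_ar(str(h))[0] != authserv]
    del msg["Authentication-Results"]  # removes every occurrence
    for v in kept:
        msg["Authentication-Results"] = v
    return f"Authentication-Results: {authserv}; dkim={dkim_result}\n" + msg.as_string()


# Constructed sample messages; none of this is real traffic.
LEGIT = (
    "Authentication-Results: mx.example.org;\n"
    "\tdkim=pass header.d=sender.example\n"
    "From: alice@sender.example\n\nhello\n")
# Unsigned mail, so the MTA stamped nothing; an A-R header was injected earlier in the path.
FORGED_NO_STAMP = (
    "Authentication-Results: mail.attacker.example; dkim=pass header.d=bank.example\n"
    "From: alerts@bank.example\n\nclick\n")
# Same, but the injected header also claims the trusted authserv-id.
FORGED_SPOOFED_ID = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=bank.example\n"
    "From: alerts@bank.example\n\nclick\n")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("forged", FORGED_NO_STAMP),
                      ("spoofed-id", FORGED_SPOOFED_ID)]:
        print(name, "naive:", naive_dkim_pass(raw), "strict:", strict_dkim_pass(raw))
        stamped = mta_stamp(raw, "pass" if name == "legit" else "none")
        print(name, "after MTA stamp -> naive:", naive_dkim_pass(stamped),
              "strict:", strict_dkim_pass(stamped))
```

Running it shows the two halves of the fix: the strict client check alone stops the foreign-authserv-id forgery but still accepts a spoofed authserv-id when the MTA added nothing, while an MTA that always stamps (and strips headers claiming its own id) makes both checks return false for unsigned mail.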

Best Answer

Hi,

thank you very much for your posting and the heads up. We are looking into the matter. Please keep in mind that this is a forum for users to help each other. It would be great if you could report bugs or feature requests directly to the helpdesk at https://support.mailbox.org in the future. That way we can better keep track of it.

With kind regards

your mailbox.org team

Replies (3)


This still seems to be unaddressed as of today.


This seems to be ongoing still.


Thanks so much for the response! Typically, when I bring up some technical issue, support redirects me here, which is fair enough. This includes when my own suspicion is that it's a bug on the mailbox side. I have therefore resorted to posting them here instead to avoid doing that twice.


Happy new year! As of 2025/01/13, this still seems to be ongoing.
