Yahoo Groups archive

Milter-greylist

S/MIME and PGP signed, crypted or both message whitelisting

2009-01-29 by Christian PELISSIER

Is it possible for milter-greylist to skip greylisting for S/MIME or PGP
signed, signed/crypted messages?

If not, implementation seems to be easy and could be done at the milter
header stage. Checking the Content-Type header seems to be sufficient:


Thunderbird S/MIME

Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
Content-Type: application/x-pkcs7-mime;

Evolution PGP

Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";


More details for 2 mail user agents.

S/MIME
======

* Thunderbird S/MIME signed mail:

User-Agent: Thunderbird 2.0.0.19 (X11/20090110)
MIME-Version: 1.0
...
Subject: Message =?ISO-8859-15?Q?sign=E9_avec_S/MIME?=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080106040709000008050704"
Content-Length: 3851
X-UID: 1550
Status: RO


* Thunderbird S/MIME signed and ciphered mail:

User-Agent: Thunderbird 2.0.0.19 (X11/20090110)
MIME-Version: 1.0
...
Subject: TEST signature et chiffrement avec S/MIME
Content-Type: application/x-pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"
Content-Description: S/MIME Encrypted Message
Content-Length: 6262
X-UID: 1548
Status: RO


For PGP
=======

* Evolution Signed

Subject: Test signature PGP
...
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="=-wUPeojl0Ll5QW4/ozup3"
...
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6.301d
Date: Thu, 29 Jan 2009 10:17:26 +0100
Content-Length: 703



* Evolution Signed and Ciphered

Subject: Test =?iso-8859-15?Q?sign=E9?= et chiffre
...
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
boundary="=-fXWByXmrap85hapbFRTd"
...
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6.301d
Date: Thu, 29 Jan 2009 10:18:53 +0100
Content-Length: 1535
...



-- 
Christian Pélissier

Re: [milter-greylist] S/MIME and PGP signed, crypted or both message whitelisting

2009-01-29 by Kai Schaetzl

Christian PELISSIER wrote on Thu, 29 Jan 2009 10:41:19 +0100:

> Is it possible for milter-greylist to skip greylisting for S/MIME or PGP
> signed, signed/crypted messages ?

A word of caution: as with any incoming headers, these can easily be
forged, e.g. if not greylisting signed messages by headers comes into
widespread use, spammers may just add this header without actually signing
or signing with a faked key.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: [milter-greylist] S/MIME and PGP signed, crypted or both message whitelisting

2009-01-29 by Christian PELISSIER

On Thu 29/01/2009 at 14:51, Michael Menge wrote:
> Quoting Christian PELISSIER <Christian.Pelissier@...>:
> 
> >
> > Is it possible for milter-greylist to skip greylisting for S/MIME or PGP
> > signed, signed/crypted messages ?
> >
> >
> > If not, implementation seems to be easy and could be done at the milter
> > header stage. Checking the Content-Type header seems to be sufficient :
> >
> No, the milter header stage does not include the mail header. See
> http://www.ietf.org/rfc/rfc2821.txt 3.3
> So only IP, HELO/EHLO message, MAIL FROM and RCPT are known before
> data stage.

Sorry. The data stage I was speaking about was not the SMTP one, and I
should have written "the milter header stage".

A few years ago (I hope it's still true) milter split the SMTP DATA
stage into 3 milter callbacks:

1 mlfi_header : we enter here with the main header part and leave with
mlfi_eoh
2 mlfi_eoh    : we enter here after the first empty line following the main
header part
3 mlfi_body   : we enter here after mlfi_eoh (other multipart headers and
message body, or only the message body, depending on attachments)

If the mail is already whitelisted there is no need to do this check; if the
greylist decision is to delay, then read ~20 lines of headers to give a
new chance to whitelist immediately:



#include <strings.h>              /* strcasecmp, strncasecmp */
#include <libmilter/mfapi.h>      /* SMFICTX, sfsistat, smfi_getpriv */

/* Per-message private data kept by the milter */
struct mlfi_priv {
    int accept;   /* set when a signed or encrypted Content-Type is seen */
};

sfsistat
mlfi_header(SMFICTX *ctx, char *headerf, char *headerv)
{
    struct mlfi_priv *priv = smfi_getpriv(ctx);

    /* compare the whole field name, so "Content-Type-Foo" does not match */
    if (strcasecmp(headerf, "Content-Type") == 0) {
        while (*headerv == ' ' || *headerv == '\t')   /* skip leading WSP */
            headerv++;
        if (strncasecmp(headerv, "multipart/signed", 16) == 0 ||
            strncasecmp(headerv, "multipart/encrypted", 19) == 0)
            priv->accept = 1;      /* FLAG TO ACCEPT MAIL */
        /* any other Content-Type: the flag stays 0 and greylisting proceeds */
    }
    return SMFIS_CONTINUE;
}


Yes, headers other than the first "Received:" are easy to forge, but for
the moment spammers don't waste time adding a forged S/MIME or PGP
header. So it could be a way to avoid delay for S/MIME and PGP mail
until ...



> 
> You can parse the mail text in the data stage with regular expressions,
> but this is more resource consuming and, as said by Kai Schätzl, these
> headers can be forged.
> 
> 
> 
> 
> --------------------------------------------------------------------------------
> M.Menge                                Tel.: (49) 7071/29-70316
> Universität Tübingen                   Fax.: (49) 7071/29-5912
> Zentrum für Datenverarbeitung          mail:  
> michael.menge@...-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
-- 
Christian Pélissier
Office National d'Études et de Recherches Aérospatiales
BP 72 92322 Chatillon
Tel: 33 1 46 73 44 19, Fax: 33 1 46 73 41 50
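The header-only check discussed in this thread (the Content-Type list in the first post and the mlfi_header sketch above), as an added example that is not part of the original thread nor of milter-greylist: it unfolds a Content-Type value and matches the media type together with the protocol parameter, so a "multipart/signed" carrying an unrelated protocol is not counted as a signature. The enum names, the 512-byte buffer and the function names are assumptions; like the sketch, it classifies text only and verifies nothing.

```c
#include <ctype.h>
#include <string.h>

/* Header-only classification of the Content-Type values shown in the
 * thread. It inspects text only: nothing here verifies a signature. */
enum ct_class { CT_OTHER, CT_SMIME_SIGNED, CT_SMIME_PKCS7MIME,
                CT_PGP_SIGNED, CT_PGP_ENCRYPTED };

/* Unfold the value (Evolution folds it over two lines), drop whitespace,
 * which is insignificant between MIME parameters, and lower-case it. */
static void normalize(const char *src, char *dst, size_t n)
{
    size_t i = 0;
    for (; *src && i + 1 < n; src++)
        if (!isspace((unsigned char)*src))
            dst[i++] = (char)tolower((unsigned char)*src);
    dst[i] = '\0';
}

/* True when buf starts with exactly this media type, not a longer token. */
static int media_type_is(const char *buf, const char *type)
{
    size_t n = strlen(type);
    return strncmp(buf, type, n) == 0 && (buf[n] == ';' || buf[n] == '\0');
}

enum ct_class classify_content_type(const char *value)
{
    char buf[512];                       /* assumed ample for one header */
    normalize(value, buf, sizeof buf);
    if (media_type_is(buf, "multipart/signed")) {
        /* RFC 1847: the protocol parameter names the signature format */
        if (strstr(buf, "protocol=\"application/pgp-signature\""))
            return CT_PGP_SIGNED;
        if (strstr(buf, "protocol=\"application/x-pkcs7-signature\"") ||
            strstr(buf, "protocol=\"application/pkcs7-signature\""))
            return CT_SMIME_SIGNED;
        return CT_OTHER;                 /* unknown protocol: not trusted */
    }
    if (media_type_is(buf, "multipart/encrypted") &&
        strstr(buf, "protocol=\"application/pgp-encrypted\""))
        return CT_PGP_ENCRYPTED;
    /* Thunderbird's encrypted case; the same type also carries opaque
     * signed-data, so it means "PKCS#7 envelope", not "encrypted" alone */
    if (media_type_is(buf, "application/x-pkcs7-mime") ||
        media_type_is(buf, "application/pkcs7-mime"))
        return CT_SMIME_PKCS7MIME;
    return CT_OTHER;
}
```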
