Check DKIM Authentication-Results (#3583)

Fix #3507 Note that this is not intended for a release at this point! We first have to test whether it runs stable enough. If we want to make a release while we are not confident enough in authres-checking, then we have to disable it. BTW, most of the 3000 new lines are in `test_data/messages/dkimchecks...`, not the actual code da3a4b94 adds the results to the Message info. It currently does this by adding them to `hop_info`. Maybe we should rename `hop_info` to `extra_info` or something; this has the disadvantage that we can't rename the sql column name though. Follow-ups for this could be: - In `update_authservid_candidates()`: Implement the rest of the algorithm @hpk42 and me thought about. What's missing is remembering how sure we are that these are the right authserv-ids. Esp., when receiving a message sent from another account at the same domain, we can be quite sure that the authserv-ids in there are the ones of our email server. This will make authres-checking work with buzon.uy, disroot.org, yandex.ru, mailo.com, and riseup.net. - Think about how we present this to the user - e.g. currently the only change is that we don't accept key changes, which will mean that the small lock on the message is not shown. - And it will mean that we can fully enable AEAP, after revisiting the security implications of this, and assuming everyone (esp. @link2xt who pointed out the problems in the first place) feels comfortable with it.
2026-04-17 21:46:35 +03:00 · 2022-10-28 12:15:37 +02:00
parent d8bc3769a5
commit b1c6c40fa7
326 changed files with 3304 additions and 42 deletions
--- a/test-data/message/dkimchecks_create-authresadding-attacker.py
+++ b/test-data/message/dkimchecks_create-authresadding-attacker.py
@@ -0,0 +1,22 @@
+# This is a small script which helped me write the atuhresadding-attacker@example.com emails
+# I still did quite some things manually.
+# cd dkimchecks-2022-09-28; for d in *; do cd $d ; python3 ../../create-forged-authres-added.py >forged-authres-added@example.com; cd $HOME/deltachat-android/jni/deltachat-core-rust/test-data/message/dkimchecks-2022-09-28; done
+
+with open("nami.lefherz@delta.blinzeln.de", "r") as f:
+    inheader = False
+    for l in f:
+        if inheader and l.startswith(" "):
+            print(l, end='')
+            continue
+        else:
+            inheader=False
+        if l.startswith("Authentication-Results: secure-mailgate.com"):
+            print(f"Authentication-Results: aaa.com; dkim=pass header.i=@example.com")
+        elif l.startswith("Authentication-Results:") and not l.startswith("Authentication-Results: secure-mailgate.com"):
+            print(l, end='')
+            inheader=True
+        if l.startswith("From:"):
+            print("From: forged-authres-added@example.com");
+        if l.startswith("Authentication-Results-Original"):
+            print("TO BE DELETED")
+    print(f"Authentication-Results: aaa.com; dkim=pass header.i=@example.com")