async fn update_authservid_candidates(
    context: &Context,
    authres: &Vec<(String, DkimResult)>,
) -> Result<()>
§About authserv-ids
After having checked DKIM, our email server adds an Authentication-Results header.
Now, an attacker could simply add their own Authentication-Results header saying dkim=pass to make us think that DKIM passed for their email with a forged From.
In order to prevent this, each email server adds its authserv-id to the Authentication-Results header, e.g. Testrun’s authserv-id is testrun.org, Gmail’s is mx.google.com. When Testrun gets a mail delivered from outside, it will then remove any Authentication-Results headers whose authserv-id is also testrun.org.
We need to somehow find out the authserv-id(s) of our email server, so that we can use the Authentication-Results with the right authserv-id.
§What this function does
When receiving an email, this function is called and updates the candidates for our server’s authserv-id, i.e. what we think our server’s authserv-id is.
Usually, every incoming email has an Authentication-Results header with our server’s authserv-id, so the intersection of the existing candidates and the authserv-ids in the incoming email is a good guess for our server’s authserv-id. When this intersection is empty, we assume that the authserv-id has changed and start over with the new authserv-ids.
See handle_authres.
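The candidate narrowing described above, as an added example that is not this crate's own implementation. The names `authserv_id`, `update_candidates` and `replay` are hypothetical, the header values are constructed, and leaving the candidates unchanged when a message carries no Authentication-Results header at all is an assumption.

```rust
use std::collections::BTreeSet;

/// Authserv-id of one Authentication-Results value: the first token before ';'.
fn authserv_id(value: &str) -> Option<String> {
    let id = value.split(';').next()?.split_whitespace().next()?;
    Some(id.to_string())
}

/// Hypothetical helper: narrow the stored candidates with one message's headers.
fn update_candidates(old: &BTreeSet<String>, headers: &[&str]) -> BTreeSet<String> {
    let incoming: BTreeSet<String> = headers.iter().filter_map(|h| authserv_id(h)).collect();
    if incoming.is_empty() {
        // Assumption: a message without any Authentication-Results teaches us nothing.
        return old.clone();
    }
    let both: BTreeSet<String> = old.intersection(&incoming).cloned().collect();
    // Empty intersection: assume the server's authserv-id changed and start over.
    if both.is_empty() { incoming } else { both }
}

/// Feeds a sequence of messages through the update and returns the final candidates.
fn replay(messages: &[Vec<&str>]) -> Vec<String> {
    let mut candidates = BTreeSet::new();
    for headers in messages {
        candidates = update_candidates(&candidates, headers);
    }
    candidates.into_iter().collect()
}

fn main() {
    // Constructed header values, not taken from real mail.
    let messages = vec![
        // Mail relayed via Gmail: two candidates are learned.
        vec!["testrun.org; dkim=pass header.d=example.org", "mx.google.com; dkim=pass header.d=example.org"],
        // Sender-supplied header with a foreign authserv-id: it never becomes a candidate.
        vec!["testrun.org; dkim=fail", "forged.example; dkim=pass header.d=example.org"],
    ];
    println!("{:?}", replay(&messages));
}
```

A header is only trusted if its authserv-id is among the remaining candidates, so the forged `dkim=pass` in the second message is ignored while the server's own `dkim=fail` counts.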