Add BIMI plugin (#8143) #8860
Add BIMI plugin (#8143) #8860
Conversation
candrews
force-pushed
the
bimi
branch
3 times, most recently
from
86f9000 to
51ca1e4
Compare
Brand Indicator Message Identification (BIMI) is an industry-wide standards effort to use brand logos as indicators to help email recipients recognize and avoid fraudulent messages. See: https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ Signed-off-by: Craig Andrews <[email protected]>
|
How do you prevent spam mails from impersonating/phishing others? I know the official RFC has some insane signing requirements, but would be nice to not have to force this. Maybe only show the images if they are not in the Junk folder? Or only show the BIMI if DKIM=pass? |
Indeed, I really don't want to have to implement that. Other providers aren't requiring certificates (aka VMCs) either; for example, Yahoo isn't requiring VMCs. As a user, I've added BIMI to my personal domain, and I'm certainly not going to pay $500+ for a VMC; I suspect there are many other people/organizations with that feeling too.
Do you have any hints as to how the plugin can know if the current email is in the junk folder?
That seems like a great idea, and I just noticed that the RFC suggests doing that: https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance#name-bimi-processing-requirement And Apple does that, too. I'm not sure how to read the current email's headers to tell if DKIM passed; I'll try to figure that out, but if you happen to know, I'd love a pointer to save me the trouble of figuring it out on my own :) |
|
Apple seems to require the certificate still. I meant You can look at https://github.com/pimlie/authres_status for inspiration, if you only look at DMARC for validation it shouldn't be that hard to check the Authentication-Results headers for |
|
@candrews, reading the message headers is documented |
|
I tried checking the Authentication-Results header, etc. FYI. Below is what I am checking
|
|
It makes no sense to query DNS records live. Rely on the mail-headers. |
Which mail header? I don't think there is one that specifies the necessary BIMI information. |
|
It was in reply to @ma3ki |
|
Hello, It seams needed to query live DNS record for some information (as the policy) not present in the header. Regards, |
|
It would be great to support BIMI without requiring paid certification of course :) I looked at the plugin code and its missing all the validation steps. Off the top of my head, the plugin should at least perform the following things: Authentication requirements
Assertion Record Discovery
Indicator Discovery Without Evidence
Indicator Validation
|
|
I agree it needs more validation. Also maybe |
| $res = $client->request('GET', $bimi_url); | ||
| if ( $res->getStatusCode() == 200 && $res->hasHeader('Content-Type') && strcasecmp($res->getHeader('Content-Type')[0], self::MIME_TYPE) == 0) { | ||
| $svg = $res->getBody()->getContents(); | ||
| $svg = rcmail_attachment_handler::svg_filter($svg); |
There was a problem hiding this comment.
Inlining arbitrary SVG into a page without even CSP and iframing equates installing a backdoor into every single message view. Removing a few specific XSS vectors that the filter knows about does not make that safe.
|
@candrews: Can you update your PR with latest BIMI draft version? |
|
I just had thought about this implementation and @ghost comment and recent draft, from user experience point of view which doesn't break the draft standards, I don't think it looks the best when loading multiple avatars for email account and displaying them, it just feels better if there is just one avatar, using following logic, if there is bimi present from the recipient message, current avatar should be replaced with bimi, and then alternative perhaps using gravatar or roundcube addressbook avatars. Here are a relevant snapshots attached below from the bimi draft expiring on the 8th of May 2025. It looks like the indicator can be displayed without evidence, as long as the uri with https transport call was made to retrieve the SVG/SVGZ, Also, size limit is not an issue, and receiver can proceed to display SVG as long as its valid even without evidence. 
Here it touches on personal avatars and BIMI, and it looks like if tag s=bimi is not present, then it should treated as the sender require BIMI to have preference while if was set to personal, then avatar should be used instead of BIMI, therefore its per this PR implementation I think its considered valid BIMI integration, since we still have choice to display personal avatar over BIMI, i.e. don't participate in BIMI whenever we want. 
Lastly, BIMI processing is performed at MTA level and the only thing Roundcube needs to do either need to check message headers, which can be considered the secure way to fetch the SVG and decide whether to display it or not, when BIMI SVG is getting hashed and its hash truncation included in AR headers, otherwise retrieving SVG from DNS records with https call, its too considered safe perhaps safest since this bypasses the risk of message headers modification, and should be considered as the most valid BIMI source, and finally the SVG needs just to be validated and filtered from any other non-SVG tags and per comments, it looks like displaying the SVG via img tag src attribute is safer than displaying it via raw SVG element tag. Also, this bimi validator could be useful, I dont have experience writing code in perl and it would be great if anyone can convert it to PHP package. Also, this package, it might be helpful I recognise that many of the MTAs have not integrated BIMI up until now and difficult to test, but I hope to see this PR closed, with fully rounded plugin ready to include as part Roundcube anytime soon. |
Brand Indicator Message Identification (BIMI) is an industry-wide standards effort to use brand logos as indicators to help email recipients recognize and avoid fraudulent messages.
See: https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/
Closes: #8143