milter: default PermitAuthenticationOverrides off

Author: flowerysong

CHANGELOG.md

@@ -41,6 +41,7 @@ All notable changes to this project will be documented in this file.
   headers are parsed is built without making you jump through weird hoops.
 - milter - The default behaviour for messages that fail basic validity checks
   (malformed headers, too many headers) is to reject them.
+- milter - `PermitAuthenticationOverrides` defaults to `false`.
 
 ### Removed
 - libopenarc - `arc_mail_parse()`

openarc/openarc.c

@@ -1163,7 +1163,6 @@ arcf_config_new(void)
     }
 
     new->conf_maxhdrsz = DEFMAXHDRSZ;
-    new->conf_overridecv = true;
     new->conf_safekeys = true;
     new->conf_authresip = true;
 

openarc/openarc.conf.5.in

@@ -239,6 +239,11 @@ will be checked.
 Controls whether a previous Authentication-Result with the same
 .Ar authserv-id
 is allowed to override the computed ARC chain validation status.
+The default is
+.Cm false ,
+because this is unsafe unless you have verified that forged
+Authentication-Result headers will be removed before this filter
+processes the message.
 
 .It Cm PidFile Pq string
 Specifies the path to a file that should be created at process start

test/conftest.py

@@ -81,6 +81,7 @@ def milter_config(request, tmp_path, private_key):
         'KeyFile': 'elpmaxe._domainkey.example.com.key',
         'Mode': 'sv',
         'FixedTimestamp': '1234567890',
+        'PermitAuthenticationOverrides': 'true',
         'RequireSafeKeys': 'false',  # tmp is world writeable
     }