On Sun, Nov 11, 2018 at 11:15:39AM +0200, Henrik K wrote: > > Ok I can't wrap my head around this header ordering.. > > I'm using postfix with milter chain opendkim -> opendmarc -> amavisd-milter. > > Here's a sanitized example > > Return-Path: <x...@xxx.com> > X-Original-To: h...@hege.li > X-Spam-Status: ... > Received: from xxx (xxx [1.2.3.4]) > by hege.li (Postfix) with ESMTP id xxxxxxxx > for <h...@hege.li>; Thu, 8 Nov 2018 16:55:03 +0200 (EET) > Authentication-Results: hege.li; dmarc=none (p=none dis=none) header.from=xxx > Authentication-Results: hege.li; spf=pass smtp.mailfrom=xxx > Authentication-Results: hege.li; > dkim=pass (1024-bit key; unprotected) header.d=xxx.com > header.i=@xxx.com header.b=xxx; > dkim-atps=neutral > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; > d=xxx.com; s=s1024; ... > Received: from xxx.com ... > From: Fubar <x...@xxx.com> > > SA doesn't find Authentication-Results from internal headers, since they are > after my internal Received line, thus they are considered external, right? > > Are A-R headers in wrong position, should they be before my own Received > header? Is this the fault of opendkim/dmarc, amavisd-miltes/amavis or > postfix? > > Or should SA find the Authentication-Results headers even if they are after > my internal header? But xxx.com generated DKIM-Signature is there too, so > they surely can't be considered internally added headers? What is the > correct logic here?
Sigh, opendkim and opendmarc are broken.. https://github.com/trusteddomainproject/OpenDKIM/issues/24 https://github.com/trusteddomainproject/OpenDMARC/issues/23 So practically noone can make use the A-R headers unless compiling yourself or some distribution decides to patch them. The developement on these is so darn slow, who knows when official versions are out.. PS. In case someone is curious of opendmarc, check out the patch cluster, I built from this.. http://batleth.sapienti-sat.org/projects/opendmarc/
