Hello everybody,
I am using two milters to check incoming mail for DKIM signatures and
SPF records. They are specified in main.cf using the "smtpd_milters"
parameter.
Now,
when I place the DKIM milter before the SPF milter, like so:
smtpd_milters = inet:dkim-milter-host:port, inet:spf-milter-host:port
the final delivered message headers will look like:
Received: from <MY-RECEIVER> ...
Authentication-Results: <MY-RECEIVER-SPF> ...
Received: from <REMOTE-SENDER> ...
Authentication-Results: <MY-RECEIVER-DKIM> ...
Authentication-Results: <REMOTE-SENDER> auth=pass (login)
(note the <REMOTE-SENDER> "Received" header between the two
<MY-RECEIVER> "Authentication-Results" headers)
When I place the SPF milter before the DKIM milter, like so:
smtpd_milters = inet:spf-milter-host:port, inet:dkim-milter-host:port
the final delivered message headers will look like:
Received: from <MY_RECEIVER> ...
Authentication-Results: <MY_RECEIVER-SPF> ...
Authentication-Results: <MY_RECEIVER-DKIM> ...
Received: from <REMOTE-SENDER> ...
Authentication-Results: <REMOTE-SENDER> auth=pass (login)
(no <REMOTE-SENDER> "Received" header between the two <MY-RECEIVER>
"Authentication-Results" headers)
1. Is there a situation in which the order of the
"Authentication-Results" header matters?
I tend to think not, since the ones set by the remote MTA and the ones
set by my milter should be distinguishable based on the "authserv-id" field.
Is this correct?
2. For incoming mail, I like to place the DKIM milter first, before any
other milter has the chance to change relevant headers.
But I think in this particular case it would not matter if SPF is
performed before DKIM, since as far as I know the Authentication-Results
header is generally not included in the DKIM signature. So basically the
SPF authentication header added by my milter should not affect the DKIM
signature check on the incoming message.
Is this correct?
3. From what I've read, the milters are called in the order they are
specified.
But does that mean that for each SMTP event Postfix will call the
milters in the specified order? Or does it mean that it will call and
wait until the first milter finishes processing all SMTP events and then
it moves on to the next milter from the list?
As far as I can tell it is the first case (otherwise, i guess that in my
particular case, when the SPF milter is placed after the DKIM milter
this should be reflected in the order of the auth results headers. But
in my case the SPF auth results header is always places before the DKIM
auth results header). I'm not sure the second case would even make sense
with the SMTP protocol :) .
Do I understand this correctly?
Cheers,
Kevin.
