Super. Thank you for all the info :)

Cheers,

Kevin


On 28/06/2021 00:04, David Bürgin wrote:
Kevin N.:
Milters decide themselves where they want to insert headers, by index.
Depending on the order in which milters run, insertion done by one
milter can shift the insertion point of the next milter.

The sendmail milter API that milters use to insert headers has a bit of
an oddity when using index 0 and 1 to insert: Index 0 inserts *before*
the MTA’s ‘Received’ header, index 1 *after*. When all milters use
index 1, headers will be inserted in (reverse) order after the
‘Received’ header. However, when just one milter uses index 0, all
subsequent milters using index 1 also insert *before* the MTA’s
‘Received’ header. (For details see doc for ‘smfi_insheader’.) This is
what I would guess is happening in your case.

I definitely need to take a closer look at the 'smfi_insheader' docs.

I forgot the main bit of my explanation. So: If your spf-milter inserts
at index 0 and your dkim-milter inserts at index 1, then the header
order behaviour that you showed is exactly as expected.

By the way, RFC 8601 says that ‘Authentication-Results’ headers should
be inserted *before* the MTA’s ‘Received’ header.

I totally missed this part while I was skimming through the RFC.

So, just to make sure that I understand this correctly, the order of the
"Authentication-Results" headers does matter. Correct?

RFC 8601 seems to give significance to the relative ordering of
‘Authentication-Results’ and ‘Received’ headers.

If it is OpenDKIM you’re talking about, you may be interested in this recent
change request to fix this and make it consistent:

https://github.com/trusteddomainproject/OpenDKIM/pull/126

Yes, I was talking about OpenDKIM. I forgot to mention that in my initial
mail.

I'll take a look at the pull request. Thanks for pointing this out :)


Personally I prefer to do SPF before DKIM. Because SPF looks at envelope
information, which comes before the data, it seems more logical to check
that first.

This actually makes a lot of sense now that you mentioned it :) .
But in this case, can there be a situation in which the
"Authentication-Results" header added by the SPF check could mess up the
DKIM signature check?

From what I read, in certain situations, milters running before the milter
that does the DKIM check could add headers that would mess up the DKIM
signature check.

Is it safe to assume that the "Authentication-Results" header added by the
SPF check is *not* such a case? Or am I misunderstanding this completely :) ?

I hadn’t thought about this in detail but checked quickly. RFC 6376,
sections 5.4.1 and 5.4.2 make it clear that this is not a problem.

Cheers,
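
The header selection rule from RFC 6376 section 5.4.2 referred to above, as an added example that is not part of the original thread and is not OpenDKIM's code: for each name in the signature's h= tag, the bottom-most unused instance is taken, so a header prepended by an earlier milter does not change what the verifier hashes unless its name is listed in h=. The function names and the sample message are constructed for illustration; canonicalization and hashing are left out.

```python
def select_signed_headers(headers, h_tag):
    """Pick the header instances covered by a DKIM signature.

    headers: list of (name, value) tuples, top of the message first.
    h_tag:   header names from the signature's h= tag, in order.
    A name with no unused instance left contributes nothing (null input).
    """
    unused = {}  # lowercased name -> indices of unused instances, top to bottom
    for index, (name, _) in enumerate(headers):
        unused.setdefault(name.lower(), []).append(index)
    selected = []
    for name in h_tag:
        indices = unused.get(name.lower())
        if indices:
            selected.append(headers[indices.pop()])  # bottom-most unused instance
    return selected


def prepend(headers, name, value):
    """Model a milter or MTA adding a header at the top of the message."""
    return [(name, value)] + headers


# Constructed sample message as it looked when it was signed.
MESSAGE = [
    ("Received", "from client.example.org by mail.example.org"),
    ("From", "alice@example.org"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
    ("Date", "Mon, 28 Jun 2021 00:04:00 +0200"),
]
H_TAG = ["from", "to", "subject", "date"]

# The SPF milter runs first and prepends its result (constructed value).
WITH_SPF_RESULT = prepend(
    MESSAGE, "Authentication-Results",
    "mx.example.net; spf=pass smtp.mailfrom=example.org")

# A later hop prepends its own Received header above the signed one.
WITH_NEW_RECEIVED = prepend(MESSAGE, "Received", "from mail.example.org by mx.example.net")

if __name__ == "__main__":
    same = select_signed_headers(MESSAGE, H_TAG) == select_signed_headers(WITH_SPF_RESULT, H_TAG)
    print("selection unchanged after SPF result was prepended:", same)
```
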

