On 5/23/22 13:51, post...@ptld.com wrote:
Rejects a command is if something in that milter returns a reject response
code like 4xx or 5xx. If dkim runs first before dmarc, and dkim issues a
5xx reject causing the email to be rejected by postfix, then that's it,
...
On 23.05.22 19:31, James Feeney wrote:
Hmm - possibly I do not understand exactly how a milter responds to
Postfix. Does a milter only "return a response code"?
it's in the milter protocol, admins usually don't need to know this.
My understanding has been that a milter can also *modify* a mail message,
including both the message body and the message headers. And then, what
version of a mail message will a subsequent milter "see" after a preceding
milter has acted upon the mail message?
subsequent milters will see message as modified with previous milter.
I for example run spf, dkim and dmarc milters in this order, to dmarc
milter sees headers added by previous milters to decide if message passes or
not.
And then, a DKIM milter is, perhaps, unusual, in the sense that it may
either - or both? - "sign" a mail message, and also "verify" a mail
message.
it's up to milter, e.g. opendkim in validating mode verifies if DKIM is valid
and adds Authentication-Results: header and in signing mode it creates
DKIM signature and adds DKIM-Signature: header.
What happens to a mail message passing through a sequence of two DKIM
milters, neither of which "rejects" the message - or rather, does a second
DKIM milter process a mail message "as modified" by a preceding DKIM
milter?
yes.
Or, does each DKIM milter *always* issue some kind of "accept" or "reject"
response code, regardless of whether it is "signing" or "verifying"?
this is milter protocol
What I'm wondering is, is it possible - or even reasonable - to have
OpenDKIM "sign" outgoing messages, and have Rspand "verify" incoming
messages? Or, that's not going to work?
since milters run when message is received, every message processed by
milter is by definition incoming.
note that when you submit message to postfix, it's "incoming".
opendkim has ways to decide when the message is to be signed, check its
docs.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
