On Wed, 18 Nov 2015 16:10:13 +0200 Elod G wrote: > I am using Spamassassin 3.4.0 called by spamass-milter with Postfix > 2.11 on Ubuntu 14.04. I can't get SA to recognize Auth-results > headers added by policyd-spf, a Postfix policy server. > If I run SA with -D -lint with the message source (as received) piped > into it, it works and the headers are recognized and used. > However, when called through the milter SPF checks are (re)done by SA. > Looking at > /usr/share/perl5/Mail/SpamAssassin/Plugin/SPF.pm > it seems that > my @internal_hdrs = split("\n", $scanner->get('ALL-INTERNAL')); > is parsed for Auth-results and it doesn't find anything. In fact, it > seems that ALL-INTERNAL only has 3 headers: X-Envelope-From, > X-Envelope-To and Received. > > Changing to ALL makes it work,
Do you mean that it works in the milter on new mail without a pre-exiting Received-SPF header? For it to work the SPF header presumably needs to be above the MX Received header. From what you've written it works correctly when rescanning delivered mail, but not in the milter, unless external headers are allowed. That suggests that the SPF header and the Received header are in the opposite order in the milter copy compared with the final delivered version. I don't know much about Postfix; is that possible? > but I was wondering what are the security implications It should be OK, if you have: use_newest_received_spf_header 1