You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by Henrik K <he...@hege.li> on 2018/11/11 09:15:39 UTC

Received header order

Ok I can't wrap my head around this header ordering..

I'm using postfix with milter chain opendkim -> opendmarc -> amavisd-milter.

Here's a sanitized example

Return-Path: <xx...@xxx.com>
X-Original-To: hege@hege.li
X-Spam-Status: ...
Received: from xxx (xxx [1.2.3.4])
        by hege.li (Postfix) with ESMTP id xxxxxxxx
        for <he...@hege.li>; Thu,  8 Nov 2018 16:55:03 +0200 (EET)
Authentication-Results: hege.li; dmarc=none (p=none dis=none) header.from=xxx
Authentication-Results: hege.li; spf=pass smtp.mailfrom=xxx
Authentication-Results: hege.li;
        dkim=pass (1024-bit key; unprotected) header.d=xxx.com header.i=@xxx.com header.b=xxx;
        dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=xxx.com; s=s1024; ...
Received: from xxx.com ...
From: Fubar <xx...@xxx.com>

SA doesn't find Authentication-Results from internal headers, since they are
after my internal Received line, thus they are considered external, right?

Are A-R headers in wrong position, should they be before my own Received
header?  Is this the fault of opendkim/dmarc, amavisd-miltes/amavis or
postfix?

Or should SA find the Authentication-Results headers even if they are after
my internal header?  But xxx.com generated DKIM-Signature is there too, so
they surely can't be considered internally added headers?  What is the
correct logic here?

Re: Received header order

Posted by Henrik K <he...@hege.li>.

On Sun, Nov 11, 2018 at 11:15:39AM +0200, Henrik K wrote:
> 
> Ok I can't wrap my head around this header ordering..
> 
> I'm using postfix with milter chain opendkim -> opendmarc -> amavisd-milter.
> 
> Here's a sanitized example
> 
> Return-Path: <xx...@xxx.com>
> X-Original-To: hege@hege.li
> X-Spam-Status: ...
> Received: from xxx (xxx [1.2.3.4])
>         by hege.li (Postfix) with ESMTP id xxxxxxxx
>         for <he...@hege.li>; Thu,  8 Nov 2018 16:55:03 +0200 (EET)
> Authentication-Results: hege.li; dmarc=none (p=none dis=none) header.from=xxx
> Authentication-Results: hege.li; spf=pass smtp.mailfrom=xxx
> Authentication-Results: hege.li;
>         dkim=pass (1024-bit key; unprotected) header.d=xxx.com header.i=@xxx.com header.b=xxx;
>         dkim-atps=neutral
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=xxx.com; s=s1024; ...
> Received: from xxx.com ...
> From: Fubar <xx...@xxx.com>
> 
> SA doesn't find Authentication-Results from internal headers, since they are
> after my internal Received line, thus they are considered external, right?
> 
> Are A-R headers in wrong position, should they be before my own Received
> header?  Is this the fault of opendkim/dmarc, amavisd-miltes/amavis or
> postfix?
> 
> Or should SA find the Authentication-Results headers even if they are after
> my internal header?  But xxx.com generated DKIM-Signature is there too, so
> they surely can't be considered internally added headers?  What is the
> correct logic here?

Sigh, opendkim and opendmarc are broken..

https://github.com/trusteddomainproject/OpenDKIM/issues/24
https://github.com/trusteddomainproject/OpenDMARC/issues/23

So practically noone can make use the A-R headers unless compiling yourself
or some distribution decides to patch them.  The developement on these is so
darn slow, who knows when official versions are out..

PS. In case someone is curious of opendmarc, check out the patch cluster,
I built from this..  http://batleth.sapienti-sat.org/projects/opendmarc/