On 2023-12-13 at 13:06:36 UTC-0500 (Wed, 13 Dec 2023 19:06:36 +0100)
Jiri Bourek via Postfix-users <bou...@thinline.cz>
is rumored to have said:

> On 11. 12. 23 1:04, Wietse Venema via Postfix-users wrote:
>>
>> Confirmed. A preliminary fix is below. This will prepend the
>> Received-SPF from the policy service after the Postfix-generated
>> Received: header and before the received message.
>>
>> With this fix, a Milter can replace a PREPENDed Received-SPF: header
>> as one would expect.
>>
>> This change is a bit invasive as it changes the message layout,
>> which is not needed if a configuration does not use Milters.
>>
>
> Will this not cause breakages in other programs though? With the current 
> behaviour, you can easily determine that a header was added by some local 
> (own) program and consider it trustworthy. Any header below own Received: is 
> controlled by the sender and can contain fake information.
>
> SpamAssassin comes to mind as an example. I would need to re-check but I think 
> it only considers Received-SPF to be trustworthy, if it's above own Received 
> header (trusted/internal network relays come into play here but let's stick 
> with the simple case)

[dons SA contributor hat...] Generally speaking, correct. Technically it needs 
to be above/before the last trusted Received header. It should be possible to 
construct rules to identify one's own authentication headers and score 
appropriately, if you feel that necessary. In my opinion that's not worthwhile 
because SA will do its own SPF check and if something else has just done the 
needed DNS queries, they'll still be in cache. Very fast.



-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
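
The positional trust rule discussed in this thread, as an added example (not SpamAssassin or Postfix code, and not written by anyone in the thread): a `Received-SPF:` header is accepted only when it sits above the last `Received:` header written by a trusted host. The function names, the `trusted_networks` parameter, the hostnames and the sample messages are constructed; the code assumes Postfix-style `Received:` headers and that the top-most `Received:` was written by the local MTA.

```python
import email
import ipaddress
import re

# Postfix writes "from HELO (rdns [ip])"; only the parenthesised IP is observed
# by the MTA, the HELO part is chosen by the client (assumed header format).
CLIENT_IP = re.compile(r"\(\S+ \[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")

def is_trusted(ip_text, trusted_networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in trusted_networks)

def classify_received_spf(raw_message, trusted_networks=()):
    """Return [(trusted, value)] for every Received-SPF header, top to bottom."""
    msg = email.message_from_string(raw_message)
    headers = [(n.lower(), " ".join(v.split())) for n, v in msg.items()]
    boundary = -1  # index of the last Received header written by a trusted host
    for i, (name, value) in enumerate(headers):
        if name != "received":
            continue
        boundary = i
        m = CLIENT_IP.search(value)
        if not m or not is_trusted(m.group(1), trusted_networks):
            break  # client is external: everything below arrived with the message
    return [(i < boundary, v) for i, (n, v) in enumerate(headers)
            if n == "received-spf"]

# Constructed sample headers (documentation addresses and example domains).
OWN = ("Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
       "\tby mx.example.org (Postfix) with ESMTP id 4SrABC1xyz\n"
       "\tfor <user@example.org>; Wed, 13 Dec 2023 19:00:00 +0100 (CET)\n")
LOCAL_SPF = "Received-SPF: pass (added by local policy service)\n"
SENDER = ("Received-SPF: pass (supplied by sender)\n"
          "From: someone@example.net\nSubject: test\n\nbody\n")
CURRENT_LAYOUT = LOCAL_SPF + OWN + SENDER   # policy header above own Received:
PATCHED_LAYOUT = OWN + LOCAL_SPF + SENDER   # policy header below own Received:

if __name__ == "__main__":
    for label, raw in (("current", CURRENT_LAYOUT), ("patched", PATCHED_LAYOUT)):
        print(label, classify_received_spf(raw))
```

With the header below the local `Received:` line, a position-only check can no longer tell the policy service's result from one that arrived with the message, which is the concern raised in the quoted reply.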
