Matus UHLAR - fantomas via Postfix-users wrote in
<zdeizvdskmgkq...@fantomas.sk>:
...
|I can now also say that these milters:
|
|pyspf-milter
|opendkim
|opendmarc
|
|(at least their versions in Debian 12)
|
|do NOT remove existing Authentication-Results: and thus this step is
|necessary to avoid possible confusion of mail filters.

I should have been more specific:

the milters above do not remove any Authentication-Results: headers, therefore they keep even an Authentication-Results: header containing the local hostname.

|the "openarc" milter seems to detect and remove offending header.

openarc DOES remove/replace an Authentication-Results: header containing the local hostname, not A-R headers with other hostnames.


On 22.02.24 22:46, Steffen Nurpmeso via Postfix-users wrote:
As a spoken out opponent of this header (*in*my*opinion* a new
flag "V" for the DKIM signature that i then produce would be the
signal that my email infrastructure verified (the) signature(s) on
ingress side of things) as well as of SPF, ARC and DMARC i am
interested in this topic.

However, if i recall correctly, the very sophisticated RFC (that
i read more than one year ago) speaks about trust boundaries or
similar, on the background of an entire reputation system.
Simply removing all instances of this header blows this up, no?

Incoming mail can contain multiple Authentication-Results: headers with different authserv-id values, including the local hostname.
RFC 8601 section 5 requires (MUST) removing headers containing the latter.

I am only removing Authentication-Results: headers that contain $myhostname:

header_checks = pcre:{ {/^Authentication-Results:\s+\Q$myhostname\E[\s;]/ IGNORE} }

so I'm doing exactly what the given RFC orders me to do.
(this was also part of my former questions, if I should remove all such headers or only those with $myhostname)


Other than that i could imagine adding a flag to my maturing
simple DKIM (yet sign-only) milter that removes headers as
configured (Authentication-Results, X-Google-DKIM-Signature,
ARC-Seal, ARC-Signature, elder DKIM-Signature).  Except for the
possible last Authentication-Results (of yourself/your provider)
it rapidly loses its meaning, or already lost it once it arrives.

Since there can be other types of Authentication-Results: headers defined later, and since people may not want/need to use all of the possible milters checking only "their" types, I believe that removing these headers and not relying on spf/dkim/arc/dmarc milters to do that is a good idea.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
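
An added example (not part of the original message and not Postfix code): the same match as the header_checks rule quoted in the message, written in Python and run over a constructed message, to show which Authentication-Results fields the pattern removes and which it leaves. The hostname mx.example.org, the function name and all sample headers are assumptions made for this illustration.

```python
import re

def strip_local_authres(raw_message, local_id):
    """Return (filtered_message, removed_fields) for one RFC 5322 message."""
    head, sep, body = raw_message.partition("\n\n")
    # Rebuild logical header fields: a line starting with space or tab
    # continues the previous field (folded header).
    fields = []
    for line in head.split("\n"):
        if fields and line[:1] in (" ", "\t"):
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    # Same shape as the header_checks pattern in the message: field name,
    # whitespace, the literal hostname (re.escape plays the role of \Q...\E),
    # then whitespace or ';'. IGNORECASE is a choice made for this example.
    pattern = re.compile(
        r"^Authentication-Results:\s+" + re.escape(local_id) + r"[\s;]",
        re.IGNORECASE,
    )
    kept, removed = [], []
    for field in fields:
        (removed if pattern.match(field) else kept).append(field)
    return "\n".join(kept) + sep + body, removed

# Constructed sample: all hostnames are placeholders, not taken from the thread.
SAMPLE = "\n".join([
    "Received: from mail.other.example by mx.example.org; Thu, 22 Feb 2024 22:46:00 +0100",
    "Authentication-Results: mx.example.org; dkim=pass header.d=other.example",
    "Authentication-Results: mx.other.example; spf=pass smtp.mailfrom=other.example",
    "Authentication-Results:",
    " mx.example.org 1; dmarc=pass header.from=other.example",
    "Authentication-Results: mx.example.org.other.example; spf=pass",
    "Authentication-Results: mxXexample.org; dkim=pass",
    "Subject: test",
    "",
    "body text",
])

if __name__ == "__main__":
    filtered, removed = strip_local_authres(SAMPLE, "mx.example.org")
    print(filtered)
    print("removed:", len(removed))
```

The two fields carrying the local authserv-id are dropped, including the folded one with a version number; the field from the other host and the two look-alike hostnames stay, because the hostname is matched literally and must be followed by whitespace or ';'.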