Hi Kevin,

> I am using two milters to check incoming mail for DKIM signatures and SPF
> records. They are specified in main.cf using the "smtpd_milters" parameter.
>
> Now, when I place the DKIM milter before the SPF milter, like so:
>
> smtpd_milters = inet:dkim-milter-host:port, inet:spf-milter-host:port
>
> the final delivered message headers will look like:
>
> Received: from <MY-RECEIVER> ...
> Authentication-Results: <MY-RECEIVER-SPF> ...
> Received: from <REMOTE-SENDER> ...
> Authentication-Results: <MY-RECEIVER-DKIM> ...
> Authentication-Results: <REMOTE-SENDER> auth=pass (login)
>
> (note the <REMOTE-SENDER> "Received" header between the two <MY-RECEIVER>
> "Authentication-Results" headers)
>
> When I place the SPF milter before the DKIM milter, like so:
>
> smtpd_milters = inet:spf-milter-host:port, inet:dkim-milter-host:port
>
> the final delivered message headers will look like:
>
> Received: from <MY_RECEIVER> ...
> Authentication-Results: <MY_RECEIVER-SPF> ...
> Authentication-Results: <MY_RECEIVER-DKIM> ...
> Received: from <REMOTE-SENDER> ...
> Authentication-Results: <REMOTE-SENDER> auth=pass (login)
>
> (no <REMOTE-SENDER> "Received" header between the two <MY-RECEIVER>
> "Authentication-Results" headers)

Here is the very technical explanation for your observation.

Milters decide themselves where they want to insert headers, by index.
Depending on the order in which milters run, insertion done by one
milter can shift the insertion point of the next milter.

The sendmail milter API that milters use to insert headers has a bit of
an oddity when using index 0 and 1 to insert: Index 0 inserts *before*
the MTA’s ‘Received’ header, index 1 *after*.

When all milters use index 1, headers will be inserted in (reverse)
order after the ‘Received’ header. However, when just one milter uses
index 0, all subsequent milters using index 1 also insert *before* the
MTA’s ‘Received’ header. (For details see doc for ‘smfi_insheader’.)

This is what I would guess is happening in your case.

By the way, RFC 8601 says that ‘Authentication-Results’ headers should
be inserted *before* the MTA’s ‘Received’ header. If it is OpenDKIM
you’re talking about, you may be interested in this recent change
request to fix this and make it consistent:
https://github.com/trusteddomainproject/OpenDKIM/pull/126

> 1. Is there a situation in which the order of the "Authentication-Results"
> header matters?
>
> I tend to think not, since the ones set by the remote MTA and the ones set
> by my milter should be distinguishable based on the "authserv-id" field.
> Is this correct?
>
> 2. For incoming mail, I like to place the DKIM milter first, before any
> other milter has the chance to change relevant headers.

Personally I prefer to do SPF before DKIM. Because SPF looks at envelope
information, which comes before the data, it seems more logical to check
that first.

> But I think in this particular case it would not matter if SPF is performed
> before DKIM, since as far as I know the Authentication-Results header is
> generally not included in the DKIM signature. So basically the SPF
> authentication header added by my milter should not affect the DKIM
> signature check on the incoming message.
> Is this correct?
>
> 3. From what I've read, the milters are called in the order they are
> specified.
>
> But does that mean that for each SMTP event Postfix will call the milters in
> the specified order? Or does it mean that it will call and wait until the
> first milter finishes processing all SMTP events and then it moves on to the
> next milter from the list?
>
> As far as I can tell it is the first case (otherwise, I guess that in my
> particular case, when the SPF milter is placed after the DKIM milter this
> should be reflected in the order of the auth results headers. But in my case
> the SPF auth results header is always placed before the DKIM auth results
> header). I'm not sure the second case would even make sense with the SMTP
> protocol :) .
>
> Do I understand this correctly?

Ciao,

--
David
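
Added example (not part of David's reply and not Postfix or OpenDKIM code): a Python check that reports, for each Authentication-Results header, how many Received headers sit above it, run over the two header layouts quoted above. The host names, the two sample messages and the function names are constructed for illustration.

```python
from email import message_from_string

def authserv_id(value):
    """The authserv-id is the first token of the value, before the first ';'."""
    tokens = value.split(";", 1)[0].split()
    return tokens[0].lower() if tokens else ""

def auth_results_positions(raw_message):
    """Return [(authserv-id, Received headers above it)], top to bottom."""
    received_above, positions = 0, []
    for name, value in message_from_string(raw_message).items():
        if name.lower() == "received":
            received_above += 1
        elif name.lower() == "authentication-results":
            positions.append((authserv_id(value), received_above))
    return positions

def local_results_split(raw_message, local_ids):
    """True if a Received header separates the local Authentication-Results."""
    depths = {d for sid, d in auth_results_positions(raw_message) if sid in local_ids}
    return len(depths) > 1

# Constructed authserv-ids standing in for <MY-RECEIVER-SPF> / <MY-RECEIVER-DKIM>.
LOCAL_IDS = {"spf.mx.example.net", "dkim.mx.example.net"}

# Constructed message: header layout reported with the DKIM milter listed first.
DKIM_MILTER_FIRST = """\
Received: from mx.example.net by store.example.net
Authentication-Results: spf.mx.example.net; spf=pass
Received: from mail.sender.example by mx.example.net
Authentication-Results: dkim.mx.example.net; dkim=pass
Authentication-Results: mail.sender.example; auth=pass (login)

body
"""

# Constructed message: header layout reported with the SPF milter listed first.
SPF_MILTER_FIRST = """\
Received: from mx.example.net by store.example.net
Authentication-Results: spf.mx.example.net; spf=pass
Authentication-Results: dkim.mx.example.net; dkim=pass
Received: from mail.sender.example by mx.example.net
Authentication-Results: mail.sender.example; auth=pass (login)

body
"""

if __name__ == "__main__":
    for label, raw in (("dkim first", DKIM_MILTER_FIRST), ("spf first", SPF_MILTER_FIRST)):
        print(label, auth_results_positions(raw), local_results_split(raw, LOCAL_IDS))
```

Running the same check on delivered test mail after changing the smtpd_milters order shows whether the local headers ended up together or were separated by a Received header.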