On 23.05.22 19:31, James Feeney wrote:
My understanding has been that a milter can also *modify* a mail message,
including both the message body and the message headers. And then, what
version of a mail message will a subsequent milter "see" after a
preceding milter has acted upon the mail message?
On 5/24/22 03:36, Matus UHLAR - fantomas wrote:
subsequent milters will see message as modified with previous milter.
On 24.05.22 08:12, James Feeney wrote:
That simple but important point seems to be missing from the Postfix
"Milter Readme".
What I'm wondering is, is it possible - or even reasonable - to have
OpenDKIM "sign" outgoing messages, and have Rspamd "verify" incoming
messages? Or, that's not going to work?
since milters run when message is received, every message processed by milter
is by definition incoming.
Ah! Ok - so Postfix - the Milter Protocol - does not directly provide any
information about "outgoing". Hmm - I suppose that, still, a milter could
always compare the RCPT TO with its own idea of the "local" domain...
the master.cf commented definitions for "smtps/submissions" and "submission"
services contain line
# -o milter_macro_daemon_name=ORIGINATING
that should help milter to understand that the mail is "outgoing" since it
was submitted using service where authentication is mandatory.
You can also specify different set of milters for these services, e.g. skip
dmarc and SPF checking (dkim may be still wanted if it signs)
opendkim afaik does not use this macro (I don't know which milters do)
and how opendkim decides if it signs the mail is described in its manual
page.
finally, you can specify different milters if you use multi-instance setup
http://www.postfix.org/MULTI_INSTANCE_README.html
note that when you submit message to postfix, it's "incoming".
That's very useful! Still, Postfix itself distinguishes "sender", "relay",
and "recipient", and has its own notion of "mynetworks" and "mydomain".
Apparently, then, those distinctions, by Postfix, are not incorporated
directly into the Milter Protocol.
they are mostly irrelevant when mail is processed by milter
opendkim has ways to decide when the message is to be signed, check its docs.
Ok - I see, man 5 opendkim.conf has:
Domain (dataset)
A set of domains whose mail should be signed by this filter. *Mail
from other domains will be verified rather than being signed.*
[Emphasis added]
So, this "incoming/outgoing" distinction is all up to the milter itself -
in a sense, "redundantly", with respect to Postfix - and nothing to do
with Postfix directly. And then, each milter in a sequence will be
separately required to establish its own references.
Again, another simple but important point that should be incorporated into
the Postfix "Milter Readme". The barest outlines of the Milter Protocol
are missing there.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]
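
The per-service milter setup discussed in this thread, as an added configuration sketch that is not part of the original messages: the port 25 service hands mail to a verifying milter, while the authenticated submission service sets the ORIGINATING daemon name and hands mail only to the signing milter. The socket addresses, the domain, the selector and the key path are assumed placeholder values.

```conf
# ---- /etc/postfix/main.cf ------------------------------------------
# Default milter list, inherited by every smtpd service that does not
# override it (here: the public port 25 listener).
# Assumed address of the verifying milter (e.g. Rspamd's milter socket).
smtpd_milters = inet:127.0.0.1:11332

# ---- /etc/postfix/master.cf ----------------------------------------
# Port 25: no overrides, so it uses smtpd_milters from main.cf.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: authentication is mandatory, so mail arriving here can be
# treated as "outgoing". The -o lines replace the main.cf values for
# this service only: a different daemon name macro and a different
# milter list (assumed address of the OpenDKIM socket).
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:127.0.0.1:8891

# ---- /etc/opendkim.conf --------------------------------------------
# Must match the address used in the submission override above.
Socket     inet:8891@127.0.0.1
# Per opendkim.conf(5): mail from these domains is signed, mail from
# other domains is verified rather than signed.
Domain     example.org
# Placeholder selector and key location.
Selector   mail
KeyFile    /etc/opendkim/keys/example.org/mail.private
```

After reloading Postfix, `postconf -P submission/inet/smtpd_milters` prints the override that is in effect for the submission service.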