Does SA always do its "own" DKIM check, or can it be told to use an already written trusted AuthservId-written Authentication-Results header, e.g. from OpenDKIM?

Not for DKIM, but by default the SPF plugin will use an Authentication-Results (or Received-SPF) header written by an internal host.

Thanks Bill, I figured that was the case from the flow on my system (it is using upstream SPF but not upstream DKIM). Appreciate the confirmation.


That would be dangerous on a few levels, completely open to fake written headers, you could end up "trusting" a spammer.

It isn't particularly difficult to discriminate between headers that exist when a message arrives at the first internal machine and those written afterwards. If you're aware of a way for a fake Authentication-Results written by an external system to be treated as internal by a properly configured SpamAssassin, please open a bug report.

Yep, been through all of that with making sure SA knows what is internal and external, and what it can trust and not. No issues there.

Simon

--
Simon Wilson
M: 0400 12 11 16
