On Mon, Mar 09, 2015 at 05:27:21AM +0100, Sebastian Nielsen wrote:

> Did split up the OpenDKIM process into 2 instances, one running as verifier,
> placed before any content modification, and one running as signer, placed
> after any content modification.
> I also moved the SPF signature validator to the instance before content
> modification. That was not because SPF signatures have to do with content,
> rather it was because the old SPF signature validator I had was a policy
> script checking against MAIL FROM. The new SPF signature validator checks
> against the "From:" MIME header, which raises security, but milters do not
> get access to the XFORWARD client IP, thus I had to move the milter to "the
> front" so it sees the real IP.

SPF is not a signature protocol. SPF is *supposed* to check the envelope sender and NOT the author. Applying SPF to message headers was SenderID, which interoperated with mailing lists by matching "Sender" when present.

With rampant misuse of SPF records, I neither publish nor check SPF records. Good luck.

-- 
	Viktor.