>On Wed, 31 May 2023, Matus UHLAR - fantomas wrote:
>>milter adds its own synthesized Received: header at the very beginning,
>>which is most possibly the correct reason. spamass-milter should
>>add this header behind locally added Authentication-Results:
>>headers, but it needs a change in spamass-milter.

On 31.05.23 09:19, Dave Funk wrote:
>tl;dr if those 'Authentication-Results: headers' are generated by the
>MTA itself the milter may not ever see them.
>
>Which agent in the whole MTA system is adding those
>'Authentication-Results: headers'?
>Is it the master MTA itself (EG: postfix or sendmail) or is it some
>other milter component?

Headers are added by previous milter components.

>A milter can only work with what it's handed by the master MTA, if the
>Authentication-Results: headers aren't in its input stream then it
>cannot work with them.
>
>In the original sendmail incarnation of the milter API it was designed
>so that a milter received the message input stream -before- local
>headers were added, thus the need for spamassassin 'glue' milters to
>do that Received: header synthesis.

This is what spamass-milter does. It does see headers added by former
milters, but not yet the Received: header added by local postfix, so it must
synthesize one.

This is documented and consistent with sendmail functionality:

http://www.postfix.org/MILTER_README.html#when-inspect

>If those Authentication-Results: headers are being generated by
>another milter then the solution is easy, just set the MTA
>configuration to run that milter before the spamassassin 'glue'
>milter. Milter results are chained so any headers explicitly added by
>one milter are passed on to succeeding milters.
>
>If those headers are being generated by the MTA then it may not be
>possible for milters to see them without hacking the MTA itself.

The problem is that spamass-milter generates the Received: header as the
first of the headers, before the Authentication-Results: added by other milters.
So, while spamassassin does see those headers, it does not trust them.

One possible fix is to add Received: headers AFTER locally added
Authentication-Results, which requires parsing those headers and only
trusting those that match local hostname (and hope they don't come fake).

Another possible fix is to add local Received: header by postfix and not
spamass-milter. This requires changing both postfix and spamass-milter.
This would otoh make those headers fully trusted, but incompatible with
sendmail.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS$\*.*
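
The header-ordering problem discussed in this message, as an added example that is not part of the original thread and is not spamass-milter or SpamAssassin code. It assumes a simplified trust rule (only Authentication-Results: headers above the topmost Received: header, carrying the local authserv-id, are trusted); the hostname mx.example.org and all sample headers are constructed.

```python
from email import message_from_string


def trusted_auth_results(raw_message, local_id):
    """Return the Authentication-Results values a filter may trust.

    Simplified rule assumed for this example: a header is trusted only if it
    sits above the topmost Received: header (so it was added locally) and its
    authserv-id equals local_id.
    """
    msg = message_from_string(raw_message)
    trusted = []
    for name, value in msg.items():        # items() keeps top-to-bottom order
        lname = name.lower()
        if lname == "received":
            break                          # headers below this crossed a hop
        if lname == "authentication-results":
            # authserv-id is the first token before the first ';' (RFC 8601)
            tokens = value.split(";", 1)[0].split()
            if tokens and tokens[0].lower() == local_id.lower():
                trusted.append(" ".join(value.split()))
    return trusted


# Constructed sample headers (not taken from the thread).
LOCAL_AR = ("Authentication-Results: mx.example.org; "
            "dkim=pass header.d=example.net\n")
FORGED_AR = ("Authentication-Results: mx.example.org; "
             "spf=pass smtp.mailfrom=forged.example\n")   # sent by the client
SYNTH_RCVD = ("Received: from client.example.net (client.example.net "
              "[192.0.2.10])\n\tby mx.example.org; "
              "Wed, 31 May 2023 09:19:00 +0200\n")
ORIGINAL = "From: sender@example.net\nSubject: test\n\nbody\n"

# Order described in the thread: synthesized Received: first, then the
# header added by the earlier milter, then the message as received.
CURRENT_ORDER = SYNTH_RCVD + LOCAL_AR + FORGED_AR + ORIGINAL
# Order of the first proposed fix: Received: after the local header.
PROPOSED_ORDER = LOCAL_AR + SYNTH_RCVD + FORGED_AR + ORIGINAL

if __name__ == "__main__":
    print("current :", trusted_auth_results(CURRENT_ORDER, "mx.example.org"))
    print("proposed:", trusted_auth_results(PROPOSED_ORDER, "mx.example.org"))
```

With the current order the locally added header and the client-supplied one both sit below the Received: line and cannot be told apart by position; with the proposed order only the local one lands above it.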