Insert initial headers like Authentication-Results before the MTA’s Received header #126

Closed

glts wants to merge 1 commit into trusteddomainproject:develop from glts:insheader
@glts glts commented May 20, 2021

The proposed change moves the generated Authentication-Results (et al.) header before the MTA’s Received header. This is achieved by calling the milter library’s smfi_insheader function with index 0 instead of 1, patch provided by @fanto666. This fixes #24.

The Authentication-Results header is specified in RFC 8601. It is a trace header field and therefore expected to come before the Received header. See the explicit requirements on this in sections 4 and 7.1 of RFC 8601, and also the numerous examples in appendix B:

> For MTAs that add this header field, adding header fields in order (at the top), per Section 3.6 of [MAIL], is particularly important. Moreover, this header field SHOULD be inserted above any other trace header fields such MTAs might prepend. This placement allows easy detection of header fields that can be trusted.

> 1. On the presumption that internal MTAs are fully compliant with Section 3.6 of [MAIL] and the compliant internal MTAs are using their own hostnames or the ADMD's DNS domain name as the authserv-id token, this header field should always appear above a Received header added by a trusted MTA. This can be used as a test for header field validity.

Other software such as SpamAssassin also assumes that trusted Authentication-Results headers come before the trusted Received header.

Index 0 inserts before the MTA's Received header. Patch by @fanto666.
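
The positional validity test quoted from RFC 8601 section 7.1 above, sketched as an added example (not part of this PR or of OpenDKIM's code). The host `mx.example.org`, the function name and both sample messages are constructed assumptions; the two samples model a milter inserting at index 0 and at index 1.

```python
import re
from email import message_from_string

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)  # host in the Received "by" clause

def trusted_auth_results(raw, trusted_host):
    """Return Authentication-Results values that carry trusted_host as
    authserv-id AND sit above the first Received header written by it."""
    trusted_host = trusted_host.lower()
    found = []
    for name, value in message_from_string(raw).items():
        field = name.lower()
        if field == "received":
            by = BY_RE.search(value)
            if by and by.group(1).lower() == trusted_host:
                return found  # trust boundary: ignore everything below
        elif field == "authentication-results":
            authserv_id = value.split(";", 1)[0].split()
            if authserv_id and authserv_id[0].lower() == trusted_host:
                found.append(" ".join(value.split()))
    return []  # assumption: without a trusted Received header, trust nothing

# Constructed sample messages; mx.example.org is a hypothetical border MTA.
RECEIVED = ("Received: from mail.example.com (mail.example.com [192.0.2.1])\n"
            "\tby mx.example.org (Postfix) with ESMTPS id 4FkQ1;\n"
            "\tThu, 20 May 2021 10:00:00 +0000 (UTC)\n")
LOCAL_AR = "Authentication-Results: mx.example.org; dkim=fail header.d=example.com\n"
# Arrived with the message, so it sits below the MTA's Received header.
INBOUND_AR = "Authentication-Results: mx.example.org; dkim=pass header.d=example.com\n"
REST = "From: a@example.com\nSubject: test\n\nbody\n"

PREPENDED = LOCAL_AR + RECEIVED + INBOUND_AR + REST    # milter inserted at index 0
AFTER_FIRST = RECEIVED + LOCAL_AR + INBOUND_AR + REST  # milter inserted at index 1

if __name__ == "__main__":
    print(trusted_auth_results(PREPENDED, "mx.example.org"))
    print(trusted_auth_results(AFTER_FIRST, "mx.example.org"))
```

With index 1 the locally generated header lands below the trust boundary, so a consumer applying this test cannot tell it apart from one that arrived with the message and discards both.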
futatuki commented Sep 9, 2024

With this change, with old postfix (2.10) and old libmilter (8.14.7), opendmarc milter cannot get AR headers added by opendkim.

However, after rebuilding opendkim and opendmarc with libmilter 8.18.1, even with this PR patch applied, opendmarc can get AR headers.

I guess this is related to the change on sendmail 8.17.2.
From RELEASE_NOTE in sendmail-8.18.1:

8.17.2/8.17.2   2023/06/03
...
        LIBMILTER: The macros for the EOH and EOM callbacks are
                sent in reverse order which means accessing macros
                in the EOM callback got the macro for the EOH
                callback. Store those macros in the expected order
                in libmilter. Note: this does not affect sendmail
                because the macros for both callbacks are the same
                because the message is sent to libmilter after it
                is completely read by sendmail.  Fix and problem
                report from David Buergin.
...

@futatuki

> However, after rebuilding opendkim and opendmarc with libmilter 8.18.1, even with this PR patch applied, opendmarc can get AR headers.

This was incorrect. Even with the libmilter bundled in sendmail-8.18.1, in our CentOS 7 environment (postfix 2.10, sendmail-milter 8.18.1, opendkim including this change), the opendmarc milter after the opendkim milter cannot get the Authentication-Results: header generated by the opendkim milter. (The result in my previous comment was caused by my mistake: when I rebuilt opendkim with the newer libmilter, I applied a patch reverting this change. I'm very sorry.)

In another environment, with Postfix 3.9.0, and with sendmail 8.18.1 on FreeBSD, opendmarc can get the AR header from the preceding opendkim.

@thegushi
Collaborator

Applied cleanly in PR #346 with updated commit message crediting you and @fanto666. Thanks for the patch.

@thegushi thegushi closed this May 25, 2026
thegushi added a commit that referenced this pull request May 25, 2026
RFC 8601 sections 4 and 7.1 require Authentication-Results to be
inserted before the MTA's Received header.  SpamAssassin and other
verifiers also rely on this ordering to determine which AR headers
can be trusted.

Change all dkimf_insheader() calls from index 1 to index 0 so that
Authentication-Results, DKIM-Signature, VBR-Info, and X-OpenDKIM
headers are prepended before existing headers rather than inserted
after the first one.

Patch originally by @glts (PR #126), credit also to @fanto666.

Fixes #24