jcbf/smf-spf

Authentication-Results header - wrong position

Closed this issue · 3 comments

The spf-milter inserts the Authentication-Results header below the Received header inserted by its own MTA. This can be problematic if you use the SPF milter only for tagging and want to delegate processing to a later stage (e.g. SpamAssassin on a different machine). SpamAssassin will never use this Authentication-Results header, because, when correctly configured, it will never consider it trustworthy due to the position of the header.

The Authentication-Results header is specified in RFC 8601. It is a trace header field and therefore expected to come before the Received header. See the explicit requirements on this in sections 4 and 7.1 of RFC 8601.

For MTAs that add this header field, adding header fields in order (at the top), per Section 3.6 of [MAIL], is particularly important. Moreover, this header field SHOULD be inserted above any other trace header fields such MTAs might prepend. This placement allows easy detection of header fields that can be trusted.

OpenDKIM has a similar issue open on GitHub.

The following patch solves the problem:

--- /tmp/smf-spf.c      2020-11-12 22:44:54.000000000 +0100
+++ smf-spf.c   2022-03-07 12:00:18.150462870 +0100
@@ -1136,7 +1136,7 @@
                        authserv_id, "none", context->sender, context->helo);
                    break;
            }
-           smfi_insheader(ctx, 1, "Authentication-Results", spf_hdr);
+           smfi_insheader(ctx, 0, "Authentication-Results", spf_hdr);
            free(spf_hdr);
        }
     }
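Review bot: the bare index literal on the changed `smfi_insheader(ctx, 0, "Authentication-Results", spf_hdr);` line carries none of the reasoning for why 0 is now the right value, so it is easy for someone to "fix" it back to 1 later. The change itself is sound: index 0 prepends the header above the MTA's own Received header, which is what RFC 8601 section 7.1 asks of trace header fields, whereas index 1 left it below that trace boundary. Suggest a short comment beside the call, e.g. `/* index 0: prepend above the MTA's Received header (RFC 8601, section 7.1) */`, and a matching line in the changelog.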

jcbf commented

Hi @offbytwo, can you make a PR?

I have to admit that I'm not very familiar with git. So maybe someone else could make a PR with the patch I posted above. The patch is running in production here for nearly 3 weeks now and works as expected. Especially Spamassassin now honors the "Authentication-Results" header which is inserted by this milter.

jcbf commented

Merged into master in #97
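A defender-side check for the placement rule discussed in the issue above, as an added example that is not code from smf-spf or libmilter: it emulates the milter's old index-1 and patched index-0 insertion on a constructed header block and reports which Authentication-Results headers a downstream filter may rely on, and it also shows why a sender-supplied header spoofing the local authserv-id is rejected. The authserv-id, addresses, sample headers and the simplified trust boundary (the first Received header is the local MTA's own) are assumptions.

```python
"""Added example for this issue (not smf-spf/libmilter code): check whether an
Authentication-Results (A-R) header sits above the local MTA's Received header,
as RFC 8601 section 7.1 requires. All names and sample headers are constructed;
the trust boundary is simplified to the first Received header in the message."""
from email import message_from_string

AUTHSERV_ID = "mail.example.org"  # constructed local authserv-id
AR_VALUE = f"{AUTHSERV_ID}; spf=pass smtp.mailfrom=alice@example.net"

# Constructed header block as the MTA hands it to the milter: its own Received
# header is first, the upstream relay's second.
BASE_HEADERS = [
    ("Received", "from mx.example.net by mail.example.org; Mon, 7 Mar 2022 12:00:00 +0100"),
    ("Received", "from client.example.net by mx.example.net; Mon, 7 Mar 2022 11:59:00 +0100"),
    ("From", "alice@example.net"),
    ("Subject", "test"),
]

# Constructed raw message whose sender supplied an A-R header spoofing our
# authserv-id; it can only ever land below our own Received header.
FORGED_RAW = (
    "Received: from mx.example.net by mail.example.org; Mon, 7 Mar 2022 12:00:00 +0100\n"
    f"Authentication-Results: {AUTHSERV_ID}; spf=pass smtp.mailfrom=evil@example.net\n"
    "From: evil@example.net\nSubject: forged\n\nbody\n"
)

def insheader(headers, idx, name, value):
    """Emulate smfi_insheader(): insert at zero-based position idx from the top."""
    new = list(headers)
    new.insert(idx, (name, value))
    return new

def headers_from_raw(raw):
    """Parse a raw RFC 5322 message into an ordered (name, value) list."""
    return list(message_from_string(raw).items())

def trusted_authres(headers, authserv_id):
    """Return A-R values a downstream filter may rely on: authserv-id is ours
    and the header appears above the local MTA's Received header. Anything
    below that boundary may have been written by the sending side."""
    names = [n.lower() for n, _ in headers]
    boundary = names.index("received") if "received" in names else len(headers)
    return [v for i, (n, v) in enumerate(headers)
            if n.lower() == "authentication-results"
            and v.split(";", 1)[0].strip() == authserv_id and i < boundary]

def placement_report():
    """Trusted A-R headers when inserted at index 1 (old code) vs 0 (patch)."""
    return {idx: trusted_authres(insheader(BASE_HEADERS, idx, "Authentication-Results", AR_VALUE),
                                 AUTHSERV_ID) for idx in (1, 0)}
```

Running `placement_report()` shows the old index-1 insertion yields no trusted header while index 0 yields the milter's own result; the forged message yields none in either case.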