|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: OT: milter smfi_insheader hdridx mess (with DKIM/DK milters)
From: Mark Martinec (Mark.Martinec+postfix
ijs.si)
Date: Fri Oct 27 2006 - 15:44:01 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
talking about a setup with multiple milters,
some prepending header fields at hdridx 1 and others at 1...
Claus Assmann wrote:
> The documentation says:
> * For smfi_insheader, filter order is important. Later filters will
> see the header changes made by earlier ones.
> Hence the "last" milter has the full picture (and it can change
> pretty much everything an "earlier" milter did, e.g., it can delete
> a header that an "earlier" milter inserted/added/changed). This
> implies that you have to be careful about the order of your milters.
> There has been some discussion to create a "milter multiplexor"
> that allows the specification of more complex interactions, but so
> far nobody came forward with a design proposal or an implementation.
Thanks for a reply from the first hand!
I was aware of this general concept, but the result surprised me
nevertheless. Repeating the process step by step shows the result
is by the book, yet the result was not useful (see below).
I think the original sin is that the Received header filed
which is to be inserted by MTA, is not yet visible or otherwise
made available to milters. If it were, signing milters would not
need to muck about with inserting their header fields at hdridx 1
or trying to make up a synthetic Received field (e.g. to use it
in a signature calculation or to provide information about
mail origin to SpamAssassin).
Certainly Postfix milter implementation does not mimic what
sendmail does (for better or worse), as illustrated below.
I prepared four test cases, two with sendmail, two with Postfix.
Here are the results, my comments interspersed:
Two hosts, one running sendmail, the other postfix.
Three milters are used at each host in the same order (one content
filter and two signing milters), each inserts exactly one header field:
1. content filter (amavisd with amavisd-milter),
listens at unix:/var/amavis/amavisd-milter.sock
inserts: X-Virus-Scanned: ...
configurable, inserts header fields either at hdridx 1 or 0
2. dk-milter v0.4.1
(is should sign header fields inserted by milter #1)
listens at 4444127.0.0.1
inserts DomainKey-Signature at hdridx 1
3. dkim-milter v0.5.2
(is should sign header fields inserted by milter #1 and #2)
listens at 4445127.0.0.1
inserts DKIM-Signature at hdridx 1
The two 'Authentication-Results:' header fields are inserted by
a receiving MTA (third machine) and are shown in resulting messages
just for illustration.
=================================================
SENDMAIL SETUP:
dnl Content filter:
INPUT_MAIL_FILTER(`amavisd-milter',
`S=unix:/var/amavis/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')
dnl Signers:
INPUT_MAIL_FILTER(`dk-filter-s', `S=inet:4444127.0.0.1, T=R:2m')
INPUT_MAIL_FILTER(`dkim-filter-s', `S=inet:4445127.0.0.1, T=R:2m')
=================================================
MANUAL SUBMISSION AT HOST RUNNING SENDMAIL 8.13.8
=================================================
sleepy$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.ijs.si.
Escape character is '^]'.
220 sleepy.ijs.si ESMTP Sendmail 8.13.8/8.13.6; Fri, 27 Oct 2006 21:11:44 +0200 (CEST)
ehlo sleepy.ijs.si
250-sleepy.ijs.si Hello localhost.ijs.si [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
mail from:<Mark.Martinecsleepy.ijs.si>
250 2.1.0 <Mark.Martinecsleepy.ijs.si>... Sender ok
rcpt to:<Mark.Martinecijs.si>
250 2.1.5 <Mark.Martinecijs.si>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Received: (example); Fri, 27 Oct 2006 20:30:06 +0200 (CEST)
Message-Id: <200610271908.k9RJ8REd004003sleepy.ijs.si>
From: Mark.Martinecsleepy.ijs.si
Subject: sendmail, all milters hdridx=1
Date: Fri, 27 Oct 2006 20:30:06 +0200 (CEST)
To: undisclosed-recipients:;
sendmail, all milters hdridx=1
.
250 2.0.0 k9RJBiJP004045 Message accepted for delivery
==============
RESULTING MAIL
==============
Authentication-Results: mail.ijs.si header.From=Mark.Martinecsleepy.ijs.si; dkim=pass (1024-bit key)
Authentication-Results: mail.ijs.si from=Mark.Martinecsleepy.ijs.si; domainkeys=pass
Received: from sleepy.ijs.si (localhost.ijs.si [127.0.0.1])
by sleepy.ijs.si (8.13.8/8.13.6) with ESMTP id k9RJBiJP004045
for <Mark.Martinecijs.si>; Fri, 27 Oct 2006 21:12:03 +0200 (CEST)
(envelope-from Mark.Martinecsleepy.ijs.si)
DKIM-Signature: a=rsa-sha1; c=relaxed/simple; d=sleepy.ijs.si; s=rd;
t=1161976335; bh=4MMD5NffktEZdRa4ruth7Dup2oY=; h=DomainKey-Signature:
X-Virus-Scanned:Received:Message-Id:From:Subject:Date:To; b=Al4nxlr
hhyotbi/1ZbUcaA7ESoUX68fCWmiT+QaUWiYXVNrWRcaq/1l3DWQC+ogBpoyjctOide
8u/cjsJi4milWrKb64Mtb9w8lQCLtCNuiNQD2fg/Mk7jYocyOQ3UwnkeXpqlEZETfKV
jWmZEIf7gQSaIi5X9We0UCr/qLBcoc=
DomainKey-Signature: a=rsa-sha1; s=rd; d=sleepy.ijs.si; c=nofws; q=dns;
h=x-virus-scanned:received:message-id:from:subject:date:to;
b=QMdvYFJhyP+GUd4NEKEUQU6cUFigzPWLNgkFg4wc1gWHMHlYCSJ0ibs4MLP/2HzB3
1SkH03jEVZgxqbVWD8+QsrPgg6Qs9qbxfPIUZRQO/x5WuGwmsioxENyVynRY6XpbX+0
0FrH4hbaWQSijDZiMVK/rQUmovPtW7ovpZqRKX8=
X-Virus-Scanned: amavisd-new at sleepy.ijs.si
Received: (example); Fri, 27 Oct 2006 20:30:06 +0200 (CEST)
Message-Id: <200610271908.k9RJ8REd004003sleepy.ijs.si>
From: Mark.Martinecsleepy.ijs.si
Subject: sendmail, all milters hdridx=1
Date: Fri, 27 Oct 2006 20:30:06 +0200 (CEST)
To: undisclosed-recipients:;
sendmail, all milters hdridx=1
===========================
COMMENT: everything is fine
===========================
=======================================================================
SMTP session continues, content filter amavisd switched to use hdridx=0
=======================================================================
rset
250 2.0.0 Reset state
mail from:<Mark.Martinecsleepy.ijs.si>
250 2.1.0 <Mark.Martinecsleepy.ijs.si>... Sender ok
rcpt to:<Mark.Martinecijs.si>
250 2.1.5 <Mark.Martinecijs.si>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Received: (example); Fri, 27 Oct 2006 20:30:10 +0200 (CEST)
Message-Id: <333610271908.k9RJ8REd004003sleepy.ijs.si>
From: Mark.Martinecsleepy.ijs.si
Subject: sendmail, amavis hdridx=0, dk/dkim hdridx=1
Date: Fri, 27 Oct 2006 20:30:10 +0200 (CEST)
To: undisclosed-recipients:;
sendmail, amavis hdridx=0, dk/dkim hdridx=1
.
250 2.0.0 k9RJBiJR004045 Message accepted for delivery
quit
221 2.0.0 sleepy.ijs.si closing connection
Connection closed by foreign host.
==============
RESULTING MAIL
==============
Authentication-Results: mail.ijs.si header.From=Mark.Martinecsleepy.ijs.si; dkim=pass (1024-bit key)
Authentication-Results: mail.ijs.si from=Mark.Martinecsleepy.ijs.si; domainkeys=fail
X-Virus-Scanned: amavisd-new at sleepy.ijs.si
DKIM-Signature: a=rsa-sha1; c=relaxed/simple; d=sleepy.ijs.si; s=rd;
t=1161976475; bh=pJw15IUHlf4D3srACpxNH9Fm77Y=; h=X-Virus-Scanned:
DomainKey-Signature:Received:Message-Id:From:Subject:Date:To; b=eno
yMvz7akwo6v6gACuWte1byRFfckeMcnX3/aDc6NxEgFUmPcWW2Y9m9GhXZ3SF1SZPyd
Ul6CIqTxl2UvR8VQxHSH2BaduYm+ImhkShJQjPNGqI9EPnDwobNNXoC2kQ8Wxl2sqY0
bW1DMt3764mEU0Pa5/9CZ2xQBZeomsfOUA=
DomainKey-Signature: a=rsa-sha1; s=rd; d=sleepy.ijs.si; c=nofws; q=dns;
h=x-virus-scanned:received:message-id:from:subject:date:to;
b=MzFYpn5tm8WYy82j1RTEuXMTpEqg6w2ubyNfsOTSGl9CEmoxpnzqH+laqOR4wCtHy
sIivHrt0e9zicuZghYbqkVcclZzSuVXyqB2ZpnwO1KHzy9TQ+2wHqpd3KMuayK8RY4R
/vjjKosw69PWoMyOSOaSWQfXkbF7CX06ib1miLk=
Received: from sleepy.ijs.si (localhost.ijs.si [127.0.0.1])
by sleepy.ijs.si (8.13.8/8.13.6) with ESMTP id k9RJBiJR004045
for <Mark.Martinecijs.si>; Fri, 27 Oct 2006 21:13:17 +0200 (CEST)
(envelope-from Mark.Martinecsleepy.ijs.si)
Received: (example); Fri, 27 Oct 2006 20:30:10 +0200 (CEST)
Message-Id: <333610271908.k9RJ8REd004003sleepy.ijs.si>
From: Mark.Martinecsleepy.ijs.si
Subject: sendmail, amavis hdridx=0, dk/dkim hdridx=1
Date: Fri, 27 Oct 2006 20:30:10 +0200 (CEST)
To: undisclosed-recipients:;
sendmail, amavis hdridx=0, dk/dkim hdridx=1
===========================
COMMENT:
- the resulting order conforms to the documentation, but the
result is not useful :) Administrators must be aware not to mix
milters which prepend header fields at different hdridx !!!
- dk verification fails because Received header field appears below
a signature instead of above it
===========================
======================================================
======================================================
POSTFIX SETUP:
smtpd_milters =
unix:/var/amavis/amavisd-milter.sock,
inet:127.0.0.1:4444,
inet:127.0.0.1:4445
======================================================
MANUAL SUBMISSION AT HOST RUNNING POSTFIX 2.4-20061006
======================================================
ezri$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.ijs.si.
Escape character is '^]'.
220 ezri.ijs.si ESMTP Postfix
ehlo ezri.ijs.si
250-ezri.ijs.si
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<Mark.Martinecezri.ijs.si>
250 2.1.0 Ok
rcpt to:<Mark.Martinecijs.si>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Received: (example); Fri, 27 Oct 2006 20:40:06 +0200 (CEST)
Message-Id: <xxxezri.ijs.si>
From: Mark.Martinecezri.ijs.si
Subject: postfix, all milters hdridx=1
Date: Fri, 27 Oct 2006 20:40:06 +0200 (CEST)
To: undisclosed-recipients:;
postfix, all milters hdridx=1
.
250 2.0.0 Ok: queued as 03C241CC19
==============
RESULTING MAIL
==============
Authentication-Results: mail.ijs.si header.From=Mark.Martinecezri.ijs.si; dkim=pass (1024-bit key)
Authentication-Results: mail.ijs.si from=Mark.Martinecezri.ijs.si; domainkeys=pass (testing)
Received: from ezri.ijs.si (localhost.ijs.si [127.0.0.1])
by ezri.ijs.si (Postfix) with ESMTP id 03C241CC19
for <Mark.Martinecijs.si>; Fri, 27 Oct 2006 21:22:04 +0200 (CEST)
DKIM-Signature: a=rsa-sha1; c=relaxed/simple; d=ezri.ijs.si; s=ez-200611;
t=1161977061; bh=kv/MzuTxTmvN3qKv2rZebAxBxDw=; h=DomainKey-Signature:
X-Virus-Scanned:Received:Message-Id:From:Subject:Date:To; b=gqwQJrv
UhpVlRCowTWl3E3Im5wAfFC9ArgrD0AoLJYrpCD/9SMOqIcJ7JoVIerWL5F1/DStsQn
p95VLzCuT/atD19XDFfN9U7XH9YGTYym1WeR4ol6QHAgKDLeTp8qzM8jw+JCINrR4Ah
7ab3k3TLcIXoPTLotzp1BeVLV1IMpw=
DomainKey-Signature: a=rsa-sha1; s=ez-200611; d=ezri.ijs.si; c=nofws; q=dns;
h=x-virus-scanned:received:message-id:from:subject:date:to;
b=ZysPd8npjY3FkMdIoOdlUT3BAcY/OoHvTo6ZR0U9lu+/wx8EeS6+u5sNSUs+BrM3q
wIwchfJ+AKce4otcgGL+J+GtHS0N5c7pXjhsQC9t4tQ2K4sWPc+SJm8dxT6CuWbcMOq
6CldYMHNhmI1OxzjSYJHCmbZvia9fdbgSlLpIiA=
X-Virus-Scanned: amavisd-new at ezri.ijs.si
Received: (example); Fri, 27 Oct 2006 20:40:06 +0200 (CEST)
Message-Id: <xxxezri.ijs.si>
From: Mark.Martinecezri.ijs.si
Subject: postfix, all milters hdridx=1
Date: Fri, 27 Oct 2006 20:40:06 +0200 (CEST)
To: undisclosed-recipients:;
postfix, all milters hdridx=1
===========================
COMMENT: everything is fine
===========================
=======================================================================
SMTP session continues, content filter amavisd switched to use hdridx=0
=======================================================================
rset
250 2.0.0 Ok
mail from:<Mark.Martinecezri.ijs.si>
250 2.1.0 Ok
rcpt to:<Mark.Martinecijs.si>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Received: (example); Fri, 27 Oct 2006 20:40:10 +0200 (CEST)
Message-Id: <yyyezri.ijs.si>
From: Mark.Martinecezri.ijs.si
Subject: postfix, amavis hdridx=0, dk/dkim hdridx=1
Date: Fri, 27 Oct 2006 20:40:10 +0200 (CEST)
To: undisclosed-recipients:;
postfix, amavis hdridx=0, dk/dkim hdridx=1
.
250 2.0.0 Ok: queued as 2A7581CC19
quit
221 2.0.0 Bye
Connection closed by foreign host.
==============
RESULTING MAIL
==============
Authentication-Results: mail.ijs.si header.From=Mark.Martinecezri.ijs.si; dkim=pass (1024-bit key)
Authentication-Results: mail.ijs.si from=Mark.Martinecezri.ijs.si; domainkeys=pass (testing)
DomainKey-Signature: a=rsa-sha1; s=ez-200611; d=ezri.ijs.si; c=nofws; q=dns;
h=received:message-id:from:subject:date:to;
b=PcVFOv/O633W9tXiLFTAIThYnSOdUMJA4dw4nUn9en3fA7nhT0u1lmnmGkGAFiZjl
KfQFMb5hpAxbxe4sB92U/hJ8uaq7GpUL8Hwm5/Uq8ubVKEdpMelVAnaFl1NGI3qjden
cSLjWHcWAdoYOfK5UdHUxeihljl3BnRpn/7s5x0=
DKIM-Signature: a=rsa-sha1; c=relaxed/simple; d=ezri.ijs.si; s=ez-200611;
t=1161977193; bh=hX0SDD1Ua4+3AJnkDJZPxLcw7nI=; h=X-Virus-Scanned:
Received:Received:Message-Id:From:Subject:Date:To; b=wXEM0aetcNRGPa
37ORNq+f0zdtkLK5pY5q0A51rv+8xHOxHzYQEouIn7M6k/sHB/AeAHRMkr8WQCF2fTx
cEvjzRKr9BaWzVFNUswnZMt7Gd6hn/rpSaIRdcRpajOdWpTSl67e+ZVRimwqTBjSR6M
SqPjvECJDVR+I3abOd0cDrg=
X-Virus-Scanned: amavisd-new at ezri.ijs.si
Received: from ezri.ijs.si (localhost.ijs.si [127.0.0.1])
by ezri.ijs.si (Postfix) with ESMTP id 2A7581CC19
for <Mark.Martinecijs.si>; Fri, 27 Oct 2006 21:25:16 +0200 (CEST)
Received: (example); Fri, 27 Oct 2006 20:40:10 +0200 (CEST)
Message-Id: <yyyezri.ijs.si>
From: Mark.Martinecezri.ijs.si
Subject: postfix, amavis hdridx=0, dk/dkim hdridx=1
Date: Fri, 27 Oct 2006 20:40:10 +0200 (CEST)
To: undisclosed-recipients:;
postfix, amavis hdridx=0, dk/dkim hdridx=1
===========================
COMMENT: behaves differently than sendmail:
- the three header fields DomainKey-Signature, DKIM-Signature and
X-Virus-Scanned are in exactly reverse order compared to sendmail;
- DomainKey-Signature does not see 'X-Virus-Scanned'
- DKIM-Signature does see X-Virus-Scanned, fine;
- DKIM-Signature sees both: Received:Received
===========================
Mark
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]