On Fri, Apr 22, 2022 at 06:54:56PM -0700, Dan Mahoney wrote:

> masquerade_domains = !ops.foo.org, !support.foo.org, !gitlab.foo.org,
> !lists.foo.org, isc.org
> masquerade_exceptions = root

Personally, I avoid masquerade_domains, because it does wildcard rewriting, and effectively breaks recipient validation. Every recipient in one of the input domains is subject to rewriting, and thus deemed valid on input. So this is best avoided at least on Internet facing inbound MX hosts. But frankly, best avoided entirely.

Just use a definitive canonical_maps table to map known secondary addresses of users to their preferred primary address and avoid all forms of wildcard rewrites.

> So that when root generates an email (like a system mail) it's obvious
> what system generated it.

A reasonable recipe for exposing where mail from "root" came from on a null client can be found in:

    http://www.postfix.org/MULTI_INSTANCE_README.html#quick

> We *also* recently set sp=reject in dmarc. Which presents us with a problem.

I have no advice re DMARC, never have or will use it.

-- 
Viktor.
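
The canonical_maps approach recommended above, sketched as an added example that is not part of the original message. The example.org addresses, the table path /etc/postfix/canonical and the hash: map type are assumptions; substitute the map type your Postfix build supports.

```conf
# ---- /etc/postfix/main.cf (constructed example) ----

# Wildcard approach from the quoted configuration, left disabled.
# It rewrites any localpart in a matching subdomain.
#masquerade_domains = example.org
#masquerade_exceptions = root

# Definitive table: exact-match lookups, no wildcard.
# Only the addresses listed in the table are rewritten.
canonical_maps = hash:/etc/postfix/canonical

# ---- /etc/postfix/canonical (constructed entries) ----
# known secondary address        preferred primary address
alice@host1.example.org          alice@example.org
alice@host2.example.org          alice@example.org
bob@host1.example.org            bob@example.org

# Not listed, so left unchanged:
#   root@host1.example.org    (still shows which system generated the mail)
#   nosuchuser@host1.example.org
```

After editing the table, rebuild it with `postmap /etc/postfix/canonical` and run `postfix reload` to pick up the main.cf change.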