> On Apr 22, 2022, at 8:53 PM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
> On Fri, Apr 22, 2022 at 06:54:56PM -0700, Dan Mahoney wrote:
>
>> masquerade_domains = !ops.foo.org, !support.foo.org, !gitlab.foo.org,
>> !lists.foo.org, isc.org
>> masquerade_exceptions = root
>
> Personally, I avoid masquerade_domains, because it does wildcard
> rewriting, and effectively breaks recipient validation. Every
> recipient in one of the input domains is subject to rewriting,
> and thus deemed valid on input.
>
> So this is best avoided at least on Internet facing inbound MX
> hosts. But frankly, best avoided entirely. Just use a definitive
> canonical_maps table to map known secondary addresses of users to
> their preferred primary address and avoid all forms of wildcard
> rewrites.
>
>> So that when root generates an email (like a system mail) it's obvious
>> what system generated it.
>
> A reasonable recipe for exposing where mail from "root" came from on a
> null client can be found in:
> http://www.postfix.org/MULTI_INSTANCE_README.html#quick
Interesting, but maybe overkill. Also, some of my systems on the outside just
have DMA and not full-blown postfix, so they send with their full hostname but
are then flattened by postfix on our border MXes (which is also their
smarthost).
Typically on BSD systems, the “Root” user has a realname in the password file
of “Charlie Root”, and perhaps using puppet to set that to a hostname-specific
variant could be useful. Programs like /bin/mail pull the passwd value in
automatically when generating an envelope from.
Does postfix have any support at all for rewriting the non-email-address
portion of the from line? (The “Real name” portion).
-Dan
