On Fri, Nov 04, 2022 at 08:45:15AM +0000, Gino Ferguson wrote:

> Thanks for the replies.
>
> Before I wrote my question I have tried this ('canonical_classes' was the
> default):
> sender_canonical_maps = regexp:/etc/postfix/custom_rewrite_sender

- Firstly, DO NOT use sender_canonical_maps, it fails to rewrite "Cc:".
  Use "canonical_maps".

- Secondly, strongly consider processing incoming mail (where you
  perform DKIM verification) on a separate machine, or in a separate
  Postfix instance from outgoing mail (where you perform DKIM signing).

- Sign outgoing DKIM mail in exactly one stage of your outgoing mail
  processing, as late as possible in the pipeline.

> Today morning we did test it again but added
> header_checks = regexp:/etc/postfix/custom_rewrite

NO. Header checks *cannot* parse email addresses in headers. If you
think this works, you're mistaken.

> /etc/postfix/custom_rewrite:
> /^(.*)@originalsender.fqdn$/ REPLACE ${1}@masqueraded.fqdn

NO.

> And the masquerading worked and the DKIM is good.
>
> Now I'm confused.

Use "canonical_maps" with envelope_recipient excluded from
canonical_classes, or perform rewriting only on the outbound MTA, where
it is OK to not do recipient validation (I prefer and recommend divide
and conquer).

-- 
    Viktor.
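
An added illustration (not part of the original message, and not Postfix code) of why a header_checks pattern is no substitute for address rewriting: Python's re module simulates the REPLACE rule from the thread applied to a whole header line, next to a rewrite that parses each address first. The function names and sample headers are constructed for this example, and Python's regex engine stands in for the Postfix regexp table.

```python
import re
from email.utils import getaddresses, formataddr

# Pattern quoted in the thread. header_checks matches it against the whole
# logical header line ("Name: value"), never against individual addresses.
HEADER_CHECK = re.compile(r"^(.*)@originalsender.fqdn$")


def header_check_replace(header_line):
    """Simulate a header_checks REPLACE rule: match and replace the full line."""
    m = HEADER_CHECK.match(header_line)
    if m is None:
        return header_line  # no match: header passes through unchanged
    return m.group(1) + "@masqueraded.fqdn"


def address_aware_rewrite(header_line):
    """Stand-in for address-level rewriting: parse, map each address, re-emit."""
    name, _, value = header_line.partition(":")
    rewritten = []
    for display, addr in getaddresses([value.strip()]):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == "originalsender.fqdn":
            addr = local + "@masqueraded.fqdn"
        rewritten.append(formataddr((display, addr)))
    return name + ": " + ", ".join(rewritten)


# Constructed sample headers covering the three common address layouts.
SAMPLES = [
    "From: alice@originalsender.fqdn",                         # bare address
    "From: Alice <alice@originalsender.fqdn>",                 # display name
    "Cc: bob@originalsender.fqdn, carol@originalsender.fqdn",  # address list
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("input        :", line)
        print("header_checks:", header_check_replace(line))
        print("address-aware:", address_aware_rewrite(line))
        print()
```

Only the bare-address header is rewritten by the regex; the display-name form is left untouched and the address list has only its last entry changed, which is why a quick test with a simple From: line can look successful.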