Hello,
Viktor Dukhovni:
I don't recall whether milter message content processing happens before
or after canonical rewriting, Wietse might post a reminder. If milters
go first, you'll need to do DKIM signing after the message first goes
through a null content filter (directly back into Postfix on a different
port, with nothing in the middle), with milters only on the far side and
the canonical rewrites on the near side.
On 03.11.22 19:42, Wietse Venema wrote:
Postfix rewrites headers and envelopes before storing the message
in a queue file. Then, Milters can make changes, where each Milter
sees the result of changes made by its predecessor.
I have implemented SRS via postsrsd and my observation says that while
envelope sender is changed by canonical_maps and the new sender is logged,
existing milters only see old sender.
Perhaps I'm doing something wrong?
I use separate postfix instance postfix-srs for outgoing mail with this
configuration:
sender_canonical_maps=tcp:localhost:10001
sender_canonical_classes=envelope_sender,header_sender
remote_header_rewrite_domain=fantomas.sk
smtpd_milters=
inet:localhost:8895
inet:localhost:8893
inet:localhost:8891
inet:localhost:8894
10001 is postsrsd
8895 is vrfydmn
8893 is pyspf-milter
8891 is openskim
8894 is archivesmtp (logging message as milter sees it for debug reasons)
outgoing forwarded mail from uh...@example.com produces these logs:
Nov 6 19:39:00 fantomas postfix-srs/smtpd[32370]: connect from
localhost[127.0.0.1]
Nov 6 19:39:00 fantomas pyspf-milter[1541]: connect from localhost at
('127.0.0.1', 49808) EXTERNAL
Nov 6 19:39:00 fantomas pyspf-milter[1541]: prepend Authentication-Results:
fantomas.fantomas.sk; none (SPF check N/A for local connections -
client-ip=127.0.0.1; helo=localhost; envelope-from=uh...@example.com;
receiver=<UNKNOWN>)
Nov 6 19:39:00 fantomas postfix-srs/smtpd[32370]: D22DFA0414:
client=localhost[127.0.0.1]
Nov 6 19:39:00 fantomas postsrsd[32373]: srs_forward: <uh...@example.com> rewritten
as <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>
Nov 6 19:39:00 fantomas postsrsd[32373]: srs_forward:
<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk> not rewritten: Valid SRS address for
<uh...@example.com>
Nov 6 19:39:00 fantomas postsrsd[32373]: srs_forward: <uh...@example.com> rewritten
as <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>
Nov 6 19:39:00 fantomas postsrsd[32373]: srs_forward:
<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk> not rewritten: Valid SRS address for
<uh...@example.com>
Nov 6 19:39:00 fantomas postfix-srs/cleanup[32372]: D22DFA0414:
message-id=<668b4f7e-1600-f10d-a2e2-7d497cba6...@example.com>
Nov 6 19:39:00 fantomas vrfydmn[2139]: D22DFA0414:
header_from=<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>
mail_from=<uh...@example.com> return_value=continue
Nov 6 19:39:00 fantomas opendkim[2621]: D22DFA0414: DKIM-Signature field added
(s=fantomas, d=fantomas.sk)
Nov 6 19:39:01 fantomas postfix-srs/qmgr[31552]: D22DFA0414:
from=<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>, size=2301, nrcpt=1 (queue
active)
all milters used (pyspf-milter, vrfydmn, even archivestp) report original
address uh...@example.com as envelope sender, postfix reports address after
canonical_maps.
I have worked around this by using separate hop for canonical_maps and milters.
(I configured vrydmn, spf-milter and rewriting header sender only for this
example).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.