Hello,

Viktor Dukhovni:
I don't recall whether milter message content processing happens before
or after canonical rewriting, Wietse might post a reminder.  If milters
go first, you'll need to do DKIM signing after the message first goes
through a null content filter (directly back into Postfix on a different
port, with nothing in the middle), with milters only on the far side and
the canonical rewrites on the near side.

On 03.11.22 19:42, Wietse Venema wrote:
Postfix rewrites headers and envelopes before storing the message
in a queue file. Then, Milters can make changes, where each Milter
sees the result of changes made by its predecessor.

I have implemented SRS via postsrsd, and my observation is that while the envelope sender is changed by canonical_maps and the new sender is logged, the existing milters only see the old sender.

Perhaps I'm doing something wrong?

I use a separate Postfix instance, postfix-srs, for outgoing mail with this configuration:

sender_canonical_maps=tcp:localhost:10001
sender_canonical_classes=envelope_sender,header_sender
remote_header_rewrite_domain=fantomas.sk

smtpd_milters=
        inet:localhost:8895
        inet:localhost:8893
        inet:localhost:8891
        inet:localhost:8894

10001 is postsrsd
8895 is vrfydmn
8893 is pyspf-milter
8891 is opendkim
8894 is archivesmtp (logging the message as a milter sees it, for debugging)

Outgoing forwarded mail from uh...@example.com produces these logs:

Nov  6 19:39:00 fantomas postfix-srs/smtpd[32370]: connect from localhost[127.0.0.1]
Nov  6 19:39:00 fantomas pyspf-milter[1541]: connect from localhost at ('127.0.0.1', 49808) EXTERNAL
Nov  6 19:39:00 fantomas pyspf-milter[1541]: prepend Authentication-Results: fantomas.fantomas.sk; none (SPF check N/A for local connections - client-ip=127.0.0.1; helo=localhost; envelope-from=uh...@example.com; receiver=<UNKNOWN>)
Nov  6 19:39:00 fantomas postfix-srs/smtpd[32370]: D22DFA0414: client=localhost[127.0.0.1]
Nov  6 19:39:00 fantomas postsrsd[32373]: srs_forward: <uh...@example.com> rewritten as <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>
Nov  6 19:39:00 fantomas postsrsd[32373]: srs_forward: <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk> not rewritten: Valid SRS address for <uh...@example.com>
Nov  6 19:39:00 fantomas postsrsd[32373]: srs_forward: <uh...@example.com> rewritten as <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>
Nov  6 19:39:00 fantomas postsrsd[32373]: srs_forward: <SRS0+oOrGA=3G=example.com=uh...@fantomas.sk> not rewritten: Valid SRS address for <uh...@example.com>
Nov  6 19:39:00 fantomas postfix-srs/cleanup[32372]: D22DFA0414: message-id=<668b4f7e-1600-f10d-a2e2-7d497cba6...@example.com>
Nov  6 19:39:00 fantomas vrfydmn[2139]: D22DFA0414: header_from=<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk> mail_from=<uh...@example.com> return_value=continue
Nov  6 19:39:00 fantomas opendkim[2621]: D22DFA0414: DKIM-Signature field added (s=fantomas, d=fantomas.sk)
Nov  6 19:39:01 fantomas postfix-srs/qmgr[31552]: D22DFA0414: from=<SRS0+oOrGA=3G=example.com=uh...@fantomas.sk>, size=2301, nrcpt=1 (queue active)

All milters used (pyspf-milter, vrfydmn, even archivesmtp) report the original address uh...@example.com as the envelope sender; Postfix reports the address after canonical_maps.

I have worked around this by using a separate hop for canonical_maps and milters.

(I configured vrfydmn, spf-milter and rewriting of the header sender only for this example.)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
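
Added example, not part of the original message: a small log check that pairs each queue ID's milter-reported `mail_from=` with the `from=` that qmgr logs, and reports messages where the two differ, as in the vrfydmn and qmgr lines above. The sample log lines are constructed, the function name is hypothetical, and the script assumes one log entry per line, hexadecimal queue IDs and the `mail_from=<...>` field format that vrfydmn logs.

```python
import re

# Constructed sample log lines modelled on the ones in the message;
# host name and addresses are placeholders.
SAMPLE_LOG = """\
Nov  6 19:39:00 mx vrfydmn[2139]: D22DFA0414: header_from=<SRS0+abcd=3G=example.com=user@forwarder.example> mail_from=<user@example.com> return_value=continue
Nov  6 19:39:01 mx postfix-srs/qmgr[31552]: D22DFA0414: from=<SRS0+abcd=3G=example.com=user@forwarder.example>, size=2301, nrcpt=1 (queue active)
Nov  6 19:40:10 mx vrfydmn[2139]: E33EFB0525: header_from=<alice@forwarder.example> mail_from=<alice@forwarder.example> return_value=continue
Nov  6 19:40:11 mx postfix-srs/qmgr[31552]: E33EFB0525: from=<alice@forwarder.example>, size=1200, nrcpt=1 (queue active)
"""

# "<program>[pid]: <queue id>: <rest>" (assumes short hexadecimal queue IDs)
LINE_RE = re.compile(r"\s(?P<prog>[\w./-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
MILTER_FROM_RE = re.compile(r"\bmail_from=<([^>]*)>")   # sender as the milter saw it
QMGR_FROM_RE = re.compile(r"^from=<([^>]*)>")           # sender stored in the queue


def sender_mismatches(log_text):
    """Return {queue_id: (milter_program, milter_sender, queued_sender)}
    for messages whose milter-visible envelope sender differs from the
    envelope sender that qmgr logged for the same queue ID."""
    milter_view = {}
    queued = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog"), m.group("qid"), m.group("rest")
        if prog.endswith("/qmgr"):
            q = QMGR_FROM_RE.match(rest)
            if q:
                queued[qid] = q.group(1)
        else:
            f = MILTER_FROM_RE.search(rest)
            if f:
                milter_view[qid] = (prog, f.group(1))
    result = {}
    for qid, (prog, seen) in milter_view.items():
        final = queued.get(qid)
        if final is not None and seen != final:
            result[qid] = (prog, seen, final)
    return result


if __name__ == "__main__":
    for qid, (prog, seen, final) in sender_mismatches(SAMPLE_LOG).items():
        print(f"{qid}: {prog} saw <{seen}>, queued as <{final}>")
```
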
