Score:1

Postfix: use myorigin=$myhostname for local email and myorigin=$mydomain for trusted networks

I have a Postfix instance configured for address rewriting, which allows canonicalization of the From header.

Current (required?) configurations

These are the relevant configurations:

```
# Basic conf
myhostname = hostname.example.test
mydomain = example.test
mynetworks = 127.0.0.0/8,1.2.3.4/32
myorigin = $mydomain
mydestination =

# Rewrite options
append_at_myorigin = yes
local_header_rewrite_clients = permit_mynetworks
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = hash:/etc/postfix/sender_canonical
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

# restrictions (redacted for readability)
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, permit
```

Desired result

I want to achieve the following:

  1. when an email is received from 127.0.0.1, From: root is rewritten as From: [email protected] (i.e. root@$hostname)
  2. when an email is received from 1.2.3.4, From: root is rewritten as From: [email protected] (i.e. root@$mydomain)
  3. when an email is received from anyone else, an email From: root is rejected (since restriction reject_non_fqdn_sender is in place)

The problem

The variable $myorigin should be different based on the receiving address, but I cannot find a way to do so. So far, I've tried many solutions but failed.

Unsuccessful attempt...

I've tried creating two smtp master services -- 127.0.0.1:smtp with myorigin = $myhostname and 192.168.1.2:smtp with myorigin = $mydomain -- but since the myorigin option is related to the trivial-rewrite process, it gets ignored.

Mappings for canonical/virtual seem to be unusable since they happen after trivial-rewrite is executed.

Mappings for aliases seem to be unusable since they are used after the message is determined to be sent to $mydestination, but these messages go elsewhere.

anx
*"it gets ignored"* I could not say without trying whether that helps, but you *can* duplicate `trivial-rewrite` instances (e.g. with different `-o remote_header_rewrite_domain=example.invalid` settings) and point `smtpd` instances in `master.cf` to alternates via `-o smtpd_client_restrictions=permit_mynetworks,reject -o rewrite_service_name=rewrite-local`.
giosh94mhz
Yes, I totally agree that the sender should fix their servers. Problem is that it should be configurable, and the client should be able to receive from very old systems (e.g. AS400).
giosh94mhz
Great hint with `rewrite_service_name`! Didn't notice that I can replace every process using `*_service_name`. I'm figuring out how to solve this scenario and then will publish the answer. Thank you very much!
anx
I have seen problems that could be solved that way, and some where that did not help (if you wanted post-queue changes, you could as well run two instances), I only know it works reliably for replacing `cleanup`. Since simpler maintenance and diagnostics is still preferable, could you not deal with the "configurable" requirement by canonicalizing *all* locally administered names of some agreed suffix, yet still requiring that the senders follow spec insofar as sending proper names, even if not the ones eventually used?
giosh94mhz
I see what you are suggesting and generally agree that canonicalization is a good thing. Since this software is used by other mail administrators, on behalf of the user, you probably see why I just want locally generated "root"/"postmaster" email to be rewritten with the hostname; I'll handle SPF validation on the hostname level and no one but the system can generate such email. This time I'll live with this master.cf configuration; maybe a postmulti will be required next time.
Score:1

Thanks to anx's feedback, I found the solution.

The solution scheme

According to Postfix official docs about rewriting, the master process tree is like the following:

```
smtp   --+--> cleanup --> rewrite --> [queue]
pickup --/
```

So I ended up creating a pipeline specific for localhost, like the following:

```
192.168.1.2:smtp  --+--> cleanup --> rewrite ------------+--> [queue]
127.0.0.1:smtp  --+--> cleanup_local --> rewrite_local --/
pickup -----------/
```

The configuration

This is the main.cf configuration, which represents external IP configurations:

```
#  configure the global desiderata

# Basic conf (for display purpose, use your own configuration)
# myhostname = hostname.example.test
# mydomain = example.test
# mydestination =
# mynetworks = 127.0.0.0/8,1.2.3.4/32

# Rewrite options
myorigin = $mydomain
append_at_myorigin = yes
local_header_rewrite_clients = permit_mynetworks
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = hash:/etc/postfix/sender_canonical
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

# restrictions (redacted for readability)
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, permit
```

This is the master.cf configuration, with the customized pipeline:

```
# add this for the local smtp service
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd
  -o myorigin=$myhostname
  -o cleanup_service_name=cleanup_local
  -o inet_interfaces=loopback-only
  -o local_header_rewrite_clients=permit_inet_interfaces

# edit the pickup service with these two options
pickup    unix  n       -       n       60      1       pickup
  -o myorigin=$myhostname
  -o cleanup_service_name=cleanup_local

# add this for local email cleanup
cleanup_local   unix  n       -       n       -       0       cleanup
  -o myorigin=$myhostname
  -o rewrite_service_name=rewrite_local

# add this for local email basic rewrite
rewrite_local   unix  -       -       n       -       -       trivial-rewrite
  -o myorigin=$myhostname
  -o local_header_rewrite_clients=permit_inet_interfaces

# Then, for each public IP assigned to the machine, add an smtp service like this
192.168.3.85:smtp      inet  n       -       n       -       -       smtpd
# and remove the default service smtp inet [..cut..] smtpd
```
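
To check which `myorigin` each listener ends up with, the sketch below (an added example, not part of the original answer) parses master.cf entries and follows `cleanup_service_name` and `rewrite_service_name` to the `trivial-rewrite` instance that does the rewriting. The sample entries are constructed from the answer's configuration with stock `cleanup` and `rewrite` services assumed; `parse_master` and `effective_myorigin` are hypothetical helper names.

```python
import shlex

# Constructed sample: the answer's master.cf entries plus stock cleanup/rewrite.
MASTER_CF = """\
127.0.0.1:smtp  inet  n  -  n  -  -  smtpd
  -o myorigin=$myhostname
  -o cleanup_service_name=cleanup_local
192.168.3.85:smtp  inet  n  -  n  -  -  smtpd
pickup  unix  n  -  n  60  1  pickup
  -o myorigin=$myhostname
  -o cleanup_service_name=cleanup_local
cleanup  unix  n  -  n  -  0  cleanup
rewrite  unix  -  -  n  -  -  trivial-rewrite
cleanup_local  unix  n  -  n  -  0  cleanup
  -o myorigin=$myhostname
  -o rewrite_service_name=rewrite_local
rewrite_local  unix  -  -  n  -  -  trivial-rewrite
  -o myorigin=$myhostname
"""

def parse_master(text):
    """Return {service_name: {"cmd": command, "opts": {-o overrides}}}."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of previous entry
        else:
            logical.append(line)
    services = {}
    for entry in logical:
        f = shlex.split(entry)
        args = f[8:]                            # everything after the command
        opts = dict(args[i + 1].split("=", 1)
                    for i in range(len(args) - 1) if args[i] == "-o")
        services[f[0]] = {"cmd": f[7], "opts": opts}
    return services

def effective_myorigin(services, listener, main_cf_myorigin="$mydomain"):
    """Follow listener -> cleanup -> trivial-rewrite; return (service, myorigin)."""
    cleanup = services[listener]["opts"].get("cleanup_service_name", "cleanup")
    rewrite = services[cleanup]["opts"].get("rewrite_service_name", "rewrite")
    return rewrite, services[rewrite]["opts"].get("myorigin", main_cf_myorigin)

if __name__ == "__main__":
    svc = parse_master(MASTER_CF)
    for name in ("127.0.0.1:smtp", "192.168.3.85:smtp", "pickup"):
        print(name, "->", *effective_myorigin(svc, name))
```

A listener that sets only `-o myorigin=$myhostname` on `smtpd`, as in the question's first attempt, still resolves to the default `rewrite` service and therefore to the main.cf value.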
