From: Steve Huston (huston astro.princeton.edu)
Date: Thu Sep 09 2010 - 12:02:16 CDT
I'm using Postfix 2.3.3 (from CentOS 5.5) and am trying to rewrite the
initial Received: header on messages for which the sender is SMTP AUTH'd
already (due to the original IP in the headers causing spam scanners to
give bad scores to legitimate messages). A bit of searching had turned
up this message in a perfectly relevant thread from not long ago:
http://archives.neohapsis.com/archives/postfix/2009-03/0331.html
However, the problem I'm having is that the Received: header is still
not being rewritten. If I move the test to "further along" then it's
seen, but then the rewrite would be tripped (or at least checked) on
many more messages than we need or desire.
*) When is the Received: line actually written to the message? If it's
after cleanup runs, then this is moot and I will have to figure a
different way of doing things (I have an idea already [1])
*) If the Received: header is written either before smtpd->cleanup or
before header_checks would run, then why isn't this finding it?
The workflow in this case: Port 587 smtpd -> separate cleanup instance
-> separate amavisd-new instance (port 10026) -> internal delivery queue
(port 10025)
Normal messages: port 25 smtpd -> standard cleanup -> amavisd-new (port
10024) -> internal delivery queue (port 10025)
relevant master.cf bits (using port 20000 instead of 587 for testing
right now, so the submission port is unaffected by tests):
20000 inet n - n - - smtpd
    -o cleanup_service_name=cleanup_submission
    -o smtpd_proxy_filter=127.0.0.1:10026
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_etrn_restrictions=reject
    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
cleanup_submission unix n - n - 0 cleanup
    -o header_checks=pcre:/etc/postfix/received_mask
received_mask:
/^Received: from (.*)(\(using TLS.*)by mail\.astro\.princeton\.edu \(Postfix\) (.*)/ REPLACE X-Submitted: to mail.astro.princeton.edu $2 $3
Example header:
Received: from xanadu.astro.princeton.edu (xanadu.astro.Princeton.EDU
    [128.112.24.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
    bits)) (No client certificate requested) (Authenticated sender: huston)
    by mail.astro.princeton.edu (Postfix) with ESMTP for
    <huston srhuston.net>; Thu, 9 Sep 2010 12:37:31 -0400 (EDT)
1: The idea, if the header is written too late for what I want to do, is
to split off a new "internal queue"; have the submission-only-amavisd
instance pass to port 10027 or whatever, and run the header_check there.
Would still limit the check and rewrites to only mails that come in via
AUTH'd users, which is the end goal.
--
Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences
Princeton University | ICBM Address: 40.346525 -74.651285
206 Peyton Hall |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
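
An offline check of the received_mask rule against the example header, added here as an illustration and not part of the original message. It emulates the pcre_table(5) defaults (case-insensitive, "." matches newline) in Python; the fold points of the sample header, the recipient placeholder and the second (non-TLS) header are constructed assumptions.

```python
import re

# Pattern and replacement text as posted in received_mask (one logical line).
PATTERN = (r"^Received: from (.*)(\(using TLS.*)by mail\.astro\.princeton\.edu "
           r"\(Postfix\) (.*)")
REPLACEMENT = "X-Submitted: to mail.astro.princeton.edu $2 $3"

# pcre_table(5) defaults: case-insensitive matching, dot matches newline.
FLAGS = re.IGNORECASE | re.DOTALL

# Example header from the post; fold points and recipient are constructed.
SAMPLE = (
    "Received: from xanadu.astro.princeton.edu "
    "(xanadu.astro.Princeton.EDU [128.112.24.13])\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\t(Authenticated sender: huston)\n"
    "\tby mail.astro.princeton.edu (Postfix) with ESMTP\n"
    "\tfor <user@example.net>; Thu, 9 Sep 2010 12:37:31 -0400 (EDT)"
)

# Constructed header for mail that did not arrive over TLS with SMTP AUTH.
PLAIN = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mail.astro.princeton.edu (Postfix) with ESMTP\n"
    "\tfor <user@example.net>; Thu, 9 Sep 2010 12:40:00 -0400 (EDT)"
)


def expand(template, match):
    """Expand Postfix-style $n / ${n} references using the match groups."""
    def group(ref):
        return match.group(int(ref.group(1) or ref.group(2))) or ""
    return re.sub(r"\$(?:\{(\d+)\}|(\d+))", group, template)


def header_check(header):
    """Return the REPLACE result, or None when the rule does not fire."""
    m = re.search(PATTERN, header, FLAGS)
    return expand(REPLACEMENT, m) if m else None


if __name__ == "__main__":
    print(header_check(SAMPLE))   # rewritten header, client host and IP gone
    print(header_check(PLAIN))    # None: rule leaves this header alone
```

The pattern matches the folded header and drops the client hostname and address while keeping the TLS and authenticated-sender annotations, so the expression itself is consistent with the header shown.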