Viktor and Wietse thanks a lot you brought me to the right direction. Enabling the setting allowed the header checks on bounces, although the FILTER did not work first. But it brought be to the idea to simply dump the headers found in the bounce by
/^([^:]+:)(.*)$/ WARN found $1 $2 and then I realized that there are a lot of headers in the bounce but Message-ID was not among them (although the bounce in the inbox of the recipient clearly shows the expected message id). I saw that the dedicated hostname that I defined in the special cleanup/bounce service in master.cf though was part of the Content-Type Header that the header_checks can see Content-Type: multipart/report; report-type=delivery- status;??boundary="4cCQGp3lDgz1vSQ.1756394786/[REDACTED] so the solution was to change the header_checks to go after the Content-Type for the FILTER /^Content-Type: .*\/[REDACTED]/ FILTER smtp:[our.bouncer.tld]:25 and tada to=<PRIVACY>, relay=REDACTED[10.20.50.14]:25, delay=0.21, delays=0.01/0.11/0.05/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4cCQGq0258z1vSG) so with that the local generated bounce is indeed routed according to FILTER in header_checks and not the transport_maps Just wonder: why is the Message-ID header not seen by header_checks on the bounce? But anyway it works. Thanks a lot again and have a good one tobi On Thu, 2025-08-28 at 11:07 -0400, Wietse Venema via Postfix-users wrote: > Tobi via Postfix-users: > > Hi Wietse > > > > thanks for your appreciated input. Maybe I did not strike out > > enough > > that is mainly related to bounces generated locally by the system. > > So > > not about incoming bounces but locally generated. Based on your > > input I > > tried the following: > > > > First defined a dedicated bounce and cleanup service > > > > > > bounce unix - - y - 0 bounce > > -o myhostname=[REDACTED] > > -o cleanup_service_name=bounce-cleanup > > bounce-cleanup unix n - - - 0 cleanup > > -o myhostname=[REDACTED] > > > > the idea was to have a dedicated hostname that will be used after @ > > in > > message-id when the local bounce is generated. So a local bounce > > could > > be distinguished from "normal" bounces. And this works, I can see > > that > > the domain part of the Message-ID in the bounce is [REDACTED] > > > > Then added a header_checks on top of the file > > > > /^Message-ID: <.+@[REDACTED]>$/ FILTER > > smtp:[our.bouncer.tld]:25 > > > > so the rule should only match if the bounce was generated locally. > > But > > seems that header_checks are not executed for local generated > > bounces. > > Even when I add -o header_checks=pcre:/path/to/file to the custom > > bounce-cleanup above, the bounce was always routed according to > > transport_maps and not through the FILTER from header_checks. > > Because header/body_checks can reject text in a message, Postfix > by default does not inspect bounces, because it could reject its own > bounces and that would not be useful. Or stuff could loop. > > If you think that is not a problem then you can change the Postfx > internal filter settings. This setting needs to be used by the bounce > daemon. Setting this for the bounce-cleanup daemin is too late. > > https://www.postfix.org/postconf.5.html#internal_mail_filter_classes > > > As this did not work out I tried with a content_filter approach, > > but > > even with a very simple testscript I always got > > > > > Aug 28 15:57:46 prv-deliver postfix/pipe[2751934]: fatal: service > > bounce-router requires privileged operation > > The pipe daemon will NEVER run commands as 'root' or '$mail_owner'. > > > Is there a possibility at all to route local generated bounces on > > postfix not according to the transport_maps? > > That is what FILTER is for. > > Wietse > _______________________________________________ > Postfix-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
