On 3/23/2015 1:20 PM, Sebastian Nielsen wrote:
> How can I in postfix add a header with the original client IP (like
> “X-Original-IP”), such as, it cannot be forged, eg any incoming mail
> will have such headers stripped out, before Postfix adds its own.
>
> The intention of this header is to use it at a later processing step
> for separating phishing mail from legit mail (using SPF), but the
> check must be done after a heavy processing step for technical
> reasons, thus I have to “save” the client IP in the header, then
> process the mail through the heavy step, and then use the client IP
> in authentication. For this reason, any such headers must be
> stripped off first, so a fraudulent user cannot add one or more of
> such a header to “forge” the SPF check.
>
> Or is there some way in a milter/macro to “read” off the XFORWARD
> ip? Im currently using {client_addr} but is there any other macro
> that would “display” the XFORWARD ip?
> I saw a other suggestion to use XCLIENT, but postfix smtp doesnt
> support XCLIENT in client mode.
The client IP is already in the top-most Received: header added by
postfix. Any header below that may be forged, but the top-most
Received: header is added by your system and cannot be forged.
If you want to add some extra header with that same IP, you'll need
to use a policy service with the PREPEND action.
http://www.postfix.org/SMTPD_POLICY_README.html
-- Noel Jones
