I'm experimenting with setting up & using various milters in my inbound processing.

Atm, I have an internal postfix instance that receives mail from a pre-Q instance of amavisd, which then submits the mail to a chain of milters, then subsequently passes it onto a post-Q amavisd instance for further processing.

In effect,

    (postscreen) -> (postfix internal smtpd) -> (amavisd preQ) -> (milters)

That 'milters' instance has a config of

    ...
    [127.0.0.1]:10010 inet n - n - - smtpd
        -o smtpd_banner=localhost.10010
        -o syslog_name=postfix/in-preQ
        -o milter_protocol=6
        -o smtpd_milters=unix:/var/run/clamav/clamav-milter.socket,unix:/var/run/auth-milter/auth-milter.sock,unix:/var/run/milter-regex/milter-regex.sock
        -o content_filter=amavisfeed:[127.0.0.1]:20010
        -o mynetworks=127.0.0.0/8
    ...

Mail flows as I intend, and gets delivered.

The 'auth-milter' authenticates SPF, DKIM, DMARC & ARC, and generates a unified header. Atm, it's not returning an SPF result.

Speaking with the milter author, he comments

    "The issue is that postfix can't pass the correct IP to the milter when it is not the instance which accepted the original connection. I don't think there is an easy fix for this given the current architecture."

and that one option is to

    "Move the milter calls to authentication_milter to the instance of postfix which accepts the original connection."

I'm unfamiliar with the passing of 'real-IP' information through milters. *IS* there an "x-forward" or equivalent that preserves this?

I've (re)read

    Postfix before-queue Milter support
    http://www.postfix.org/MILTER_README.html

and if that's telling me how to deal with this, I'm missing it.