On Fri, Feb 12, 2021 at 12:06:02PM -0500, Matt Shields wrote:

> 1. Rewrite the FROM address in each message
>    a. host1.lan has a process that sets the FROM as t...@mycompany.com, this
>       is okay to let relay
>    b. host2.lan has a script that sends as r...@host2.lan, rewrite FROM as
>       sysad...@mycompany.com

Rewriting the headers of outbound messages received via SMTP should if
at all possible be done on those very same machines, but if for some
reason that is not possible, then something along the lines of:

    http://www.postfix.org/postconf.5.html#local_header_rewrite_clients
    http://www.postfix.org/postconf.5.html#canonical_maps

    local_header_rewrite_clients = permit_mynetworks
    canonical_maps = inline:{ {r...@host2.lan = sysad...@example.com} }

Do not tinker with canonical_classes, sender_canonical_maps, or
recipient_canonical_maps, these are for very unusual situations, and it
is almost always a mistake to not apply the same mapping to *all*
addresses.

There is just one exception to the above, if you want to leave the
envelope recipient unmodified in order to deliver to the right internal
address, you can leave "envelope_recipient" out of canonical_classes:

    #canonical_classes =
    #   envelope_sender, envelope_recipient, header_sender, header_recipient
    canonical_classes =
        envelope_sender, header_sender, header_recipient

You can of course use some other table type other than "inline", if the
rewrites to be done are not just a static handful.

>    c. For any host not defined, change the FROM address to
>       nore...@mycompany.com

A wildcard rewrite like that is generally quite fragile, it can easily
apply to the wrong sort of mail, e.g. to bounce messages, inbound mail
from outside, ... This requires care. Is there a dedicated "submission
only" SMTP port on this relay? I'd not want to configure such a rewrite
on port 25.

Furthermore, when you start rewriting just the "From:" address you're
now in a "state of sin". What if the message has a "Cc:" address, for
purposes of "Reply-All" a "Cc:" address is, like "From:", just another
address to reply to. What if the message has a "Resent-From:" header,
should the "From:" still be rewritten? ...

That sort of rewriting very much needs to happen at the point of origin.
It is not impossible to do with Postfix, but it is difficult to do right
in all cases.

> 2. Rewrite the TO address
>    a. host4.lan strip all TO addresses that do not match @mycompany.com. On
>       some systems (dev/qa) we do not want to send emails to clients.

The message headers have nothing to do with where mail is delivered.
Use smtpd_recipient_restrictions and smtpd_relay_restrictions to control
which machines can relay outbound email.

--
    Viktor.
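
One way to apply the closing advice to the dev/qa host, as an added example that is not part of the original message: a restriction class that rejects (rather than strips) every envelope recipient outside mycompany.com for one client. It assumes Postfix 2.10 or later with the default smtpd_relay_restrictions; the class name, the table paths and the client address are hypothetical.

```conf
# /etc/postfix/main.cf
smtpd_restriction_classes = internal_only

# Clients mapped to this class may send only to recipients found in the
# table; any other RCPT TO is rejected at SMTP time.
internal_only =
    check_recipient_access hash:/etc/postfix/internal_domains, reject

# Evaluated for every RCPT TO. The relay decision itself stays in
# smtpd_relay_restrictions (left at its default), so the OK returned by
# the class only ends this list and does not grant relay access.
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/restricted_clients

# /etc/postfix/restricted_clients
# (run "postmap /etc/postfix/restricted_clients" after editing)
# 192.0.2.44 is a constructed address standing in for host4.lan;
# matching on the IP avoids depending on reverse DNS.
192.0.2.44      internal_only

# /etc/postfix/internal_domains
# (run "postmap /etc/postfix/internal_domains" after editing)
mycompany.com   OK
```

Clients not listed in restricted_clients fall through this list unchanged, so their mail is still governed only by smtpd_relay_restrictions.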