On 2022-04-08 16:22, Wietse Venema wrote:
> Jesper Dybdal:
>> I run Amavis as a before-queue filter, and opendmarc in the after-Amavis
>> smtpd instance.
>
> Why not use Amavis as a before-queue MILTER? Then there is no need
> to propagate remote SMTP client info through non-Postfix programs.

That might well be a good idea. I'll need to study the documentation
carefully before I experiment with such a change.

> Postfix supports XFORWARD for logging which requires a low level
> of trust, because information from XFORWARD has no effect on SMTP
> server policies. XFORWARD could be used to integrate with a remote
> provider that sends you cleaned email.
>
> XCLIENT is for impersonation, which requires a high level of trust
> because information from XFORWARD will affect SMTP server policies.
>
> So we should not mix up XFORWARD with XCLIENT.

As I obviously did - I had forgotten that there are two variants with
that important difference.

> Does it make sense to send XCLIENT into a content filter? It would
> not be difficult to add, but all filters of interest have a MILTER
> API nowadays, so people can use that instead.

And in addition, for my setup, Amavis would also have to forward XCLIENT
to the after-amavis smtpd - I don't know if it would do that.

I think I'll manage with what I have until I have the time to understand
and set up an amavis-milter solution.

Are smtpd_recipient_restrictions, particularly policy services,
evaluated before milters, so that I could use policyd_spf to check SPF,
and have amavis and opendmarc milters in that same smtpd instance - so
the milters could use the Authentication-Results header from policyd_spf
and opendmarc could use the one from amavis' DKIM check? (I have a
feeling that this is a stupid question with an obvious answer, but if
so, the answer eludes me right now.) Alternatively, I'll just have to
use a milter SPF checker.
Thanks to Wietse and Benny for the responses.
--
Jesper Dybdal
https://www.dybdal.dk
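
The trust distinction drawn in the thread above can be checked against a running configuration. The following is an added example, not part of the original message or of Postfix: it reads `postconf -n` style output and reports which hosts are authorized for XFORWARD and for XCLIENT through Postfix's `smtpd_authorized_xforward_hosts` and `smtpd_authorized_xclient_hosts` parameters. It assumes the content filter runs on the same host, so every entry wider than a single loopback address is reported for review; the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample in `postconf -n` style; the values are illustrative only.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8 192.0.2.0/24
smtpd_authorized_xforward_hosts = 127.0.0.1, 192.0.2.0/24
smtpd_authorized_xclient_hosts = 127.0.0.1, 192.0.2.0/24, filter.example.net
"""

# Trust level each command needs, per the distinction drawn in the thread.
TRUST = {
    "smtpd_authorized_xforward_hosts": "low (logging only)",
    "smtpd_authorized_xclient_hosts": "high (affects SMTP server policies)",
}

def parse(text):
    """Return {parameter: [patterns]} from 'name = value' lines."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return conf

def is_single_loopback(pattern):
    """True only for one loopback address, e.g. 127.0.0.1 or [::1]."""
    try:
        bare = pattern.replace("[", "").replace("]", "")  # Postfix IPv6 brackets
        net = ipaddress.ip_network(bare, strict=False)
    except ValueError:
        return False  # hostname, $variable or table lookup: not provably local
    return net.num_addresses == 1 and net.is_loopback

def audit(text):
    """List (parameter, pattern, trust) for entries wider than one loopback host."""
    conf = parse(text)
    return [(param, pattern, trust)
            for param, trust in TRUST.items()
            for pattern in conf.get(param, [])
            if not is_single_loopback(pattern)]

def xclient_findings(text):
    """Only the entries that grant impersonation rights (assumed review priority)."""
    return [f for f in audit(text) if f[0] == "smtpd_authorized_xclient_hosts"]

if __name__ == "__main__":
    for param, pattern, trust in audit(SAMPLE_POSTCONF):
        print(f"{param}: {pattern!r} is wider than one loopback host; trust needed: {trust}")
```

In practice the input would be the saved output of `postconf -n`; per-service `-o` overrides in master.cf are not covered by this sketch.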