Dan Mahoney:
> 
> 
> > On Oct 8, 2022, at 12:59, Wietse Venema <wie...@porcupine.org> wrote:
> > 
> > Dan Mahoney:
> >> Hey there all,
> >> 
> >> We have a couple of recipient canonical maps that do things like
> >> transform firstname_lastname into username (i.e. dan_mahoney -->
> >> dmahoney), also handle things like mapping people's former names
> >> into current names.
> >> 
> >> This is useful where a user wants to have one canonical spamassassin
> >> settings folder, WHICH SPAMASS-MILTER GETS BY LOOKING AT THE LEFT
> >> HAND SIDE OF THE ADDRESS.  So we clearly want spamass-milter to
> >> run after this rewriting happens.
> > 
> > [sorry for shouting, I capitalized some text that is problematic.]
> > 
> > The system described in the capitalized text should not rely on the
> > message HEADER to determine who an email message is for. 
> > 
> > For example, this message is sent to your email address, but you
> > are not in any recipient header. You are in the envelope.
> > 
> > A proper spam filter looks at the ENVELOPE recipient address to
> > determine who an email message is for.
> > 
> > Canonicalizing the envelope recipient before the DKIM check would
> > not cause the DKIM check to fail, because DKIM looks at message
> > content. It also does affect SPF, because SPF looks at where mail

Damn. It does NOT affect SPF. Sorry for dropping a word.

> > comes from, not recipients.
> > 
> > There is no problem with canonical mapping before DKIM check, as
> > long as the mapping is limited to the envelope. And it is perfectly
> > legitimate to use virtual_alias_maps for that.
> > 
> > It took a few iterations before I think I hit the root problem.
> 
> Sorry, I think we've not solved this yet.
> 
> Here I've sent an email to dan_maho...@foo.org, which gets mapped
> to dmaho...@foo.org, and postfix rewrites this because of canonical
> recipient headers.  This is also where it does the spam check.

DO canonicalize LOCAL addresses in headers before DKIM signing,
while receiving mail from users in your domain.

DO NOT canonicalize ANY address in headers while receiving mail 
from other organizations. That way you won't break DKIM signatures.

Postfix uses local_header_rewrite_clients to distinguish between
the two cases above. 

This strategy needs some help with submission/smtps clients,
but it is too late in the day to get into that now.

        Wietse
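
Added example (not part of the original thread, and not Postfix code): a Python model of why rewriting only the envelope recipient leaves a DKIM signature intact while rewriting header addresses breaks it. The addresses, the map and the function names are constructed for illustration, and the digest stands in for the full DKIM signature check.

```python
import hashlib
import re

# Constructed canonical map, modelled on the dan_mahoney --> dmahoney case.
CANONICAL = {"dan_mahoney@example.org": "dmahoney@example.org"}

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_digest(headers, signed=("from", "to", "subject")):
    """SHA-256 over the canonicalized header fields listed in the h= tag."""
    # Simplification (assumption): real DKIM also hashes the DKIM-Signature
    # field itself and verifies a public-key signature over this digest.
    h = hashlib.sha256()
    for wanted in signed:
        for name, value in headers:
            if name.lower() == wanted:
                h.update(relaxed_header(name, value).encode())
    return h.hexdigest()

def canonicalize_envelope(rcpt):
    """Rewrite only the envelope recipient (RCPT TO); headers are untouched."""
    return CANONICAL.get(rcpt.lower(), rcpt)

def canonicalize_headers(headers):
    """Rewrite recipient addresses inside the To/Cc header fields as well."""
    out = []
    for name, value in headers:
        if name.lower() in ("to", "cc"):
            for old, new in CANONICAL.items():
                value = value.replace(old, new)
        out.append((name, value))
    return out

# Constructed inbound message from another organization.
ENVELOPE_RCPT = "dan_mahoney@example.org"
HEADERS = [
    ("From", "Sender <sender@example.net>"),
    ("To", "Dan Mahoney  <dan_mahoney@example.org>"),
    ("Subject", "hello"),
]
SIGNED_AT_ORIGIN = signed_header_digest(HEADERS)

if __name__ == "__main__":
    print("envelope now:", canonicalize_envelope(ENVELOPE_RCPT))
    print("digest after header rewrite matches:",
          signed_header_digest(canonicalize_headers(HEADERS)) == SIGNED_AT_ORIGIN)
```

The envelope recipient never enters the digest, so canonicalizing it cannot affect verification; the rewritten `To` field does, which is the case the second "DO NOT" rule above avoids.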
