> On Oct 8, 2022, at 18:57, Wietse Venema <wie...@porcupine.org> wrote:
>
> Wietse Venema:
>> Dan Mahoney:
>>>
>>>
>>>> On Oct 8, 2022, at 12:59, Wietse Venema <wie...@porcupine.org> wrote:
>>>>
>>>> Dan Mahoney:
>>>>> Hey there all,
>>>>>
>>>>> We have a couple of recipient canonical maps that do things like
>>>>> transform firstname_lastname into username (i.e. dan_mahoney -->
>>>>> dmahoney), also handle things like mapping people's former names
>>>>> into current names.
>>>>>
>>>>> This is useful where a user wants to have one canonical spamassassin
>>>>> settings folder, WHICH SPAMASS-MILTER GETS BY LOOKING AT THE LEFT
>>>>> HAND SIDE OF THE ADDRESS. So we clearly want spamass-milter to
>>>>> run after this rewriting happens.
>>>>
>>>> [sorry for shouting, I capitalized some text that is problematic.]
>>>>
>>>> The system described in the capitalized text should not rely on the
>>>> message HEADER to determine who an email message is for.
>>>>
>>>> For example, this message is sent to your email address, but you
>>>> are not in any recipient header. You are in the envelope.
>>>>
>>>> A proper spam filter looks at the ENVELOPE recipient address to
>>>> determine who an email message is for.
>>>>
>>>> Canonicalizing the envelope recipient before the DKIM check would
>>>> not cause the DKIM check to fail, because DKIM looks at message
>>>> content. It also does affect SPF, because SPF looks at where mail
>>
>> Damn. It does NOT affect SPF. Sorry for dropping a word.
>>
>>>> comes from, not recipients.
>>>>
>>>> There is no problem with canonical mapping before DKIM check, as
>>>> long as the mapping is limited to the envelope. And it is perfectly
>>>> legitimate to use virtual_alias_maps for that.
>>>>
>>>> It took a few iterations before I think I hit the root problem.
>>>
>>> Sorry, I think we've not solved this yet.
>>>
>>> Here I've sent an email to dan_maho...@foo.org, which gets mapped
>>> to dmaho...@foo.org, and postfix rewrites this because of canonical
>>> recipient headers. This is also where it does the spam check.
>
> The spam filter should not depend on recipient headers to figure
> out the recipient address. As I told you, this postfix-user message
> goes to your address, but you are not listed in the recipient
> headers. Instead the filter should rely on the envelope address.

It does. I was thrown off by this line in the manpage for spamass-milter:

    Note that spamass-milter does not know whether an email is
    incoming or outgoing, so a message from <us...@localdomain.com>
    to <us...@yahoo.com> will make spamass-milter pass -u user2 to
    spamc.

(The bit in the angle brackets made me assume it was a body check, rather than
something passed in by the milter API).

> DO canonicalize LOCAL addresses in headers before DKIM signing,
> while receiving mail from users in your domain.
>
> DO NOT canonicalize ANY address in headers while receiving mail
> from other organizations. That way you won't break DKIM signatures.
>
> Postfix uses local_header_rewrite_clients to distinguish between
> the two cases above.

Yes, as discovered, we were rewriting the headers on all messages, rather than
the default.

> This strategy needs some help with submission/smtps clients,
> but it is too late in the day to get into that now.

Indeed. Thanks for your help and feedback.

Best,
Dan
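
The rewriting scope discussed in this thread, written out as a main.cf fragment. This is an added example, not configuration posted by anyone in the thread; the map path is a placeholder, and `static:all` is only an assumption about how headers came to be rewritten for all clients.

```conf
# /etc/postfix/main.cf (constructed example; file paths are placeholders)

# --- Before: headers rewritten for mail from every client -------------
# Assumed cause of "rewriting the headers on all messages". Header
# addresses in mail from other organizations are rewritten, which breaks
# DKIM signatures on that mail.
#local_header_rewrite_clients = static:all
#recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

# --- After: header rewriting only for local clients -------------------
# Postfix default: only mail from clients on this host's own interfaces
# is treated as local for header rewriting.
local_header_rewrite_clients = permit_inet_interfaces

# Keep the firstname_lastname -> username mapping, but apply it to the
# envelope recipient only; the default classes also include
# header_recipient.
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
recipient_canonical_classes = envelope_recipient

# Alternative named in the thread: virtual_alias_maps rewrites envelope
# recipients only and never touches message headers.
#virtual_alias_maps = hash:/etc/postfix/virtual
```

Running `postconf -n` afterwards lists the settings that differ from the built-in defaults, which shows whether a non-default `local_header_rewrite_clients` is still in effect.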