On 13/10/2022 8:04 am, Geert Hendrickx wrote:
> The HISTORY file says it is:
>
>     20041014-23
>
>     Postfix still appends $@myorigin or .$mydomain to headers
>     from the Postfix sendmail command, or from clients listed
>     with the new local_header_rewrite_clients parameter (default:
>     permit_mynetworks, permit_sasl_authenticated).
>
> although the actual default is (and always has been?) permit_inet_interfaces.
>
> "permit_mynetworks" has the (documented) drawback that remote mail forwarded
> by a neighbouring system can still be rewritten (and thus break signatures).
>
> My personal preference is permit_inet_interfaces, permit_sasl_authenticated,
> neither of these should cause false positives.

I agree that the default option value /shouldn't/ include
"permit_mynetworks", for the exact reason described above.

But IMHO the 'cleaner' solution is to leave the default option value as
it is ("permit_inet_interfaces"), and instead explicitly configure the
submission (and submissions) services with "-o
local_header_rewrite_clients=static:all" to treat all /submission/
connections as local_header_rewrite_clients?

Doing it this way makes it explicit (easier to comprehend intent),
rather than having to deduce the behaviour based on the inference that
submission (and submissions) use SASL authentication, whereas smtp doesn't?

I guess there were two underlying questions I was trying to ask:

1. Whether it is possible to update the source code to include "-o
   local_header_rewrite_clients=static:all" in master.cf for
   "submission" and "submissions" services only? (NB: No change to
   "smtp" service.)
2. And are there any other missing options that should be set? E.g. I
   see the option "always_add_missing_headers" but it seems to work
   fine without adding this, and besides this appears to be a cleanup
   option rather than smtpd option?

Thanks,
Nick.
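
The per-service override discussed in the message above can be checked mechanically. The following is an added example, not part of the original message and not Postfix's own tooling: a small Python audit that reads master.cf text, joins continuation lines, and reports which smtpd services carry a `-o local_header_rewrite_clients=...` override. The sample master.cf is constructed, the function names are hypothetical, and only the plain `-o name=value` form is handled.

```python
# Constructed sample master.cf (not from the original post): "submission"
# carries the override, "submissions" does not, "smtp" is left untouched.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o local_header_rewrite_clients=static:all
submissions inet n      -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""


def logical_lines(text):
    """Drop comments/blank lines and join lines that start with whitespace
    onto the preceding logical line, as master.cf continuation works."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def smtpd_overrides(text, param="local_header_rewrite_clients"):
    """Map each smtpd service name to its '-o param=value' value, or None
    when the service has no override and so inherits the main.cf setting."""
    result = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        value, args = None, fields[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and args[i + 1].startswith(param + "="):
                value = args[i + 1].split("=", 1)[1]
        result[fields[0]] = value
    return result


def missing_override(text, services=("submission", "submissions")):
    """Return the listed services that are defined but lack the override."""
    found = smtpd_overrides(text)
    return [s for s in services if s in found and found[s] is None]


if __name__ == "__main__":
    for name, value in smtpd_overrides(SAMPLE_MASTER_CF).items():
        print(f"{name}: {value or '(inherits main.cf)'}")
```
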