Nick Tait:
> On 13/10/2022 8:04 am, Geert Hendrickx wrote:
> > "permit_mynetworks" has the (documented) drawback that remote mail forwarded
> > by a neighbouring system can still be rewritten (and thus break signatures).
> >
> > My personal preference is permit_inet_interfaces, permit_sasl_authenticated,
> > neither of these should cause false positives.
>
> I agree that the default option value /shouldn't/ include
> "permit_mynetworks", for the exact reason described above.
>
> But IMHO the 'cleaner' solution is to leave the default option value as
> it is ("permit_inet_interfaces"), and instead explicitly configure the
> submission (and submissions) services with "-o
> local_header_rewrite_clients=static:all" to treat all /submission/
> connections as local_header_rewrite_clients?
I agree. For the MUA submission(s)/smtps services, this is better
done in master.cf for the specific services, than in main.cf.
> Doing it this way makes it explicit (easier to comprehend intent),
> rather than having to deduce the behaviour based on the inference that
> submission (and submissions) use SASL authentication, whereas smtp doesn't?
>
> I guess there were two underlying questions I was trying to ask:
>
> 1. Whether it is possible to update the source code to include "-o
> local_header_rewrite_clients=static:all" in master.cf for
> "submission" and "submissions" services only? (NB: No change to
> "smtp" service.)
> 2. And are there any other missing options that should be set? E.g. I
> see the option "always_add_missing_headers" but it seems to work
> fine without adding this, and besides this appears to be a cleanup
> option rather than smtpd option?
Postfix (cleanup) adds headers
- When the SMTP daemon found a match with local_header_rewrite_clients.
This should be used selectively (i.e. for specific services or
address ranges). This is not documented and that should be fixed.
It just makes it easy to canonicalize all header information.
- When always_add_missing_headers=yes. This should not be used if
you want to preserve existing DKIM signatures.
A better name might be "local_header_canonicalize_clients" because
the ultimate goal was to canonicalize all header information from
specific clients. If there is a need to make this more specific,
then we could add a fine control for that.
The defaults would be:
# Default setting for when to canonicalize headers ("safe").
local_header_canonicalize_clients = permit_inet_interfaces
# Default setting for what how to canonicalize (historical behavior).
local_header_canonicalize_classes = rewrite_addresses, add_missing_headers
Wietse
