Hi,
Thanks for the replies. Before I wrote my question I had tried this ('canonical_classes' was the default):

sender_canonical_maps = regexp:/etc/postfix/custom_rewrite_sender

/etc/postfix/custom_rewrite_sender:
/^(.*)@originalsender.fqdn$/ ${1}@masqueraded.fqdn

It worked but broke DKIM. This is an example log; the sender was @originalsender.fqdn and was masqueraded to @masqueraded.fqdn:

1. 07:39:15.377412+00:00 MAILSERVER postfix/smtpd[784439]: 4N3XZC2gS4z2x98: client=CLIENTHOSTNAME[CLIENTIP]
2. 07:39:15.382102+00:00 MAILSERVER postfix/cleanup[784441]: 4N3XZC2gS4z2x98: info: header FooHeader: foo from CLIENTHOSTNAME[CLIENTIP]; from=<t...@masqueraded.fqdn> to=<test@recipient> proto=SMTP helo=<CLIENTHOSTNAME>
3. 07:39:15.382404+00:00 MAILSERVER postfix/cleanup[784441]: 4N3XZC2gS4z2x98: info: header From: t...@originalsender.fqdn from CLIENTHOSTNAME[CLIENTIP]; from=<t...@masqueraded.fqdn> to=<test@recipient> proto=SMTP helo=<CLIENTHOSTNAME>
4. 07:39:15.382667+00:00 MAILSERVER postfix/cleanup[784441]: 4N3XZC2gS4z2x98: info: header To: test@recipient from CLIENTHOSTNAME[CLIENTIP]; from=<t...@masqueraded.fqdn> to=<test@recipient> proto=SMTP helo=<CLIENTHOSTNAME>
5. 07:39:15.382860+00:00 MAILSERVER postfix/cleanup[784441]: 4N3XZC2gS4z2x98: info: header Subject: test from CLIENTHOSTNAME[CLIENTIP]; from=<t...@masqueraded.fqdn> to=<test@recipient> proto=SMTP helo=<CLIENTHOSTNAME>
6. 07:39:15.393667+00:00 MAILSERVER opendkim[121023]: 4N3XZC2gS4z2x98: DKIM-Signature field added (s=dkimselector, d=originalsender.fqdn)
7. 07:39:15.437810+00:00 MAILSERVER postfix/qmgr[784434]: 4N3XZC2gS4z2x98: from=<t...@masqueraded.fqdn>, size=431, nrcpt=1 (queue active)

In line #2 there is already the masqueraded sender, then the original can be seen in #3, then the DKIM happens for the original in #6.

This morning we tested it again but added

header_checks = regexp:/etc/postfix/custom_rewrite

and removed 'sender_canonical_maps'.
/etc/postfix/custom_rewrite:
/^(.*)@originalsender.fqdn$/ REPLACE ${1}@masqueraded.fqdn

And the masquerading worked and the DKIM is good. Now I'm confused.

------- Original Message -------
On Friday, November 4th, 2022 at 00:55, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Thu, Nov 03, 2022 at 07:42:17PM -0400, Wietse Venema wrote:
>
> > > I don't recall whether milter message content processing happens before
> > > or after canonical rewriting, Wietse might post a reminder. If milters
> > > go first, you'll need to do DKIM signing after the message first goes
> > > through a null content filter (directly back into Postfix on a different
> > > port, with nothing in the middle), with milters only on the far side and
> > > the canonical rewrites on the near side.
> >
> > Postfix rewrites headers and envelopes before storing the message
> > in a queue file. Then, Milters can make changes, where each Milter
> > sees the result of changes made by its predecessor.
>
> [ I should have known this, or figured it out as the only sensible
> design choice, but chose to punt. ]
>
> Thanks, this makes the OP's job rather simpler, just use $canonical_maps
> with "envelope_recipient" excluded from $canonical_classes, making use
> of wildcard rewrites fairly harmless (unless also using something more
> exotic like reject_unlisted_sender).
>
> --
> Viktor.
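
The by-eye comparison of the opendkim and qmgr log lines in the message above can be scripted. This is an added example, not part of the original thread: it pairs opendkim and qmgr entries by queue ID and reports messages whose DKIM d= domain differs from the queued envelope sender domain. The sample lines are constructed in the log format shown above; the local part "alice" and the second queue ID are made up.

```python
import re

# Constructed sample in the log format shown above. The local part "alice"
# and the second queue ID are made up for this example.
SAMPLE_LOG = """\
07:39:15.377412+00:00 MAILSERVER postfix/smtpd[784439]: 4N3XZC2gS4z2x98: client=CLIENTHOSTNAME[CLIENTIP]
07:39:15.393667+00:00 MAILSERVER opendkim[121023]: 4N3XZC2gS4z2x98: DKIM-Signature field added (s=dkimselector, d=originalsender.fqdn)
07:39:15.437810+00:00 MAILSERVER postfix/qmgr[784434]: 4N3XZC2gS4z2x98: from=<alice@masqueraded.fqdn>, size=431, nrcpt=1 (queue active)
08:02:41.120034+00:00 MAILSERVER opendkim[121023]: 4N3Y5F1kQ7z2x9B: DKIM-Signature field added (s=dkimselector, d=masqueraded.fqdn)
08:02:41.163377+00:00 MAILSERVER postfix/qmgr[784434]: 4N3Y5F1kQ7z2x9B: from=<alice@masqueraded.fqdn>, size=433, nrcpt=1 (queue active)
"""

# <time> <host> <program>[pid]: <queue id>: <message>
LINE = re.compile(
    r"^\S+ \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$")
DKIM = re.compile(r"DKIM-Signature field added \(s=[^,]+, d=(?P<dom>[^)]+)\)")
ENV_FROM = re.compile(r"^from=<[^>@]*@(?P<dom>[^>]+)>")


def signing_mismatches(log_text):
    """Return {queue_id: (envelope_domain, [dkim_domains])} for messages
    where no DKIM signature was added for the envelope sender's domain."""
    envelope, signed = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        qid, msg = m["qid"], m["msg"]
        if m["prog"] == "opendkim":
            d = DKIM.search(msg)
            if d:
                signed.setdefault(qid, set()).add(d["dom"].lower())
        elif m["prog"] == "postfix/qmgr":
            f = ENV_FROM.match(msg)  # null sender from=<> has no domain
            if f:
                envelope[qid] = f["dom"].lower()
    return {q: (envelope[q], sorted(doms)) for q, doms in signed.items()
            if q in envelope and envelope[q] not in doms}


if __name__ == "__main__":
    for qid, (env, doms) in signing_mismatches(SAMPLE_LOG).items():
        print(f"{qid}: envelope sender {env}, signed as {', '.join(doms)}")
```

A reported mismatch shows only which domain the signer chose for that message; it does not by itself say the signature fails verification.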