Address rewriting guidance

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Address rewriting guidance

Matt Shields
Other than setting up a very basic Postfix server for sending out email, I'm new to the advanced rewriting capabilities.  I need to setup a server that let's me do the following.  I've already setup SMTP relaying through AWS SES and I've setup host based access list to make sure only certain internal hosts can send mail.  But I'm stuck on the address rewriting.  I'm looking for some config examples.

1. Rewrite the FROM address in each message
  a. host1.lan has a process that sets the FROM as [hidden email], this is okay to let relay
  b. host2.lan has a script that sends as [hidden email], rewrite FROM as [hidden email]
  c. For any host not defined, change the FROM address to [hidden email]
2. Rewrite the TO address
  a. host4.lan strip all TO addresses that do not match @mycompany.com.  On some systems (dev/qa) we do not want to send emails to clients.

Matt Shields
781-424-3531
Reply | Threaded
Open this post in threaded view
|

Re: Address rewriting guidance

Viktor Dukhovni
On Fri, Feb 12, 2021 at 12:06:02PM -0500, Matt Shields wrote:

> 1. Rewrite the FROM address in each message
>   a. host1.lan has a process that sets the FROM as [hidden email], this
>      is okay to let relay
>   b. host2.lan has a script that sends as [hidden email], rewrite FROM as
>      [hidden email]

Rewriting the headers of outbound messages received via SMTP should if
at all possible be done on those very same machines, but if for some
reason that is not possible, then something along the lines of:

    http://www.postfix.org/postconf.5.html#local_header_rewrite_clients
    http://www.postfix.org/postconf.5.html#canonical_maps

    local_header_rewrite_clients = permit_mynetworks
    canonical_maps = inline:{ {[hidden email] = [hidden email]} }

Do not tinker with canonical_classes, sender_canonical_maps, or
recipient_canonical_maps, these are for very unusual situations, and
it is almost always a mistake to not apply the same mapping to *all*
addresses.  There is just one exception to the above, if you want to
leave the envelope recipient unmodified in order to deliver to the
right internal address, you can leave "envelope_recipient" out of
canonical_classes:

    #canonical_classes =
    #    envelope_sender, envelope_recipient, header_sender, header_recipient
    canonical_classes =
        envelope_sender, header_sender, header_recipient

You can of course use some other table type other than "inline", if the
rewrites to be done are not just a static handful.

>   c. For any host not defined, change the FROM address to
>      [hidden email]

A wildcard rewrite like that is generally quite fragile, it can
easily apply to the wrong sort of mail, e.g. to bounce messages,
inbound mail from outside, ...  This requires care.  Is there
a dedicated "submission only" SMTP port on this relay?  I'd
not want to configure such a rewrite on port 25.

Furthermore, when you start rewriting just the "From:" address you're
now in a "state of sin".  What if the message has a "Cc:" address, for
purposes of "Reply-All" a "Cc:" address is, like "From:", just another
address to reply to.  What if the message has a "Resent-From:" header,
should the "From:" still be rewritten? ...

That sort of rewriting very much needs to happen at the point of origin.
It is not impossible to do with Postfix, but it is difficult to do right
in all cases.

> 2. Rewrite the TO address
>   a. host4.lan strip all TO addresses that do not match @mycompany.com.  On
>      some systems (dev/qa) we do not want to send emails to clients.

The message headers have nothing to do with where mail is delivered.
Use smtpd_recipient_restrictions and smtpd_relay_restrictions to control
which machines can relay outbound email.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Address rewriting guidance

Matt Shields


On Fri, Feb 12, 2021 at 12:54 PM Viktor Dukhovni <[hidden email]> wrote:
On Fri, Feb 12, 2021 at 12:06:02PM -0500, Matt Shields wrote:


I'll take a look at all the suggestions.  

For below, this is just an internal server(behind firewall) with no internet facing ports.  We use Office365 for corporate mail, and AWS SES for outbound mail from systems.  We're just looking for this server to be an intermediary so that we can make sure that what we're sending to AWS SES has proper addresses and comes through a single IP.  Also, this server is using host based access lists, so that the only way a server in our network sends out mail is through this server and is on the access list.  We also use it to keep an audit trail of messages being sent out.
 
>   c. For any host not defined, change the FROM address to
>      [hidden email]

A wildcard rewrite like that is generally quite fragile, it can
easily apply to the wrong sort of mail, e.g. to bounce messages,
inbound mail from outside, ...  This requires care.  Is there
a dedicated "submission only" SMTP port on this relay?  I'd
not want to configure such a rewrite on port 25.

Furthermore, when you start rewriting just the "From:" address you're
now in a "state of sin".  What if the message has a "Cc:" address, for
purposes of "Reply-All" a "Cc:" address is, like "From:", just another
address to reply to.  What if the message has a "Resent-From:" header,
should the "From:" still be rewritten? ...

That sort of rewriting very much needs to happen at the point of origin.
It is not impossible to do with Postfix, but it is difficult to do right
in all cases.


--
    Viktor.