how to correctly pass 'real-ip' to/through milters?


how to correctly pass 'real-ip' to/through milters?

pg151
I'm experimenting with setting up & using various milters in my inbound processing.

Atm, I have an internal postfix instance that receives mail from a pre-Q instance of amavisd, which then submits the mail to a chain of milters, then subsequently passes it onto a post-Q amavisd instance for further processing.

In effect,

        (postscreen) -> (postfix internal smtpd) -> (amavisd preQ) -> (milters)

That 'milters' instance has a config of

        ...

        [127.0.0.1]:10010 inet n        -        n        -        -       smtpd
          -o smtpd_banner=localhost.10010
          -o syslog_name=postfix/in-preQ
          -o milter_protocol=6
          -o smtpd_milters=unix:/var/run/clamav/clamav-milter.socket,unix:/var/run/auth-milter/auth-milter.sock,unix:/var/run/milter-regex/milter-regex.sock
          -o content_filter=amavisfeed:[127.0.0.1]:20010
          -o mynetworks=127.0.0.0/8
        ...

Mail flows as I intend, and gets delivered.

The 'auth-milter' authenticates SPF, DKIM, DMARC & ARC, and generates a unified header.

Atm, it's not returning an SPF result.

Speaking with the milter author, he comments

        "The issue is that postfix can't pass the correct IP to the milter when it is not the instance which accepted the original connection. I don't think there is an easy fix for this given the current architecture."

and that one option is to

        "Move the milter calls to authentication_milter to the instance of postfix which accepts the original connection."

I'm unfamiliar with the passing of 'real-IP' information through milters.  

*IS* there an "x-forward" or equivalent that preserves this?

I've (re)read

        Postfix before-queue Milter support
         http://www.postfix.org/MILTER_README.html

and if that's telling me how to deal with this, I'm missing it.




Re: how to correctly pass 'real-ip' to/through milters?

Matus UHLAR - fantomas
On 12.10.18 17:24, [hidden email] wrote:
>I'm experimenting with setting up & using various milters in my inbound
> processing.
>
>Atm, I have an internal postfix instance that receives mail from a pre-Q
> instance of amavisd, which then submits the mail to a chain of milters,
> then subsequently passes it onto a post-Q amavisd instance for further
> processing.

>In effect,
>
> (postscreen) -> (postfix internal smtpd) -> (amavisd preQ) -> (milters)

this is useless. milter is designed to be run directly at message
receiving, not during further processing.

>That 'milters' instance has a config of
> ...
>
> [127.0.0.1]:10010 inet n        -        n        -        -       smtpd
>  -o smtpd_banner=localhost.10010
>  -o syslog_name=postfix/in-preQ
>  -o milter_protocol=6
>  -o smtpd_milters=unix:/var/run/clamav/clamav-milter.socket,unix:/var/run/auth-milter/auth-milter.sock,unix:/var/run/milter-regex/milter-regex.sock
>  -o content_filter=amavisfeed:[127.0.0.1]:20010
>  -o mynetworks=127.0.0.0/8
> ...

move the milter to port 25.

>The 'auth-milter' authenticates SPF, DKIM, DMARC & ARC, and generates a unified header.
>
>Atm, it's not returning an SPF result.
>
>Speaking with the milter author, he comments
>
> "The issue is that postfix can't pass the correct IP to the milter
>        when it is not the instance which accepted the original connection.  I
>        don't think there is an easy fix for this given the current architecture."
>
>and that one option is to
>
> "Move the milter calls to authentication_milter to the instance of
>        postfix which accepts the original connection."
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

>I'm unfamiliar with the passing of 'real-IP' information through milters.

move the milter to port 25.

>*IS* there an "x-forward" or equivalent that preserves this?

no.

>I've (re)read
>
> Postfix before-queue Milter support
> http://www.postfix.org/MILTER_README.html
>
>and if that's telling me how to deal with this, I'm missing it.

It's just above. Move the milter to the port 25.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: how to correctly pass 'real-ip' to/through milters?

pg151
On 10/13/18 9:46 AM, Matus UHLAR - fantomas wrote:
> this is useless. milter is designed to be run directly at message
> receiving, not during further processing.

I've had a production system with a different set of milters in 'the same place' in Postfix config running for quite awhile:

 ...
 [127.0.0.1]:10010 inet n        -        n        -        -      smtpd
   -o smtpd_banner=localhost.10010
   -o syslog_name=postfix/in-preQ
   -o milter_protocol=6
   -o smtpd_milters=unix:/var/run/clamav/clamav-milter.socket,unix:/var/run/opendkim/opendkim.sock,/var/run/opendmarc/opendmarc.sock,unix:/var/run/milter-regex/milter-regex.sock
   -o content_filter=amavisfeed:[127.0.0.1]:20010
   -o mynetworks=127.0.0.0/8
   ...

it's been processing inbound dkim/dmarc for ages. as well as clamav scanning & milter-regex processing.

NONE of which, clearly, are "on port 25"

Can you clarify why/how that's been working vs. your comments that it's "useless" in that location, and must be moved to port 25?

Re: how to correctly pass 'real-ip' to/through milters?

Matus UHLAR - fantomas
>On 10/13/18 9:46 AM, Matus UHLAR - fantomas wrote:
>> this is useless. milter is designed to be run directly at message
>> receiving, not during further processing.

On 13.10.18 09:59, [hidden email] wrote:

>I've had a production system with a different set of milters in 'the same
> place' in Postfix config running for quite awhile:
>
> ...
> [127.0.0.1]:10010 inet n        -        n        -        -      smtpd
>   -o smtpd_banner=localhost.10010
>   -o syslog_name=postfix/in-preQ
>   -o milter_protocol=6
>   -o smtpd_milters=unix:/var/run/clamav/clamav-milter.socket,unix:/var/run/opendkim/opendkim.sock,/var/run/opendmarc/opendmarc.sock,unix:/var/run/milter-regex/milter-regex.sock
>   -o content_filter=amavisfeed:[127.0.0.1]:20010
>   -o mynetworks=127.0.0.0/8
>   ...
>
>it's been processing inbound dkim/dmarc for ages. as well as clamav
> scanning & milter-regex processing.
>
>NONE of which, clearly, are "on port 25"

That's why I say it's useless and that's also why the sending IP can't be
passed to milter - here, the sending IP is 127.0.0.1.

If you need to pass original IP to milter, you must use that milter when
receiving mail from client, on port 25 (or any other port you use when
receiving mail).

>Can you clarify why/how that's been working vs. your comments that it's
> "useless" in that location, and must be moved to port 25?

"useless" does not necessarily mean "not working". However, it does not work
for auth-milter as you mentioned and I am explaining why.

As I said, the point of milter is to be able to filter message at SMTP
level.

You seem to receive mail via another connection on another port and push it
further through port 10010 on localhost.
Either it is useless, or it makes milters useless.

Maybe you should explain why are you receiving mail in this strange way.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!

Re: how to correctly pass 'real-ip' to/through milters?

Wietse Venema
In reply to this post by pg151
The IP address is propagated to the Milter as part of the SMFIC_CONNECT
event.

Therefore, configure the Milter with the SMTPD process that talks  
to the IP address in question.

        Wietse
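To make Wietse's point (and Matus's "here, the sending IP is 127.0.0.1") concrete, here is an added example that is not part of the thread and is not code from Postfix or from any of the milters named above. It encodes and decodes the Milter protocol SMFIC_CONNECT packet, the one event that carries the client address, and shows that a milter hung off the [127.0.0.1]:10010 re-injection smtpd can only ever see 127.0.0.1 there, because that is the peer of the connection that smtpd accepted. The hostnames, ports and addresses in the two sample packets are constructed; the handling of a sendmail-style "IPv6:" prefix on the address string is an assumption, not something the thread states.

```python
"""Decoder for the Milter protocol SMFIC_CONNECT packet (added example).

Wire framing, as libmilter and Postfix speak it:
  4-byte big-endian length | 1-byte command | payload
SMFIC_CONNECT ('C') payload:
  hostname NUL family [port (2 bytes, network order) address NUL]
  family: '4' = IPv4, '6' = IPv6, 'L' = unix socket, 'U' = unknown
          (for 'U' no port/address follows)
"""
import ipaddress
import struct

SMFIC_CONNECT = b"C"


def build_connect(hostname, family, port=0, address=""):
    """Encode an SMFIC_CONNECT packet the way an MTA sends it to a milter."""
    payload = hostname.encode() + b"\0" + family.encode()
    if family != "U":
        payload += struct.pack("!H", port) + address.encode() + b"\0"
    body = SMFIC_CONNECT + payload
    return struct.pack("!I", len(body)) + body


def parse_connect(packet):
    """Decode an SMFIC_CONNECT packet into the fields a milter sees at connect time."""
    if len(packet) < 5:
        raise ValueError("short packet")
    (length,) = struct.unpack("!I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[:1] != SMFIC_CONNECT:
        raise ValueError("not SMFIC_CONNECT: %r" % body[:1])
    hostname, sep, rest = body[1:].partition(b"\0")
    if not sep or not rest:
        raise ValueError("missing hostname terminator or family byte")
    family = rest[:1].decode()
    info = {"hostname": hostname.decode(), "family": family,
            "port": None, "address": None}
    if family == "U":
        return info
    if len(rest) < 3:
        raise ValueError("missing port")
    (port,) = struct.unpack("!H", rest[1:3])
    address, sep, _ = rest[3:].partition(b"\0")
    if not sep:
        raise ValueError("missing address terminator")
    info["port"] = port
    info["address"] = address.decode()
    return info


def spf_client_ip(packet):
    """Return the connecting IP an SPF/DMARC check could evaluate, or None when
    the connect event only describes a loopback or socket hop (re-injected mail)."""
    info = parse_connect(packet)
    if info["family"] not in ("4", "6"):
        return None
    addr = info["address"]
    if addr.startswith("IPv6:"):   # assumption: tolerate a sendmail-style prefix
        addr = addr[5:]
    if ipaddress.ip_address(addr).is_loopback:
        return None
    return addr


# Constructed sample: what the smtpd that accepted the remote connection
# (port 25, behind postscreen) sends to a milter attached to it.
FROM_PORT_25 = build_connect("mail.example.org", "4", 43210, "203.0.113.7")

# Constructed sample: what the [127.0.0.1]:10010 smtpd sends after amavisd
# re-injects the message; the only peer it knows is the loopback address.
FROM_REINJECT = build_connect("localhost", "4", 51234, "127.0.0.1")

if __name__ == "__main__":
    for label, pkt in (("port 25 smtpd", FROM_PORT_25), ("10010 re-injection", FROM_REINJECT)):
        print(label, parse_connect(pkt), "SPF usable IP:", spf_client_ip(pkt))
```

The decoder is the check a practitioner can run against a captured milter socket stream: whatever address appears in the SMFIC_CONNECT of the instance you attached the milter to is all that milter will ever get, and there is no XFORWARD-style field anywhere else in the protocol to recover the original client. Hence the fix in the thread: attach auth-milter to the smtpd that talks to the remote client, and keep the content_filter hand-off to amavisd on that same instance.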