On Tue, Sep 10, 2024 at 01:44:39PM +0200, Anton Hofland via Postfix-users wrote:
> I have this milter that sits on a server which is not directly
> connected to the internet. Instead there is an internet facing firewall
> mail server in front of it which has all the usual defences. There are
> many reasons for this, some of which are just my preferences.
>
> Anyway, I use the XFORWARD capability of Postfix to pass the original
> client address and other bits from the firewall mail server to the
> server with the milter. This server also has content filters and
> XFORWARD works well with those. However, the milter does not which is
> mostly the fault of the milter. It appears to use "i", "j" and
> "{auth_authen}".
>
> Question: If I were to enhance this milter so that it asks for
> "{client_addr}", would it be provided with the orig_client_addr
> (XFORWARD) or would it be provided with the ip address used by the
> firewall server to deliver the mail from the firewall to the internal
> server? I have the impression from the documentation that it is the
> latter.
Your impression is correct. XFORWARD is primarily for logging, access
decisions are still based on the immediate client IP.
The milter can (with care) examine the topmost Received header to find
the upstream client IP.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
