Hi Wietse!! Thanks a lot for your time. I answer below :)
I’m the same person behind [email protected].

> On 20 May 2021, at 20:02, Wietse Venema <[email protected]> wrote:
>
> Egoitz Aurrekoetxea:
>> Good afternoon,
>>
>> I have a Postfix machine that accepts outgoing mail when the MUA has
>> authenticated. Later I send that email to Amavis in order to get tagged or
>> signed (with DKIM and Altermime). When those mails come back from Amavis
>> (in the Postfix smtpd instance where Amavis-processed mail is delivered) I
>> would need to know which authenticated user has delivered the mail to
>> this mail machine, in order to be able to call a FILTER action from a
>> policy (in this Postfix smtpd instance for receiving mail processed by
>> Amavisd). The problem is that mail coming from Amavis does not auth, so in
>> the policy elements I don't have the sasl_username.
>>
>> Could I achieve in some manner to know the sasl authenticated user in the
>> smtpd instance for mail coming from Amavis? Could I perhaps, with some
>> policy element, try to later relate an incoming mail (where I see
>> sasl_username) with that same email in the instance that comes from Amavis,
>> to be able to know which FILTER action I should use?
>
> Indeed, a policy that replies with
>
>     PREPEND headername: headervalue
>
> would create a channel for this information to propagate through
> an external content filter. Of course the header can leak and
> should not contain secrets.

I see. This could be a solution because I could create a not known header which I could remove in the smtpd instance that comes from Amavis. And with that header I could select the needed FILTER. I was also thinking of some sort of policy parameter like instance, which you could use at different dialogue stages (rcpt, end-of-data...) for knowing you are receiving params of the same message. In this case, not for different stages but something similar, for different smtpd services of the same Postfix system.

Sometimes you need to use two FILTER actions for a mail, but obviously you can’t in the same smtpd service. The problem of using two smtpd instances is that in the second one, you lose info like sasl_user as a policy param (unless something like XCLIENT could be used between them).

>> I know there's a possibility of using smtpd sasl authenticated header but I
>> don't really trust in that way...
>
> Oh, because the client might provide a fake one?

Yep. We use dedicated IP addresses for each customer (just for providing a good service, of course not for allowing outgoing spam) and we do it with FILTER and the corresponding smtp client instance. So, we were using the SASL auth domain for routing each customer's mail properly. A standard header could be faked by a MUA or script... so for this purpose, a standard known header is not the best idea, I assume...

Thanks a lot for your time Wietse. I’ll check the possibility of using a custom header that is later removed.

Best regards,

>
>     Wietse
>
>> Any ideas? :)
>>
>> Best regards,
>>
>> --
>> Egoitz Aurrekoetxea
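
The PREPEND channel discussed in this thread, sketched as a policy delegation handler for the first (authenticating) smtpd instance. This is an added example, not code from either poster or from Postfix; the header name X-Example-Auth-User and the allowed-character pattern are assumptions.

```python
import re
import sys

# Hypothetical header name (assumption); pick one your MUAs never send.
HEADER = "X-Example-Auth-User"
# Accept only characters that are safe inside a single header line.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9._@+-]{1,128}")


def parse_request(block):
    """Turn one policy request (name=value lines) into a dict."""
    attrs = {}
    for line in block.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the policy action for one request."""
    login = attrs.get("sasl_username", "")
    if not login:
        return "DUNNO"  # unauthenticated client: add nothing
    if not SAFE_LOGIN.fullmatch(login):
        # Refuse rather than emit a login that could break the header line.
        return "DEFER login name not usable in header"
    return "PREPEND %s: %s" % (HEADER, login)


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests on stdin/stdout, as a spawn(8)-run policy daemon does."""
    lines = []
    for raw in stdin:
        line = raw.rstrip("\n")
        if line:
            lines.append(line)
            continue
        # An empty line ends the request; reply with action=... and an empty line.
        stdout.write("action=%s\n\n" % decide(parse_request("\n".join(lines))))
        stdout.flush()
        lines = []


if __name__ == "__main__":
    serve()
```

PREPEND has to be returned before the message content is received, so the check_policy_service call belongs in a restriction list no later than smtpd_data_restrictions. The value seen after Amavis is only as trustworthy as the guarantee that no client-supplied copy of the same header reaches the second instance.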
