Home / server / Questions / 1098044
In Process
gertvdijk
Asked: 2022-04-08 05:03:25 +0800 CST

How to add a single header for any incoming mail with Postfix?

  • 772

I have Postfix running with a number of smtpd processes configured in master.cf like this:

# Internet facing one
1.2.3.4:25      inet  n       -       y       -       -       smtpd
  -o ...   # internet-only overrides

# Internal facing one
10.0.0.1:10026      inet  n       -       y       -       -       smtpd
  -o ...   # internal-only overrides

Now, I'd like to add a single header, with static name and value, to incoming mail depending on which smtpd it was received on.

Example:

X-Gert-Postfix-Received-From: the evil internet

My options considered:

  1. Add the header_checks option and use the PREPEND action in the file.

    Nearly there, but:

    • It requires to match an existing header and will then add one more on subsequent matches.
    • I don't always have a certain header present already, perhaps even a From is missing, for example.
    • In case you have existing header_checks, there's no easy way to stack two header_check files, I think.

  2. Build a custom app that uses the Milter protocol and hook that up to Postfix with smtpd_milters.

    Of course, this will work. I can inspect the mail in my own app, then inject the header there. Seems over-engineering for a simple task like adding a header. Additionally, it requires extra maintenance with the need to run another daemon app, quite some boilerplate code, etc.

  3. As suggested in a comment, use check_recipient_access (related Q).

    Same downsides as header_checks (see 1).

I feel like I'm missing something simple. Anyone got a better idea?

postfix milter

2 Answers

  1. In case you have existing header_checks, there's no easy way to stack two header_check files, I think.

    There actually is a way to have multiple independent header_checks files per daemon.

    each -o option in you master.cf overrides a default value or any postfix configuration parameter in main.cf. To have a different header_checks per daemon (say /etc/postfix/header_checks1 and /etc/postfix/header_checks2), you have to override each header_checks parameter:

    # Internet facing one
1.2.3.4:25      inet  n       -       y       -       -       smtpd
-o header_checks = regexp:/etc/postfix/header_checks1

# Internal facing one
10.0.0.1:10026      inet  n       -       y       -       -       smtpd
-o header_checks = regexp:/etc/postfix/header_checks2

    This way you will have completely independent header_checks files per smtpd daemon. From there you can add rules that PREPENDs the tag you were talking about.

    • 0

  2. To workaround the limitations of smtpd_*_restrictions:

    A message - even one with "null" sender - has exactly one envelope sender. So use check_sender_access instead of check_recipient_access. The used lookup type can be static: because we do not care about the specifics of the return path. Add it in your list of smtpd_sender_restrictions before any checks generating ACCEPT results (postfix would not query additional lookups beyond).

    # in main.cf
common_sender_restrictions =
  reject_non_fqdn_sender
  reject_unknown_sender_domain
  ..
internet_sender_restrictions =
  $common_sender_restrictions
  check_sender_access static:{PREPEND X-Gert-Postfix-Received-From: the evil internet}

# in master.cf
192.0.2.0:25        inet  n       -       y       -       -       smtpd
 -o smtpd_sender_restrictions=$internet_sender_restrictions
10.0.0.1:10026      inet  n       -       y       -       -       smtpd
 -o smtpd_sender_restrictions=$common_sender_restrictions
    • 0