[Dovecot] Dovecot LDA/LMTP vs postfix virtual delivery agent and the x-original-to header
Tanstaafl
tanstaafl at libertytrek.org
Fri Apr 12 19:17:22 EEST 2019
I'm resurrecting this again because I'm getting pretty close to possibly
being ready to install a brand new dovecot server (finally), but I still
need for dovecots LMTP to add the x-original-to header.
So... was this completed quietly, or is support for it still not there?
Thanks,
Charles
On Tue Apr 28 2015 15:27:07 GMT-0400 (Eastern Standard Time), Charles
Marcus <CMarcus at Media-Brokers.com> wrote:
> On 4/28/2015 1:40 PM, Tobias Franzén <lists.zxinn at otaking.se> wrote:
>> On 2014-01-08 14:32, Charles Marcus wrote:
>>> On 2012-04-09 8:53 AM, Timo Sirainen <tss at iki.fi> wrote:
>>>> On 9.4.2012, at 15.50, Charles Marcus wrote:
>>>>>> LMTP adds a new Delivered-To:<rcpt-to at address> header when there is
>>>>>> a single RCPT TO. You can force a single RCPT TO from Postfix side by
>>>>>> setting lmtp_destination_recipient_limit=1. LMTP doesn't
>>>>>> add/remove/change X-Original-To: header.
>>>>> Ok, thanks Timo... but...
>>>>>
>>>>> Are you saying that this 'Delivered-To:' header can somehow be
>>>>> leveraged to provide the same info as the x-original-to header?
>>>> I guess X-Original-To is the same address as what Postfix sees as the
>>>> original RCPT TO address before alias expansion and such? In that
>>>> case, see my today's mail in Postfix list..
>>> Hi Timo,
>>>
>>> I just tried to find your email from that day, but don't see it in the
>>> archives...
>>>
>>> Was this ever resolved (getting x-original-to support in LMTP, like it
>>> is for the LDA)?
>>>
>>> If not, since it seemed like it wasn't going to be much work, any
>>> chance you can revisit it soon?
>> Hello,
>>
>> I have tried to keep tabs on the various discussions going on related to
>> the X-Original-To header when using Dovecot LMTP. Until now I have not
>> needed a solution, but I am now finally about to migrate my old server.
>>
>> Old setup: Postfix + SpamAssassin (after-queue content filter via pipe)
>> + virtual transport, and Courier-IMAP.
>> New setup: Postfix + amavisd-new (after-queue content filter via smtp,
>> with ClamAV and SpamAssassin) + Dovecot LMTP, and Dovecot for IMAP.
>>
>> Charles, have you found a way that works for you?
>
> No, and I simply haven't switched to LMTP yet, for this and one other
> reason (political, not technical)...
>
> As for the rest below... wow... all I can say is, it sure would be nice
> if Timo/Wietse could just add the few lines of code that Timo said would
> be needed to properly support it natively.
>
>> I was experimenting some with my test server and came up with a way that
>> utilizes some additional internal smtp content filter forwarding, which
>> produces some overhead. It should be light compared with the load from
>> ClamAV and SpamAssassin, however.
>>
>> I'm not yet sure how amavisd-new funneling would handle multiple local
>> recipients with different settings without passing the mail through
>> multiple time, at least once per local user, let alone without first
>> performing address mapping in postfix (for alias expansion). I have
>> configured per-user SpamAssassin bayes filtering, and may introduce a
>> whitelist based on address book entries (Roundcube.)
>>
>>
>> This solution I'm currently testing will pass each message through
>> amavisd-new one time each per local and remote recipient, and will only
>> add the X-Original-To header to the specific local recipient each
>> envelope is intended for. No external users will receive the header, and
>> no local user will see which other local users (e.g. via BCC) have
>> potentially received the same message.
>>
>> Flow:
>> all mail in (both external and tls-authenticated internal) -> smtp (1)
>> -> smtp-split (2) -> smtp-to-me (3a) | smtp-to-external (3b) ->
>> smtp-amavis (4) -> dovecot-lmtp (5)
>>
>> 1) I rely on default_destination_recipient_limit=1 in main.cf to split
>> each incoming mail into one stream per recipient.
>> 2) smtp-split will receive one stream per recipient. Default
>> content_filter=smtp-to-me, followed by option
>> "smtpd_recipient_restrictions=permit_auth_destination,check_recipient_access,pcre:/usr/local/etc/postfix/filter-to-external.pcre,permit_mynetworks,reject"
>> means I stop processing restrictions if my server is the destination. If
>> my server is not the destination, the FILTER in check_recipient_access
>> will override the preceding smtp-to-me filter.
>>
>> Both 1) and 2) smtpd instances include option
>> receive_override_options=no_address_mappings, to wait with mapping to
>> internal recipient until we can add X-Original-To header for my server's
>> users only.
>>
>> 3a) For mail to my server, smtp-to-me will add X-Original-To using a
>> pcre script, in a similar fashion to step 2's filter. This step also
>> expands the address mapping (by not specifying any
>> receive_override_options).
>> -o
>> smtpd_recipient_restrictions=check_recipient_access,pcre:/usr/local/etc/postfix/recipient_access_x-orig.pcre,permit_mynetworks,reject
>>
>> 3b) For mail leaving my server, smtp-to-external will not add any
>> processing besides implied expanding of the address mapping.
>>
>> 4) Mail is funneled through amavisd-new, once per final recipient. Mails
>> leaving the server (sent from smtp-to-external) will be scanned by ClamV
>> only. Mails with my server as the destination (sent from smtp-to-me)
>> will go through ClamV, and SpamAssassin (together with per-user bayes
>> filtering).
>>
>> 5) Nothing special is done here. The final destination address is sent
>> to LMTP for delivery.
>>
>> Contents of /usr/local/etc/postfix/recipient_access_x-orig.pcre:
>> /(.+)/ prepend X-Original-To: <$1>
>>
>> Contents of /usr/local/etc/postfix/filter-to-external.pcre:
>> /^/ FILTER smtp-to-external:[127.0.0.1]:<port>
>>
>>
>> Room for improvement:
>> Postfix seem to know the orig_to even after processing in amavisd-new,
>> however I have yet to find a way to use this option.
>> I can move the amavisd-new filter to before the X-Original-To header
>> addition, however for amavisd-new to utilize per-user bayes, I currently
>> need to do the address mapping in postfix before sending the content to
>> amavisd-new. This may be possible to circumvent either with alias lookup
>> in amavisd-new, or if I can find another way to use the
>> postfix-available "orig_to" to populate X-Original-To header after
>> scanning in amavisd-new.
>>
>> I've tried to split the mails into one per recipient after address
>> mapping and amavisd-new, instead of before as my solution above, without
>> default_destination_recipient_limit=1 in main.cf. Instead I tried the
>> options as part of smtp (and even smtpd) services in master.cf,
>> unfortunately without success. I keep ending up with multiple
>> X-Original-To with all local recipients (including BCC) in all internal
>> copies delivered.
>>
>>
>> Have anyone successfully tackled this conundrum with other solutions?
>>
>> Regards,
>> Tobias
>>
>
More information about the dovecot
mailing list