When milter (opendkim) is behind a proxy/relay, how to give it the original client IP?

  • Thomas R.
    Message 1 of 6 , Jun 24, 2014
      Hello,

      OpenDKIM bases its decision whether mail can be signed on, among other
      things, the connecting IP. However this only works if there has been no
      SMTP relay or proxy prior to the mail reaching the milter. If there has
      been, OpenDKIM sees the IP address of the relay/proxy and treats it as
      "trusted". This leads to it signing some incoming mail (if the From:
      has been forged to use my domain name).

      My setup for incoming smtpd mail currently has proxsmtp acting as an
      SMTP proxy - this scans mail using bogofilter.

      Setup:

      Incoming mail -> postfix (25) -> proxsmtp (10025) -> postfix
      (10026) + opendkim milter -> cleanup, queue, etc.

      XFORWARD is verified to be working through proxsmtp - this is confirmed
      in the log files which show Postfix giving the correct "orig_client"
      value right through to queuing. I have verified that OpenDKIM is basing
      its decision to sign based on the client IP being 127.0.0.1 (it's coming
      from the proxy).

      Questions:

      1. When Postfix sends the {client_addr} macro to the milter, is that
      the originating client from XFORWARD? Can it send that?

      2. If not, is there any other way to provide a macro to the milter,
      that contains the originating client ID from XFORWARD?

      3. Is there an alternative solution to my problem that does not involve
      removing the SMTP proxy, or using Amavisd-milter (I'm on low memory)?

      Surely people who use secondary MX servers encounter this same issue,
      because the secondary MX relays to the first and OpenDKIM would see its
      IP address instead of the connecting client?
    • lists@rhsoft.net
      Message 2 of 6 , Jun 25, 2014
        On 25.06.2014 03:01, Thomas R. wrote:
        > OpenDKIM bases its decision whether mail can be signed on, among other things, the connecting IP. However this
        > only works if there has been no SMTP relay or proxy prior to the mail reaching the milter. If there has been,
        > OpenDKIM sees the IP address of the relay/proxy and treats it as "trusted". This leads to it signing some incoming
        > mail (if the From: has been forged to use my domain name).
        >
        > My setup for incoming smtpd mail currently has proxsmtp acting as an SMTP proxy - this scans mail using bogofilter.
        >
        > Setup:
        >
        > Incoming mail -> postfix (25) -> proxsmtp (10025) -> postfix (10026) + opendkim milter -> cleanup, queue, etc

        why not change the order?

        a contentfilter is anyways expensive and should be the last one
        and so only face messages which made it through all the cheaper
        tests and filters
      • Wietse Venema
        Message 3 of 6 , Jun 25, 2014
          Thomas R.:
          > Hello,
          >
          > OpenDKIM bases its decision whether mail can be signed on, among other
          > things, the connecting IP. However this only works if there has been no
          > SMTP relay or proxy prior to the mail reaching the milter. If there has
          > been, OpenDKIM sees the IP address of the relay/proxy and treats it as
          > "trusted". This leads to it signing some incoming mail (if the From:
          > has been forged to use my domain name).
          >
          > My setup for incoming smtpd mail currently has proxsmtp acting as an
          > SMTP proxy - this scans mail using bogofilter.
          >
          > Setup:
          >
          > Incoming mail -> postfix (25) -> proxsmtp (10025) -> postfix
          > (10026) + opendkim milter -> cleanup, queue, etc.
          >
          > XFORWARD is verified to be working through proxsmtp - this is confirmed

          Use XCLIENT!

          XFORWARD is for LOGGING.

          XCLIENT is for IMPERSONATION.

          Wietse
        • lists@rhsoft.net
          Message 4 of 6 , Jun 25, 2014
            why respond off-list? not able to handle a MUA but maintain mailservers.....

            On 25.06.2014 13:27, Thomas R. wrote:
            >> why not change the order?
            >>
            >> a contentfilter is anyways expensive and should be the last one
            >> and so only face messages which made it through all the cheaper
            >> tests and filters
            >
            > I'm not aware of any way of having a before-queue filter run *after* a milter

            *both* are before-queue and so only the order matters
            http://www.postfix.org/MILTER_README.html

            > and still have it run before-queue. I think the only way to do that is to have
            > it as an after-queue filter and then lose the ability to REJECT during the
            > SMTP transaction without creating backscatter.

            *any* filter has to be before-queue
            nowhere did I say anything else

            > That is the situation I'm currently in though. I just feel as if rejecting spam at the SMTP transaction is more
            > responsible than blackholing it after. Opinions differ on this.

            where did i say anything else?

            > Other suggestions welcome.
            >
            > Aside, bogofilter is actually a remarkably lightweight and fast spam filter. It can scan and classify a folder of
            > over 2000 mails in a couple of seconds. Of course there will be overhead because it doesn't run as a daemon.

            in any case it's more expensive compared to non-content-filters
          • Thomas R.
            Message 5 of 6 , Jun 25, 2014
              On 25/06/2014 9:41 PM, lists@... wrote:
              > why respond off-list? not able to handle a MUA but maintain
              > mailservers.....

              An accident. You're quite rude. Your email looked like a list email
              and I didn't catch my mistake.

              > *both* are before-queue and so only the order matters
              > http://www.postfix.org/MILTER_README.html

              I don't know how to change the order between a before-queue filter and a
              milter. How is it done?

              I was under the impression that it is not possible to run milters
              "before" before-queue filters (if you even run a milter in the same
              process that hands off to an SMTP proxy, the milter cannot modify/access
              the message body). So instead you need to run before-queue filter which
              passes back to postfix, then run the milter in the second postfix process.

              > *any* filter has to be before-queue
              > nowhere did I say anything else

              Filters specified with content_filter are run after-queue, and that's
              what I have now, along with the disadvantage of not being able to REJECT
              during initial SMTP transaction, which is why I'm keen to move this to a
              before-queue filter while ensuring it doesn't compromise the milter's
              ability to know the client IP.

              Wietse's tip for using XCLIENT instead of XFORWARD looks like a
              promising one which I will try.

              T
            • Wietse Venema
              Message 6 of 6 , Jun 25, 2014
                Thomas Rutter:
                > > Use XCLIENT!
                > >
                > > XFORWARD is for LOGGING.
                > >
                > > XCLIENT is for IMPERSONATION.
                >
                > Thank you! I don't know why I haven't looked into this already.

                Postfix supports client IP address forwarding with haproxy (uses
                their protocol) and with nginx (uses XCLIENT).

                Wietse
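The XCLIENT mechanism Wietse recommends in messages 3 and 6, as an added example that is not part of the thread nor code from Postfix, proxsmtp or OpenDKIM: it builds the command the proxy would send, parses it as the receiving smtpd would, and shows why XFORWARD leaves the milter seeing 127.0.0.1 while XCLIENT does not. It assumes the proxy's address is listed in smtpd_authorized_xclient_hosts of the second Postfix instance (the one on port 10026 that runs the opendkim milter).

```python
import ipaddress
import re

# Added example (not Postfix, proxsmtp or OpenDKIM code). Assumes the proxy at
# 127.0.0.1 is in smtpd_authorized_xclient_hosts of the instance on port 10026.

def xtext_encode(value):
    """RFC 3461 xtext: printable ASCII except '+' and '=' is literal, else +HH."""
    return "".join(c if 33 <= ord(c) <= 126 and c not in "+=" else "+%02X" % ord(c)
                   for c in value)

def xtext_decode(value):
    """Inverse of xtext_encode."""
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_xclient(client_ip, client_name=None):
    """Command the proxy sends before MAIL FROM; IPv6 needs the IPV6: prefix,
    an unknown hostname is spelled [UNAVAILABLE]."""
    addr = ipaddress.ip_address(client_ip)
    addr_txt = ("IPV6:%s" % addr) if addr.version == 6 else str(addr)
    return "XCLIENT ADDR=%s NAME=%s" % (
        xtext_encode(addr_txt), xtext_encode(client_name or "[UNAVAILABLE]"))

def parse_xclient(line):
    """Server side: the attributes Postfix substitutes into the SMTP session."""
    verb, _, rest = line.partition(" ")
    if verb.upper() != "XCLIENT":
        raise ValueError("not an XCLIENT command")
    attrs = {}
    for item in rest.split():
        key, _, raw = item.partition("=")
        val = xtext_decode(raw)
        if key.upper() == "ADDR" and val.upper().startswith("IPV6:"):
            val = val[5:]
        attrs[key.upper()] = val
    return attrs

def milter_client_addr(proxy_ip, command, authorized_xclient=True):
    """What the milter gets in {client_addr} for a session the proxy opened.
    XFORWARD only changes what Postfix logs, so the milter still sees the proxy;
    XCLIENT replaces the session identity, but only for an authorized host."""
    verb = command.split(" ", 1)[0].upper()
    if verb == "XCLIENT" and authorized_xclient:
        return parse_xclient(command).get("ADDR", proxy_ip)
    return proxy_ip  # XFORWARD, or XCLIENT rejected as unauthorized
```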