Amavisd-new policy banks and sasl_username in the returning smtpd instance

Dominic Raferd dominic at
Thu May 20 12:53:56 CEST 2021

On 20/05/2021 10:29, Egoitz Aurrekoetxea wrote:
> I think I have been confusing XCLIENT with XFORWARD. I saw, that 
> Amavis entered in different policy banks depending in the connecting 
> ip to Postfix and I though it was ... I don't distinguish between 
> XFORWARD and XCLIENT really :)
> I have been confusing concepts I assume...
> So, there is no way of receiving original sasl_username from Amavis, 
> in order to have it available using a Postfix policy in the returning 
> back from Amavis smtpd instance?. It would be valid for me too... if 
> for instance:
> Postfix auth -> Amavis auth  -> Returning Postfix auth instance
> If in some manner amavis smtp feed, should had to auth always against 
> final returning smtpd instance being Amavis some sort of proxy in that 
> moment¿?.
> Any ideas about how could I achieve my goal? :)
A workaround is to set 'smtpd_sasl_authenticated_header = yes' in the 
first (pre-Amavis) Postfix instance to add the sasl_username info to the 
new Received: header, then (after this information has been used in some 
way) strip it from the header in the second (post-Amavis) Postfix 
instance, so it does not pass to third parties. Latter action can be 
done by header_checks e.g.

if /^Received: from .*by myserver\.tld/
/^(.*)\s*\(Authenticated sender:[^)]*\)\s*(.*)/ REPLACE $1$2

More information about the amavis-users mailing list