Postfix – Replace Sender Address and Add Reply-to Header

We have a network in which a bunch of servers send out lots of notification emails and all these emails are relayed to the outside world through a single Postifx server (by setting relayhost variable in main.cf on the servers). Sometimes developers don’t pay enough attention and address the emails as from some domain that is not of our network, and such emails tend to be classified as spam by the receivers’ email provider.

A straight-forward solution is of course to replace the sender address with a valid one. Since these are mostly automatic notification emails sent by machines and the machines don’t expect a reply, we can set the sender address to be no-reply@mydomain.com, with a simple rule:

# In /etc/postfix/main.cf, add this if sender_canonical_maps isn't already defined:
sender_canonical_maps = regexp:/etc/postfix/sender_canonical

# In /etc/postfix/sender_canonical, add this.
# please note - this also applies to Reply-to header if the email already has one:
/@invalid-domain.tld/ no-reply@valid-domain.tld

But what if the developers do expect replies to the email address they set as sender? To address this we add an additional header “Reply-to:” to the email, so that when the receiver hits reply button in their email client, the To: address is filled in with the expected email address, instead of no-reply@mydomain.com. Here’s the way to do this:

# In /etc/postfix/main.cf, add this if header_checks isn't already defined:
header_checks = regexp:/etc/postfix/header_checks

# In /etc/postfix/header_checks, add this:
/^From: (.*@invalid-domain.tld)/ PREPEND Reply-to: $1

Postfix applies header_checks before sender_canonical_maps so at the time of prepending Reply-to header, From field is not changed yet.

Wait! Looks like this works only when I send emails directly from the relay server? You need this in /etc/postfix/main.cf:

local_header_rewrite_clients = static:all

Leave a Reply

Your email address will not be published. Required fields are marked *

Prove your intelligence before hitting * Time limit is exhausted. Please reload CAPTCHA.