I’m trying to configure a sieve filter to forward emails to Gmail, and as per latest guidance from Google here

support.google.com
Best practices for forwarding email to Gmail - Google Workspace Admin Help
This article has recommendations for email administrators and Gmail users who forward messages from other accounts or services to Gmail. Forwarding email messages can affect email authentication. Foll
support.google.com
I am trying to add the X-Forwarded-For and X-Forwarded-To headers to the redirected messages. The filter validates and looks OK, but these headers don’t appear in the forwarded messages.

Sieve filter details below. Note I’m trying to avoid forwarding messages with DMARC reject policy which Gmail doesn’t seem to like even with ARC validation and signing.

require "editheader";
if allof (
not header :contains "X-Spam-Flag" "YES",
not header :contains "ARC-Authentication-Results" "(policy=reject)"
)
{
addheader :last "X-Forwarded-For" "me@example.com";
addheader :last "X-Forwarded-To" "mygmailaddress@gmail.com";
redirect "mygmailaddress@gmail.com";
}

Doing some digging around, it looks like any X-Forward* headers are being removed by postfix smtp cleanup via this line in anonymize_headers.pcre:
/^\s*X-Forward/ IGNORE

I assume there must be a good reason for this behaviour, can anyone explain why it is configured this way? Is there an easy way to “whitelist” the X-Forwarded-For and X-Forwarded-To headers in anonymize_headers.pcre?

I guess the reason is hiding internal IP addresses and client IP addresses.
You could comment out the line or the one which loads this file.
Or make /^\s*X-Forward/ IGNORE more specific. CHeck the postfix documentation.

Have something to say?

Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!

I can see that hiding IP addresses makes sense. However the use of X-Forwarded-For and X-Forwarded-To is for email addresses rather than IP addresses, and so I think these need to be retained in the headers since they are intended for use by the receiving MTA.

Reading the action options in more detail here

postfix.org
Postfix manual - header_checks(5)
I think using either DUNNO or INFO actions with specific patterns to match X-Forwarded-For and X-Forwarded-To on lines before the more general match for other X-Forward* headers may work. I’ll test this out.

No one is typing