Forward SRS with postfix


Forward SRS with postfix

Marek Kozlowski-2
:-)

Numerous users of my system use forward to external MTAs. From time to
time it causes some issues with SPF on those MTAs. SRS could resolve those.
I'm wondering if you could recommend any SRS software which nicely
integrates with postfix and doesn't interfere with canonicals (postsrsd
does[*]).


[*]I need to rewrite both senders' addresses (`MAIL FROM:' and `From:')
for all outgoing mail with canonicals before SRS is applied. Moreover:
canonical should rewrite both addresses and SRS - only envelopes, so they
should not rely on the same settings (sender_canonical_classes).

Best regards,
Marek

Re: Forward SRS with postfix

Benny Pedersen-2
Marek Kozlowski skrev den 2017-06-08 11:55:

> [*]I need to rewrite both senders' addresses (`MAIL FROM:' and `From:')
> for all outgoing mail with canonicals before SRS is applied. Moreover:
> canonical should rewrite both addresses and SRS - only envelopes, so they
> should not rely on the same settings (sender_canonical_classes).

this will break dkim

join OpenARC maillists for more robust solution

drop libsrs and libspf

Re: Forward SRS with postfix

Marek Kozlowski-2


On 06/08/2017 12:04 PM, Benny Pedersen wrote:

> Marek Kozlowski skrev den 2017-06-08 11:55:
>
>> [*]I need to rewrite both senders' addresses (`MAIL FROM:' and `From:')
>> for all outgoing mail with canonicals before SRS is applied. Moreover:
>> canonical should rewrite both addresses and SRS - only envelopes, so they
>> should not rely on the same settings (sender_canonical_classes).
>
> this will break dkim
>
> join OpenARC maillists for more robust solution
>
> drop libsrs and libspf


Such address rewrite with canonicals? No, it doesn't (it works fine).

Best regards,
Marek

Re: Forward SRS with postfix

Dominic Raferd
In reply to this post by Marek Kozlowski-2
On 08/06/2017 10:55, Marek Kozlowski wrote:
> :-)
>
> Numerous users of my system use forward to external MTAs. From time to
> time it causes some issues with SPF on those MTAs. SRS could resolve those.
> I'm wondering if you could recommend any SRS software which nicely
> integrates with postfix and doesn't interfere with canonicals (postsrsd
> does[*])...
>

We forward our users' incoming mails through our postfix servers to
external MTAs (almost always Gmail). Yes it breaks SPF but it is not
usually a problem, because it doesn't break DKIM. It would of course be
a problem if the external MTAs chose to enforce rejection based purely
on SPF; a very unwise practice IMO, but there may not be much you can do
about it.

In our case (with Gmail as the external MTA) it is only a problem if the
source domain has a 'reject' DMARC policy and the original message,
though passing SPF, fails DKIM (probably because it is unsigned). Our
system monitors the log for such a rejection (by Gmail) and if found
will then encapsulate the original message and re-send it to recipient
(with an explanatory text). In my experience such instances are very rare.



Re: Forward SRS with postfix

Marek Kozlowski-2
:-)

On 06/08/2017 12:38 PM, Dominic Raferd wrote:

> On 08/06/2017 10:55, Marek Kozlowski wrote:
>> :-)
>>
>> Numerous users of my system use forward to external MTAs. From time to
>> time it causes some issues with SPF on those MTAs. SRS could resolve
>> those.
>> I'm wondering if you could recommend any SRS software which nicely
>> integrates with postfix and doesn't interfere with canonicals (postsrsd
>> does[*])...
>>
>
> We forward our users' incoming mails through our postfix servers to
> external MTAs (almost always Gmail). Yes it breaks SPF but it is not
> usually a problem, because it doesn't break DKIM. It would of course be
> a problem if the external MTAs chose to enforce rejection based purely
> on SPF; a very unwise practice IMO, but there may not be much you can do
> about it.
>
> In our case (with Gmail as the external MTA) it is only a problem if the
> source domain has a 'reject' DMARC policy and the original message,
> though passing SPF, fails DKIM (probably because it is unsigned). Our
> system monitors the log for such a rejection (by Gmail) and if found
> will then encapsulate the original message and re-send it to recipient
> (with an explanatory text). In my experience such instances are very rare.

I've recently implemented opendkim. As far as I understand your
explanation if the message is DKIM-signed I should not worry too much
about SRS?


Best regards,
Marek

Re: Forward SRS with postfix

Dominic Raferd


On 8 June 2017 at 12:20, Marek Kozlowski <[hidden email]> wrote:
> :-)
>
> On 06/08/2017 12:38 PM, Dominic Raferd wrote:
>> On 08/06/2017 10:55, Marek Kozlowski wrote:
>>> :-)
>>>
>>> Numerous users of my system use forward to external MTAs. From time to
>>> time it causes some issues with SPF on those MTAs. SRS could resolve
>>> those.
>>> I'm wondering if you could recommend any SRS software which nicely
>>> integrates with postfix and doesn't interfere with canonicals (postsrsd
>>> does[*])...
>>>
>>
>> We forward our users' incoming mails through our postfix servers to
>> external MTAs (almost always Gmail). Yes it breaks SPF but it is not
>> usually a problem, because it doesn't break DKIM. It would of course be
>> a problem if the external MTAs chose to enforce rejection based purely
>> on SPF; a very unwise practice IMO, but there may not be much you can do
>> about it.
>>
>> In our case (with Gmail as the external MTA) it is only a problem if the
>> source domain has a 'reject' DMARC policy and the original message,
>> though passing SPF, fails DKIM (probably because it is unsigned). Our
>> system monitors the log for such a rejection (by Gmail) and if found
>> will then encapsulate the original message and re-send it to recipient
>> (with an explanatory text). In my experience such instances are very rare.
>
> I've recently implemented opendkim. As far as I understand your
> explanation if the message is DKIM-signed I should not worry too much
> about SRS?

To be honest I haven't tried SRS; but if it doesn't break DKIM I would expect it to break DMARC (because of alignment concept). Maybe someone knows different?

Our servers use openDMARC; openDKIM and python-policyd-spf are used but only to add informational headers for openDMARC. We enforce p=reject DMARC policy but (in another coded workaround) any mail placed by openDMARC in the postfix hold queue (p=quarantine DMARC policy) is released and sent onward so that the end MTA (Gmail) can receive and quarantine it (i.e. put into Gmail 'Spam' folder).
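
The SPF/DKIM/DMARC interaction discussed in this thread, as an added example that is not part of any post: a simplified Python model showing that SRS lets SPF pass at the forwarder's domain while DMARC still depends on an aligned DKIM signature. Assumptions: the domains, IPs and secret are constructed; the SRS0 hash is illustrative and not interoperable with postsrsd; the organizational-domain check takes the last two labels instead of consulting the Public Suffix List.

```python
import base64, hashlib, hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Constructed stand-in for DNS: domain -> IPs its SPF record authorizes.
SPF = {"example.org": {"192.0.2.10"}, "forwarder.example": {"198.51.100.5"}}

def srs0_forward(sender, forwarder_domain, secret, day):
    """Rewrite an envelope sender as SRS0=<hash>=<ts>=<domain>=<local>@<forwarder>."""
    local, domain = sender.rsplit("@", 1)
    day %= 1024                                   # day counter, two base32 chars
    ts = B32[day >> 5] + B32[day & 31]
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]   # illustrative truncation
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"

def org_domain(addr_or_domain):
    # Simplification: last two labels. Real checks use the Public Suffix List.
    return ".".join(addr_or_domain.rsplit("@", 1)[-1].lower().split(".")[-2:])

def dmarc_pass(header_from, envelope_from, sending_ip, dkim_domains):
    """DMARC passes if SPF or DKIM passes AND that domain aligns with From:."""
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    spf_ok = sending_ip in SPF.get(env_domain, set())
    spf_aligned = spf_ok and org_domain(env_domain) == org_domain(header_from)
    # dkim_domains models the d= values of signatures that verified.
    dkim_aligned = any(org_domain(d) == org_domain(header_from) for d in dkim_domains)
    return {"spf": spf_ok, "dmarc": spf_aligned or dkim_aligned}

def scenarios():
    frm, fwd_ip = "alice@example.org", "198.51.100.5"
    srs = srs0_forward(frm, "forwarder.example", b"constructed-secret", day=17325)
    return {
        "direct, unsigned":        dmarc_pass(frm, frm, "192.0.2.10", []),
        "forwarded, unsigned":     dmarc_pass(frm, frm, fwd_ip, []),
        "forwarded, DKIM":         dmarc_pass(frm, frm, fwd_ip, ["example.org"]),
        "forwarded+SRS, unsigned": dmarc_pass(frm, srs, fwd_ip, []),
        "forwarded+SRS, DKIM":     dmarc_pass(frm, srs, fwd_ip, ["example.org"]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} SPF={result['spf']!s:5} DMARC={result['dmarc']}")
```
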