Forward mail and obey SPF and DKIM


Forward mail and obey SPF and DKIM

ilyak
Hello.
I have Postfix running on a Linux box.

I set up OpenDKIM with both smtpd and non_smtpd milters.
I also set my address in DNS as a permitted IP for SPF.

So far, so good.

But I want all my mail to be forwarded to Gmail.

Some user sends me email from user@some_sender_domain.

If I use .forward or an alias, then Postfix doesn't change the "From" header,
so Gmail believes the email was sent from @some_sender_domain.
This domain doesn't have my box's IP as permitted in DNS, so SPF fails.

I can change the header using header_checks. But then the DKIM signature
would be broken because some_sender_domain signed the email and I changed it.

It seems that I need to:
* Change headers
* Sign the email with my DKIM
* Forward it to Gmail

But milters are not applied to forwarded emails because they aren't locally generated (or I failed to configure it correctly?)

I can fix it using a custom script that reads my local email
and sends it to Gmail.

But how can I do that with Postfix?

Ilya.  

Re: Forward mail and obey SPF and DKIM

Dominic Raferd
On 14/09/2020 14:31, IL Ka wrote:


The short answer is that SPF failures do not normally matter when
forwarding to Gmail. They only matter if the sender uses DMARC with p=reject
*and* has not signed their email with DKIM, which is a poor and rare
practice (though not forbidden). (Forwarding to Gmail should not break
the original sender's DKIM signature.)
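To make the interplay Dominic describes concrete, here is an added example (not code from the thread) that models how a receiver combines SPF and DKIM into a DMARC verdict. It assumes a simplified organisational-domain rule; domain names and policies are constructed.

```python
# Added example, not code from the thread: a minimal model of how a receiver
# such as Gmail combines SPF and DKIM into a DMARC verdict, showing why a
# forwarded message with an intact, aligned DKIM signature survives an SPF
# failure. Domain names and policies below are constructed for illustration.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels). Real receivers
    consult the Public Suffix List; this shortcut is an assumption here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str       # RFC5322.From domain (what DMARC is evaluated on)
    mail_from_domain: str  # RFC5321.MailFrom domain (what SPF is evaluated on)
    spf_result: str        # "pass", "softfail", "fail" or "none"
    dkim_result: str       # "pass", "fail" or "none"
    dkim_d: str            # d= tag of the verified signature, "" if none
    policy: str            # sender's DMARC p= value: "none", "quarantine", "reject"
    strict_spf: bool = False
    strict_dkim: bool = False

def dmarc_verdict(r: AuthResults) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when at least one of
    SPF or DKIM passes *and* is aligned with the From domain; otherwise the
    sender's policy is applied."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, r.strict_spf)
    dkim_ok = r.dkim_result == "pass" and bool(r.dkim_d) and aligned(r.dkim_d, r.from_domain, r.strict_dkim)
    return (True, "none") if spf_ok or dkim_ok else (False, r.policy)

# Constructed scenario 1: plain .forward to Gmail. SPF softfails because the
# forwarding box is not in the sender's SPF record, but the sender's DKIM
# signature is intact and aligned, so DMARC still passes.
FORWARDED = AuthResults("sender.example", "sender.example", "softfail", "pass", "sender.example", "reject")

# Scenario 2: same forward, but the sender never signed with DKIM. This is the
# case Dominic describes: with p=reject the forwarded copy is rejected.
UNSIGNED = AuthResults("sender.example", "sender.example", "softfail", "none", "", "reject")

# Scenario 3: envelope sender rewritten to the forwarder's own domain (SRS).
# SPF now passes but is not aligned with From, so the DMARC result is unchanged.
REWRITTEN = AuthResults("sender.example", "forwarder.example", "pass", "none", "", "reject")
```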


Re: Forward mail and obey SPF and DKIM

ilyak
Thank you.
I see "SPF: SOFTFAIL" in my gmail message.

Authentication results:
spf=softfail (google.com: domain of transitioning some_user@sender_domain does not designate MY_IP_ADDR as permitted sender)

While the message is not blocked, it is still not good to have an SPF failure, even when the failure is soft.

It seems that I can't fix it, right?



On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd <[hidden email]> wrote:


Re: Forward mail and obey SPF and DKIM

Dominic Raferd
On 14/09/2020 15:09, IL Ka wrote:

> On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd
> <[hidden email] <mailto:[hidden email]>> wrote:
>
> Thank you.
> I see "SPF: SOFTFAIL" in my gmail message.
>
> Authentication results:
> spf=softfail (google.com: domain of transitioning
> some_user@sender_domain does not designate MY_IP_ADDR as permitted sender)
>
> While the message is not blocked, it is still not good to have SPF
> failure. Even when failure is soft.
>
> It seems that I can't fix it, right?

Don't worry about it. There are enough real problems to worry about.


Re: Forward mail and obey SPF and DKIM

Nick Tait
> > Thank you.
> > I see "SPF: SOFTFAIL" in my gmail message.
> >
> > Authentication results:
> > spf=softfail (google.com: domain of
> > transitioning some_user@sender_domain does not designate MY_IP_ADDR as
> > permitted sender)
> >
> > While the message is not blocked, it is still not good to have SPF
> failure. Even when failure is soft.
> >
> > It seems that I can't fix it, right?
>
> Don't worry about it. There are enough real problems to worry about.
>
Not that I'm recommending it (or in fact have any experience with it
myself), but theoretically at least, you could probably use the
"smtpd_command_filter" option to modify the RFC5321.MailFrom address to
substitute your own domain in place of the sender's domain (e.g. change
"sender@senderdomain" to "sender+senderdomain@yourdomain"), before you
relay the message to Google (but after you've done your own incoming
checks, which probably entails setting up a separate smtpd service on a
loopback interface)? Doing so would alleviate the SPF failure, although
I should highlight that it won't actually make any practical difference
to the DMARC result because the RFC5321.MailFrom address will be out of
alignment with the RFC5322.From address. Plus it may also create other
issues with bounce messages... You'd probably need a mechanism to
reverse the translation for a non-delivery report received from GMail
(e.g. change "sender+senderdomain@yourdomain" back to
"sender@senderdomain", so that the original sender can be notified if
your mailbox is full), but at the same time avoid creating an open-relay
type of vulnerability (e.g. allowing an attacker to use
"user+targetdomain@mydomain" to trick your server into forwarding emails
to "user@targetdomain").

Of course the real cost of implementing something like this is the
increased effort required to figure out what went wrong when something
isn't working properly. :-P

Nick.


Re: [EXTERNAL] Re: Forward mail and obey SPF and DKIM

Michael D. Sofka

On 9/16/20 6:18 AM, Nick Tait wrote:

> Not that I'm recommending it (or in fact have any experience with it
> myself), but theoretically at least, you could probably use the
> "smtpd_command_filter" option to modify the RFC5321.MailFrom address
> to substitute your own domain in place of the sender's domain (e.g.
> change "sender@senderdomain" to

This is called Sender Rewriting Scheme (SRS). There are milters for it.
Our gateway uses a sub-domain in the rewrite, then rewrites it back.


> "sender+senderdomain@yourdomain"), before you relay the message to
> Google (but after you've done your own incoming checks, which probably
> entails setting up a separate smtpd service on a loopback interface)?
> Doing so would alleviate the SPF failure, although I should highlight
> that it won't actually make any practical difference to the DMARC
> result because the RFC5321.MailFrom address will be out of alignment
> with the RFC5322.From address. Plus it may also create other issues
> with bounce messages... You'd probably need a mechanism to reverse the
> translation for a non-delivery report received from GMail (e.g. change
> "sender+senderdomain@yourdomain" back to "sender@senderdomain", so
> that the original sender can be notified if your mailbox is full), but
> at the same time avoid creating an open-relay type of vulnerability
> (e.g. allowing an attacker to use "user+targetdomain@mydomain" to
> trick your server into forwarding emails to "user@targetdomain").
>
> Of course the real cost of implementing something like this is the
> increased effort required to figure out what went wrong when something
> isn't working properly. :-P
>
> Nick.
>
--
Michael D. Sofka               [hidden email]
ITI Software Architect,   Email, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
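Nick's envelope-sender rewrite and Michael's naming of it as SRS both come down to the same forward/reverse pair, and Nick's open-relay caveat is exactly what the reverse step must guard against. The following is an added example (not code from the thread, not postsrsd or any existing milter) of that core logic; the secret, forwarder domain and addresses are constructed, and the encoding is simplified rather than wire-compatible with the SRS specification.

```python
# Added example, not code from the thread and not postsrsd or any existing
# milter: the core of a Sender Rewriting Scheme (SRS0-style) forward and
# reverse pair, showing how the reverse step is protected against the
# open-relay abuse Nick describes. The secret, domain and addresses are
# constructed; the encoding is simplified and not wire-compatible with SRS.
import hashlib
import hmac
from typing import Optional

FORWARDER = "yourdomain.example"          # assumed: the forwarding host's domain
SECRET = b"constructed-secret-rotate-me"  # assumed: secret known only to this host
MAX_AGE_DAYS = 21                         # bounces older than this are refused

def _tag(secret: bytes, *parts: str) -> str:
    """Truncated HMAC over the rewritten fields. It binds the reverse address
    to this host's secret, so an outsider cannot mint a valid one."""
    mac = hmac.new(secret, "=".join(parts).encode(), hashlib.sha256).digest()
    return mac[:6].hex()

def srs_forward(addr: str, now_days: int, secret: bytes = SECRET) -> str:
    """sender@senderdomain -> SRS0=<tag>=<day>=senderdomain=sender@FORWARDER.
    The rewritten envelope sender makes SPF pass at Gmail (alignment aside)."""
    local, domain = addr.rsplit("@", 1)
    ts = str(now_days)
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"

def srs_reverse(addr: str, now_days: int, secret: bytes = SECRET) -> Optional[str]:
    """Undo the rewrite for a bounce coming back from Gmail. Returns None
    (meaning: do not relay) unless the tag verifies and the timestamp is
    fresh; that is what stops 'user+targetdomain@mydomain' style relaying."""
    local, domain = addr.rsplit("@", 1)
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None                        # not one of our rewritten addresses
    try:
        _, tag, ts, orig_domain, orig_local = local.split("=", 4)
    except ValueError:
        return None                        # malformed
    if not hmac.compare_digest(tag, _tag(secret, ts, orig_domain, orig_local)):
        return None                        # forged or tampered fields
    if not ts.isdigit() or not 0 <= now_days - int(ts) <= MAX_AGE_DAYS:
        return None                        # replay of a stale address
    return f"{orig_local}@{orig_domain}"
```

As Nick notes, this only repairs the SPF result; the rewritten RFC5321.MailFrom is still not aligned with RFC5322.From, so it changes nothing for DMARC.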