Hello.
I have postfix running on linux box. I setup OpenDKIM with both smtpd and non_smtp milters. I also set my address in DNS as permitted IP for SPF. So far, so good. But I want all my mail to be forwarded to gmail. Some user sends me email from user@some_sender_domain. If I use .forward or alias, then postfix doesn't change "From" header, so gmail believes email was sent from @some_sender_domain. This domain doesn't have my box IP as permitted in DNS, so SPF failed. I can change header using headers_check. But then DKIM signature would be broken because some_sender_domain signed email and I changed it. It seems that I need to: * Change headers * Sign email with my DKIM * Forward it to gmail But milters are not applied on forwarded emails because they aren't locally generated (or I failed to configure it correctly?) I can fix it using custom script that reads my local email and sends it to gmail. But how can I do that with postfix? Ilya. |
On 14/09/2020 14:31, IL Ka wrote:
> Hello. > I have postfix running on linux box. > > I setup OpenDKIM with both smtpd and non_smtp milters. > I also set my address in DNS as permitted IP for SPF. > > So far, so good. > > But I want all my mail to be forwarded to gmail. > > Some user sends me email from user@some_sender_domain. > > If I use .forward or alias, then postfix doesn't change "From" header, > so gmail believes email was sent from @some_sender_domain. > This domain doesn't have my box IP as permitted in DNS, so SPF failed. > > I can change header using headers_check. But then DKIM signature > would be broken because some_sender_domain signed email and I changed it. > > It seems that I need to: > * Change headers > * Sign email with my DKIM > * Forward it to gmail > > But milters are not applied on forwarded emails because they aren't > locally generated (or I failed to configure it correctly?) > > I can fix it using custom script that reads my local email > and sends it to gmail. > > But how can I do that with postfix? The short answer is that SPF failures do not normally matter when forwarding to gmail. They only matter if sender uses DMARC with p=reject *and* has not signed their email with DKIM, which is a poor and rare practice (though not forbidden). (Forwarding to gmail should not break the original sender's DKIM signature.) |
Thank you. I see "SPF: SOFTFAIL" in my gmail message. Authentication results: spf=softfail (google.com: domain of transitioning some_user@sender_domain does not designate MY_IP_ADDR as permitted sender) While the message is not blocked, it is still not good to have SPF failure. Even when failure is soft. It seems that I can't fix it, right? On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd <[hidden email]> wrote: On 14/09/2020 14:31, IL Ka wrote: |
On 14/09/2020 15:09, IL Ka wrote:
> On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd > <[hidden email] <mailto:[hidden email]>> wrote: > > On 14/09/2020 14:31, IL Ka wrote: > > Hello. > > I have postfix running on linux box. > > > > I setup OpenDKIM with both smtpd and non_smtp milters. > > I also set my address in DNS as permitted IP for SPF. > > > > So far, so good. > > > > But I want all my mail to be forwarded to gmail. > > > > Some user sends me email from user@some_sender_domain. > > > > If I use .forward or alias, then postfix doesn't change "From" > header, > > so gmail believes email was sent from @some_sender_domain. > > This domain doesn't have my box IP as permitted in DNS, so SPF > failed. > > > > I can change header using headers_check. But then DKIM signature > > would be broken because some_sender_domain signed email and I > changed it. > > > > It seems that I need to: > > * Change headers > > * Sign email with my DKIM > > * Forward it to gmail > > > > But milters are not applied on forwarded emails because they aren't > > locally generated (or I failed to configure it correctly?) > > > > I can fix it using custom script that reads my local email > > and sends it to gmail. > > > > But how can I do that with postfix? > > The short answer is that SPF failures do not normally matter when > forwarding to gmail. They only matter if sender uses DMARC with > p=reject > *and* has not signed their email with DKIM, which is a poor and rare > practice (though not forbidden). (Forwarding to gmail should not > break > the original sender's DKIM signature.) > > I see "SPF: SOFTFAIL" in my gmail message. > > Authentication results: > spf=softfail (google.com <http://google.com>: domain of transitioning some_user@sender_domain does not designate MY_IP_ADDR as permitted sender) > > While the message is not blocked, it is still not good to have SPF failure. Even when failure is soft. > > It seems that I can't fix it, right? Don't worry about it. There are enough real problems to worry about. |
> > Thank you.
Not that I'm recommending it (or in fact have any experience with it
> > I see "SPF: SOFTFAIL" in my gmail message. > > > > Authentication results: > > spf=softfail (google.com <http://google.com>: domain of > transitioning some_user@sender_domain does not designate MY_IP_ADDR as > permitted sender) > > > > While the message is not blocked, it is still not good to have SPF > failure. Even when failure is soft. > > > > It seems that I can't fix it, right? > > Don't worry about it. There are enough real problems to worry about. > myself), but theoretically at least, you could probably use the "smtpd_command_filter" option to modify the RFC5321.MailFrom address to substitute your own domain in place of the sender's domain (e.g. change "sender@senderdomain" to "sender+senderdomain@yourdomain"), before you relay the message to Google (but after you've done your own incoming checks, which probably entails setting up a separate smtpd service on a loopback interface)? Doing so would alleviate the SPF failure, although I should highlight that it won't actually make any practical difference to the DMARC result because the RFC5321.MailFrom address will be out of alignment with the RFC5322.From address. Plus it may also create other issues with bounce messages... You'd probably need a mechanism to reverse the translation for a non-delivery report received from GMail (e.g. change "sender+senderdomain@yourdomain" back to "sender@senderdomain", so that the original sender can be notified if your mailbox is full), but at the same time avoid creating an open-relay type of vulnerability (e.g. allowing an attacker to use "user+targetdomain@mydomain" to trick your server into forwarding emails to "user@targetdomain"). Of course the real cost of implementing something like this is the increased effort required to figure out what went wrong when something isn't working properly. :-P Nick. |
On 9/16/20 6:18 AM, Nick Tait wrote: >> > Thank you. >> > I see "SPF: SOFTFAIL" in my gmail message. >> > >> > Authentication results: >> > spf=softfail (google.com <http://google.com>: domain of >> transitioning some_user@sender_domain does not designate MY_IP_ADDR >> as permitted sender) >> > >> > While the message is not blocked, it is still not good to have SPF >> failure. Even when failure is soft. >> > >> > It seems that I can't fix it, right? >> >> Don't worry about it. There are enough real problems to worry about. >> > Not that I'm recommending it (or in fact have any experience with it > myself), but theoretically at least, you could probably use the > "smtpd_command_filter" option to modify the RFC5321.MailFrom address > to substitute your own domain in place of the sender's domain (e.g. > change "sender@senderdomain" to This is called Sender Rewriting Scheme (SRS). There are milters for it. Our gateway uses a sub-domain in the rewrite, then rewrite's it back. > "sender+senderdomain@yourdomain"), before you relay the message to > Google (but after you've done your own incoming checks, which probably > entails setting up a separate smtpd service on a loopback interface)? > Doing so would alleviate the SPF failure, although I should highlight > that it won't actually make any practical difference to the DMARC > result because the RFC5321.MailFrom address will be out of alignment > with the RFC5322.From address. Plus it may also create other issues > with bounce messages... You'd probably need a mechanism to reverse the > translation for a non-delivery report received from GMail (e.g. change > "sender+senderdomain@yourdomain" back to "sender@senderdomain", so > that the original sender can be notified if your mailbox is full), but > at the same time avoid creating an open-relay type of vulnerability > (e.g. allowing an attacker to use "user+targetdomain@mydomain" to > trick your server into forwarding emails to "user@targetdomain"). > > Of course the real cost of implementing something like this is the > increased effort required to figure out what went wrong when something > isn't working properly. :-P > > Nick. > -- Michael D. Sofka [hidden email] ITI Software Architect, Email, TeX, Epistemology Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/ |
In reply to this post by ilyak
Thank you all. This is how I fixed it (after Bill Cole's email): I needed to substitute envelope (MAIL FROM:) to match my address, but the message (along with it's headers) shouldn't be touched. sender_canonical_classes = envelope_sender # Only change envelope, not body sender_canonical_maps = regexp:/etc/postfix/sender_canonical_map # In this file I change envelope address to my domain.Google is now perfectly happy with both SPF and DKIM. Shouldn't we add this recipe to the official postfix documentation? On Mon, Sep 14, 2020 at 4:31 PM IL Ka <[hidden email]> wrote:
|
On 18/10/20 7:10 am, IL Ka wrote:
> Thank you all. This is how I fixed it (after Bill Cole's email): I > needed to substitute envelope (MAIL FROM:) to match my address, but > the message (along with it's headers) shouldn't be touched. > > sender_canonical_classes = envelope_sender # Only change envelope, > not body > sender_canonical_maps = regexp:/etc/postfix/sender_canonical_map # In > this file I change envelope > address to my domain. > > Google is now perfectly happy with both SPF and DKIM. > > Shouldn't we add this recipe to the official postfix documentation? Don't forget about bounce notifications. So rather than rewriting addresses using sender_canonical_maps, you might be better off looking into Sender Rewriting Scheme (SRS)? Nick. |
Free forum by Nabble | Edit this page |