Forward mail and obey SPF and DKIM

> Hello.
> I have postfix running on linux box.
>
> I setup OpenDKIM with both smtpd and non_smtp milters.
> I also set my address in DNS as permitted IP for SPF.
>
> So far, so good.
>
> But I want all my mail to be forwarded to gmail.
>
> Some user sends me email from user@some_sender_domain.
>
> If I use .forward or alias, then postfix doesn't change "From" header,
> so gmail believes email was sent from @some_sender_domain.
> This domain doesn't have my box IP as permitted in DNS, so SPF failed.
>
> I can change header using headers_check. But then DKIM signature
> would be broken because some_sender_domain signed email and I changed it.
>
> It seems that I need to:
> * Change headers
> * Sign email with my DKIM
> * Forward it to gmail
>
> But milters are not applied on forwarded emails because they aren't
> locally generated (or I failed to configure it correctly?)
>
> I can fix it using custom script that reads my local email
> and sends it to gmail.
>
> But how can I do that with postfix?

> On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     On 14/09/2020 14:31, IL Ka wrote:
>     > Hello.
>     > I have postfix running on linux box.
>     >
>     > I setup OpenDKIM with both smtpd and non_smtp milters.
>     > I also set my address in DNS as permitted IP for SPF.
>     >
>     > So far, so good.
>     >
>     > But I want all my mail to be forwarded to gmail.
>     >
>     > Some user sends me email from user@some_sender_domain.
>     >
>     > If I use .forward or alias, then postfix doesn't change "From"
>     header,
>     > so gmail believes email was sent from @some_sender_domain.
>     > This domain doesn't have my box IP as permitted in DNS, so SPF
>     failed.
>     >
>     > I can change header using headers_check. But then DKIM signature
>     > would be broken because some_sender_domain signed email and I
>     changed it.
>     >
>     > It seems that I need to:
>     > * Change headers
>     > * Sign email with my DKIM
>     > * Forward it to gmail
>     >
>     > But milters are not applied on forwarded emails because they aren't
>     > locally generated (or I failed to configure it correctly?)
>     >
>     > I can fix it using custom script that reads my local email
>     > and sends it to gmail.
>     >
>     > But how can I do that with postfix?
>
>     The short answer is that SPF failures do not normally matter when
>     forwarding to gmail. They only matter if sender uses DMARC with
>     p=reject
>     *and* has not signed their email with DKIM, which is a poor and rare
>     practice (though not forbidden). (Forwarding to gmail should not
>     break
>     the original sender's DKIM signature.)
>

> > Thank you.
> > I see "SPF: SOFTFAIL" in my gmail message.
> >
> > Authentication results:
> > spf=softfail (google.com <http://google.com>: domain of
> transitioning some_user@sender_domain does not designate MY_IP_ADDR as
> permitted sender)
> >
> > While the message is not blocked, it is still not good to have SPF
> failure. Even when failure is soft.
> >
> > It seems that I can't fix it, right?
>
> Don't worry about it. There are enough real problems to worry about.
>

>> > Thank you.
>> > I see "SPF: SOFTFAIL" in my gmail message.
>> >
>> > Authentication results:
>> > spf=softfail (google.com <http://google.com>: domain of
>> transitioning some_user@sender_domain does not designate MY_IP_ADDR
>> as permitted sender)
>> >
>> > While the message is not blocked, it is still not good to have SPF
>> failure. Even when failure is soft.
>> >
>> > It seems that I can't fix it, right?
>>
>> Don't worry about it. There are enough real problems to worry about.
>>
> Not that I'm recommending it (or in fact have any experience with it
> myself), but theoretically at least, you could probably use the
> "smtpd_command_filter" option to modify the RFC5321.MailFrom address
> to substitute your own domain in place of the sender's domain (e.g.
> change "sender@senderdomain" to

> "sender+senderdomain@yourdomain"), before you relay the message to
> Google (but after you've done your own incoming checks, which probably
> entails setting up a separate smtpd service on a loopback interface)?
> Doing so would alleviate the SPF failure, although I should highlight
> that it won't actually make any practical difference to the DMARC
> result because the RFC5321.MailFrom address will be out of alignment
> with the RFC5322.From address. Plus it may also create other issues
> with bounce messages... You'd probably need a mechanism to reverse the
> translation for a non-delivery report received from GMail (e.g. change
> "sender+senderdomain@yourdomain" back to "sender@senderdomain", so
> that the original sender can be notified if your mailbox is full), but
> at the same time avoid creating an open-relay type of vulnerability
> (e.g. allowing an attacker to use "user+targetdomain@mydomain" to
> trick your server into forwarding emails to "user@targetdomain").
>
> Of course the real cost of implementing something like this is the
> increased effort required to figure out what went wrong when something
> isn't working properly. :-P
>
> Nick.
>

> Thank you all. This is how I fixed it (after Bill Cole's email): I
> needed to substitute envelope (MAIL FROM:) to match my address, but
> the message (along with it's headers) shouldn't be touched.
>
> sender_canonical_classes = envelope_sender  # Only change envelope,
> not body
> sender_canonical_maps =  regexp:/etc/postfix/sender_canonical_map # In
> this file I change envelope
> address to my domain.
>
> Google is now perfectly happy with both SPF and DKIM.
>
> Shouldn't we add this recipe to the official postfix documentation?