Forwarding mail through a gateway

Forwarding mail through a gateway

John Regan
Hi,

I have a postfix-3.2.6 with fedora30 configured as an imap system for a subdomain that also relays mail for a few thousand users. Many users simply create a ~/.forward entry that forwards their mail through the system to a GMail account.

I believe this has created some issues with reputation, as the mail from remote addresses appears to be coming from this system without authorization. The MX for this host is a few other postfix relays at the top-level for this domain. This system handles outbound mail for this sub-domain.

I'm seeing messages in the logs similar to this:

Aug  6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0  https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of DATA command)

Aug  6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0  https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command)

The postfix-turtle transport is used for hosts that require or have requested mail to be delivered more slowly to prevent being blacklisted (like gmail.com and domains managed by Google). When the main office sends email to all or a majority of the few thousand recipients at a time, we needed a way to throttle the delivery with so many of the recipients forwarding mail off the system to their gmail accounts without being blacklisted.

These two examples above are mail that originated on this server, destined for gmail.com recipients. Is the fix to these problems to create an SPF record for this host? We had discussed this some time ago, but what effect does that have on relayed mail that doesn't originate from this domain? And it will break with mailing list email, correct? We had also discussed SRS, but that doesn't seem to be utilized any longer? That looks to be a huge undertaking.

Of course I've read the Google support link above. I'm just curious about the implications of doing this with my specific environment as I've described. What am I in for when doing this?

Should we be signing all outgoing messages with DKIM?





Re: Forwarding mail through a gateway

John Dale
I do not have nearly your footprint or users, but I do set up
DKIM/SPF/DMARC by default.  Also, Google has an escalation process for
emails.  You submit the request along with the complete email (with
headers).  Work through the process at this URL and you might have some
luck.

https://support.google.com/mail/?p=UnsolicitedIPError


On 8/6/19 6:36 PM, John Regan wrote:

> Hi,
>
> I have a postfix-3.2.6 with fedora30 configured as an imap system for
> a subdomain that also relays mail for a few thousand users. Many users
> simply create a ~/.forward entry that forwards their mail through the
> system to a GMail account.
>
> I believe this has created some issues with reputation, as the mail
> from remote addresses appears to be coming from this system without
> authorization. The MX for this host is a few other postfix relays at
> the top-level for this domain. This system handles outbound mail for
> this sub-domain.
>
> I'm seeing messages in the logs similar to this:
>
> Aug  6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host
> gmail-smtp-in.l.google.COM
> <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0
> This message does not have authentication information or fails to pass
> 421-4.7.0 authentication checks. To best protect our users from spam,
> the 421-4.7.0 message has been blocked. Please visit 421-4.7.0
> https://support.google.com/mail/answer/81126#authentication for more
> 421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of
> DATA command)
>
> Aug  6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host
> gmail-smtp-in.l.google.COM
> <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0 This
> message does not have authentication information or fails to pass
> 421-4.7.0 authentication checks. To best protect our users from spam, the
> 421-4.7.0 message has been blocked. Please visit 421-4.7.0
> https://support.google.com/mail/answer/81126#authentication for more
> 421 4.7.0 information. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command)
>
> The postfix-turtle transport is used for hosts that require or have
> requested mail to be delivered more slowly to prevent being
> blacklisted (like gmail.com and domains managed by Google). When the
> main office sends email to all or a majority of the few thousand
> recipients at a time, we needed a way to throttle the delivery with so
> many of the recipients forwarding mail off the system to their gmail
> accounts without being blacklisted.
>
> These two examples above are mail that originated on this server,
> destined for gmail.com <http://gmail.com> recipients. Is the fix to
> these problems to create an SPF record for this host? We had discussed
> this some time ago, but what effect does that have on relayed mail
> that doesn't originate from this domain? And it will break with
> mailing list email, correct? We had also discussed SRS, but that
> doesn't seem to be utilized any longer? That looks to be a huge
> undertaking.
>
> Of course I've read the Google support link above. I'm just curious
> about the implications of doing this with my specific environment as
> I've described. What am I in for when doing this?
>
> Should we be signing all outgoing messages with DKIM?
>
>
>
>

Re: Forwarding mail through a gateway

Dominic Raferd


On Wed, 7 Aug 2019 at 01:48, John Dale <[hidden email]> wrote:
> I do not have nearly your footprint or users, but I do set up
> DKIM/SPF/DMARC by default.  Also, Google has an escalation process for
> emails.  You submit the request along with the complete email (with
> headers).  Work through the process at this URL and you might have some
> luck.
>
> https://support.google.com/mail/?p=UnsolicitedIPError


On 8/6/19 6:36 PM, John Regan wrote:
> Hi,
>
> I have a postfix-3.2.6 with fedora30 configured as an imap system for
> a subdomain that also relays mail for a few thousand users. Many users
> simply create a ~/.forward entry that forwards their mail through the
> system to a GMail account.
>
> I believe this has created some issues with reputation, as the mail
> from remote addresses appears to be coming from this system without
> authorization. The MX for this host is a few other postfix relays at
> the top-level for this domain. This system handles outbound mail for
> this sub-domain.
>
> I'm seeing messages in the logs similar to this:
>
> Aug  6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host
> gmail-smtp-in.l.google.COM
> <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0
> This message does not have authentication information or fails to pass
> 421-4.7.0 authentication checks. To best protect our users from spam,
> the 421-4.7.0 message has been blocked. Please visit 421-4.7.0
> https://support.google.com/mail/answer/81126#authentication for more
> 421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of
> DATA command)
>
> Aug  6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host
> gmail-smtp-in.l.google.COM
> <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0 This
> message does not have authentication information or fails to pass
> 421-4.7.0 authentication checks. To best protect our users from spam, the
> 421-4.7.0 message has been blocked. Please visit 421-4.7.0
> https://support.google.com/mail/answer/81126#authentication for more
> 421 4.7.0 information. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command)
>
> The postfix-turtle transport is used for hosts that require or have
> requested mail to be delivered more slowly to prevent being
> blacklisted (like gmail.com and domains managed by Google). When the
> main office sends email to all or a majority of the few thousand
> recipients at a time, we needed a way to throttle the delivery with so
> many of the recipients forwarding mail off the system to their gmail
> accounts without being blacklisted.
>
> These two examples above are mail that originated on this server,
> destined for gmail.com <http://gmail.com> recipients. Is the fix to
> these problems to create an SPF record for this host? We had discussed
> this some time ago, but what effect does that have on relayed mail
> that doesn't originate from this domain? And it will break with
> mailing list email, correct? We had also discussed SRS, but that
> doesn't seem to be utilized any longer? That looks to be a huge
> undertaking.
>
> Of course I've read the Google support link above. I'm just curious
> about the implications of doing this with my specific environment as
> I've described. What am I in for when doing this?
>
> Should we be signing all outgoing messages with DKIM?

We do relay into Gmail from our (very small scale) mail servers and we use SPF, DKIM and (for our business domains, not the one I am emailing from) DMARC with p=reject. We see such responses from Gmail occasionally (in response to relayed, not our own originated, emails) - and our servers react to them in real time. But they are only temporary blocks so not in themselves a massive problem. The big concern is that Gmail can impose a 5xx permanent block on incoming emails from an IP they deem a repeat offender. We've never had this I am pleased to say. Another problem is relayed emails where the From domain has a DMARC p=reject policy and the sender has relied on SPF and not bothered with DKIM: such emails will be blocked (quite correctly) by Gmail. Overall they are rare - but, for instance, Her Majesty's Revenue and Customs often does this (including with some important emails).
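
The SPF, SRS and DKIM questions raised in this thread, worked through as an added example (not code from any of the posters): a toy DMARC evaluation of one message delivered directly, through a `~/.forward`, through a forward with SRS, and through a forward when the sender signs with DKIM. The domains, IPs and SPF table are constructed, and the organizational-domain lookup is a simplification.

```python
"""Toy DMARC evaluation for forwarded mail. All domains, IPs and SPF data are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed SPF data: domain -> IPs its SPF record authorizes (RFC 5737 test addresses).
SPF = {
    "sender.example": {"192.0.2.10"},
    "forwarder.example": {"198.51.100.7"},
}

@dataclass
class Delivery:
    header_from: str        # domain in the From: header (what DMARC protects)
    mail_from: str          # envelope sender domain (what SPF checks)
    client_ip: str          # IP that connects to the final receiver
    dkim_d: Optional[str]   # d= of a signature that still verifies, else None

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_pass(d: Delivery) -> bool:
    return d.client_ip in SPF.get(d.mail_from, set())

def dmarc_pass(d: Delivery) -> bool:
    # DMARC passes if SPF or DKIM passes AND that domain aligns with From: (relaxed).
    spf_aligned = spf_pass(d) and org_domain(d.mail_from) == org_domain(d.header_from)
    dkim_aligned = d.dkim_d is not None and org_domain(d.dkim_d) == org_domain(d.header_from)
    return spf_aligned or dkim_aligned

def evaluate() -> dict:
    fwd_ip = "198.51.100.7"
    cases = {
        "direct, SPF only": Delivery("sender.example", "sender.example", "192.0.2.10", None),
        # A ~/.forward keeps the original envelope sender but changes the connecting IP.
        ".forward, SPF only": Delivery("sender.example", "sender.example", fwd_ip, None),
        # SRS rewrites the envelope sender into the forwarder's own domain.
        ".forward + SRS, SPF only": Delivery("sender.example", "forwarder.example", fwd_ip, None),
        # Assumes the forwarder leaves the signed headers and body untouched.
        ".forward, sender DKIM": Delivery("sender.example", "sender.example", fwd_ip, "sender.example"),
    }
    return {name: (spf_pass(d), dmarc_pass(d)) for name, d in cases.items()}

if __name__ == "__main__":
    for name, (spf, dmarc) in evaluate().items():
        print(f"{name:26} SPF={'pass' if spf else 'fail'}  DMARC={'pass' if dmarc else 'fail'}")
```

In the SRS case SPF passes, but for the forwarder's domain rather than the From domain, so a message whose From domain publishes p=reject still needs an aligned DKIM signature to survive forwarding.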