Mail forwarding through a relay

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Mail forwarding through a relay

John Regan
Hi,

I have a postfix-3.2.6 system that acts as a mail server and pop/imap using dovecot for a small domain. The problem is that people are increasingly using it as a relay to a personal account, such as Gmail and Yahoo.

This is resulting in the receiving system rejecting the message due to SPF failing. 

Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<[hidden email]>, orig_to=<[hidden email]>, relay=mx0.digitalwest.net[72.29.183.105]:25, delay=2.7, delays=0.05/0/1.5/1.1, dsn=5.0.0, status=bounced (host mx0.digitalwest.net[72.29.183.105] said: 550-[SPF] 44.104.18.100 is not allowed to send mail from mchat.booking.com. 550-Message blocked - Please check settings. See 550 http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx (in reply to RCPT TO command))

Is my only option here to do something like SRS or can this be fixed another way?


Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Dominic Raferd


On Thu, 12 Sep 2019 at 05:14, John Regan <[hidden email]> wrote:
Hi,

I have a postfix-3.2.6 system that acts as a mail server and pop/imap using dovecot for a small domain. The problem is that people are increasingly using it as a relay to a personal account, such as Gmail and Yahoo.

This is resulting in the receiving system rejecting the message due to SPF failing. 

Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<[hidden email]>, orig_to=<[hidden email]>, relay=mx0.digitalwest.net[72.29.183.105]:25, delay=2.7, delays=0.05/0/1.5/1.1, dsn=5.0.0, status=bounced (host mx0.digitalwest.net[72.29.183.105] said: 550-[SPF] 44.104.18.100 is not allowed to send mail from mchat.booking.com. 550-Message blocked - Please check settings. See 550 http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx (in reply to RCPT TO command))

Is my only option here to do something like SRS or can this be fixed another way?

I'm puzzled - you mention gmail and yahoo but the example you give is for digitalwest. They appear to be blocking based purely on SPF (their information link does not seem to work) - gmail does not do this and I doubt yahoo do it either. The situation which will cause problems when relaying to gmail or to yahoo is blocking based on DMARC where the sender domain has set a p=reject policy but doesn't add a DKIM signature header. Another problem you may face is that if you are relaying too much spam into gmail your server might be blacklisted.
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Chris Wedgwood
In reply to this post by John Regan
> I have a postfix-3.2.6 system that acts as a mail server and
> pop/imap using dovecot for a small domain. The problem is that
> people are increasingly using it as a relay to a personal account,
> such as Gmail and Yahoo.

perhaps i misunderstand

they are sending email from gmail/yahoo addresses from your MTA?  if
so those will get blocked in many cases and marked as spam in many
others


for example with gmail:

  _dmarc.gmail.com.       596     IN      TXT     "v=DMARC1; p=none; sp=quarantine; rua=mailto:[hidden email]"

  gmail.com.              205     IN      TXT     "v=spf1 redirect=_spf.google.com"

  _spf.google.com.        176     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

...

you MTA is not going to be included in any of those records, so you're
MTA isn't a valid origin for @gmail.com

and you're not going to be able to sign messages with a valid (dkim)
signature either


this is how spf/dmarc works

there is in some sense nothing to fix, if you want to send as
[hidden email] you have to do it through a gmail smtp relay (which
they provide)
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Dominic Raferd
On Thu, 12 Sep 2019 at 10:24, Chris Wedgwood <[hidden email]> wrote:

>
> > I have a postfix-3.2.6 system that acts as a mail server and
> > pop/imap using dovecot for a small domain. The problem is that
> > people are increasingly using it as a relay to a personal account,
> > such as Gmail and Yahoo.
>
> perhaps i misunderstand
>
> they are sending email from gmail/yahoo addresses from your MTA?  if
> so those will get blocked in many cases and marked as spam in many
> others
>
>
> for example with gmail:
>
>   _dmarc.gmail.com.       596     IN      TXT     "v=DMARC1; p=none; sp=quarantine; rua=mailto:[hidden email]"
>
>   gmail.com.              205     IN      TXT     "v=spf1 redirect=_spf.google.com"
>
>   _spf.google.com.        176     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
>
> ...
>
> you MTA is not going to be included in any of those records, so you're
> MTA isn't a valid origin for @gmail.com and you're not going to be able to sign messages with a valid (dkim)
> signature either. this is how spf/dmarc works


but note in the DMARC record that you quote: ' p=none': Gmail is
telling other servers *not* to block (or quarantine) emails from
@gmail.com that do not obey SPF or DKIM rules. Yahoo by contrast:

# dig +short _dmarc.yahoo.com TXT
"v=DMARC1; p=reject; pct=100; rua=mailto:[hidden email];"
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Matus UHLAR - fantomas
In reply to this post by John Regan
On 11.09.19 22:12, John Regan wrote:
>I have a postfix-3.2.6 system that acts as a mail server and pop/imap using
>dovecot for a small domain. The problem is that people are increasingly
>using it as a relay to a personal account, such as Gmail and Yahoo.

do you mean, they use gmail and yahoo From: addresses, while sending through
your server? Or fdo they simply forward their incoming mail to their
gmail/yahoo addresses?

>This is resulting in the receiving system rejecting the message due to SPF
>failing.
>
>Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<
>[hidden email]>, orig_to=<[hidden email]>,
>relay=mx0.digitalwest.net[72.29.183.105]:25,
>delay=2.7, delays=0.05/0/1.5/1.1, dsn=5.0.0, status=bounced (host
>mx0.digitalwest.net[72.29.183.105] said: 550-[SPF] 44.104.18.100 is not
>allowed to send mail from mchat.booking.com. 550-Message blocked - Please
>check settings. See 550
>http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx
>(in reply to RCPT TO command))
>
>Is my only option here to do something like SRS or can this be fixed
>another way?

use SRS when forwarding mail. look for postsrsd or postforward
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Christos Chatzaras


>
> use SRS when forwarding mail. look for postsrsd or postforward --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?

Using SRS will cause reputation issues (if spam pass) as the e-mail is forwarded with his domain, right?
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Matus UHLAR - fantomas
>> use SRS when forwarding mail. look for postsrsd or postforward --
>> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> Despite the cost of living, have you noticed how popular it remains?

On 12.09.19 11:14, Christos Chatzaras wrote:
>Using SRS will cause reputation issues (if spam pass) as the e-mail is
> forwarded with his domain, right?

he can disable forwarding to avoid any issues...

or install spam filter that won't allow spam being forwarded.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

Chris Wedgwood
In reply to this post by Dominic Raferd
> but note in the DMARC record that you quote: ' p=none': Gmail is
> telling other servers *not* to block (or quarantine) emails from
> @gmail.com that do not obey SPF or DKIM rules. Yahoo by contrast:
>
> # dig +short _dmarc.yahoo.com TXT
> "v=DMARC1; p=reject; pct=100; rua=mailto:[hidden email];"

IME some sites will still block or quarantine.
Reply | Threaded
Open this post in threaded view
|

Re: Mail forwarding through a relay

John Regan
In reply to this post by Chris Wedgwood
Hi,

On Thu, Sep 12, 2019 at 3:14 AM Chris Wedgwood <[hidden email]> wrote:
> I have a postfix-3.2.6 system that acts as a mail server and
> pop/imap using dovecot for a small domain. The problem is that
> people are increasingly using it as a relay to a personal account,
> such as Gmail and Yahoo.

perhaps i misunderstand

they are sending email from gmail/yahoo addresses from your MTA?  if
so those will get blocked in many cases and marked as spam in many
others

No, the issue is with people sending them email to their address on our system which is then forwarded on to some remote system - a digitalwest system in my example, but I'm also concerned with other systems, including gmail and yahoo, of course.

Do mail providers like digitalwest typically allow forwarding from their accounts through to other providers? With no easy solution, what do most providers do?

Is SRS in practical use? Is the general recommendation that it should be implemented in situations like this, or is disabling forwarding more common? Is the policy of most systems to reject on SPF fail?

Thanks so much for everyone's help.