Proper Forwarding Procedure?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Proper Forwarding Procedure?

Steve Jenkins-2
I've got a Postfix server hosting a lastname.org domain name for family members. 

I use virtual aliasing to forward inbound mail for family members to third-pary mail providers (mostly gmail, but a few yahoo and aol, too). 

I've also created user accounts on the server for a very small handful of immediate family members (4 people) so they can authenticate (via TLS) send email as [hidden email] (which is properly DKIM signed and will pass an SPF check).

I do not provide any mail storage or retrieval on the server (no POP or IMAP) for any family members.

This has worked fine for years, but now I'm starting to see warnings in the Postfix log from Gmail, stating that the server is being rate-limited because of unsolicited messages. I presume that Gmail is sensing SPAM being sent to the @lastname.org accounts, which gets forwarded to the family member's Gmail account. I don't do any spam checking or filtering on the Postfix server.

So my questions are:

1) What's the best way to forward family members' incoming mail to Gmail (and other mailers)?

2) My Postscreen and main.cf sender restrictions are rejecting a fair amount of inbound spam, but apparently not enough to keep Gmail happy.

3) Should I consider setting up SpamAssassin with some very low thresholds to pick up the obvious stuff?

Thanks in advance,

Steve
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Dominic Raferd


On 9 June 2017 at 20:45, Steve Jenkins <[hidden email]> wrote:
I've got a Postfix server hosting a lastname.org domain name for family members. 

I use virtual aliasing to forward inbound mail for family members to third-pary mail providers (mostly gmail, but a few yahoo and aol, too). 

I've also created user accounts on the server for a very small handful of immediate family members (4 people) so they can authenticate (via TLS) send email as [hidden email] (which is properly DKIM signed and will pass an SPF check).

I do not provide any mail storage or retrieval on the server (no POP or IMAP) for any family members.

This has worked fine for years, but now I'm starting to see warnings in the Postfix log from Gmail, stating that the server is being rate-limited because of unsolicited messages. I presume that Gmail is sensing SPAM being sent to the @lastname.org accounts, which gets forwarded to the family member's Gmail account. I don't do any spam checking or filtering on the Postfix server.

So my questions are:

1) What's the best way to forward family members' incoming mail to Gmail (and other mailers)?

2) My Postscreen and main.cf sender restrictions are rejecting a fair amount of inbound spam, but apparently not enough to keep Gmail happy.

3) Should I consider setting up SpamAssassin with some very low thresholds to pick up the obvious stuff?

​I have a not-dissimilar setup and I have various fixes to minimise Gmail's upset. But I guess the first q is whether you need to be worried about the 'rate-limited' messages. If you have a low volume of incoming emails anyway a bit of rate-limiting is hardly likely to be a problem.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Matthew McGehrin
Gmail will also display that error message when you attempt to forward
them spam as well. It will eventually let the messages pass after a
short delay.

You can increase your: smtp_mx_session_limit. The default is 2, by
increasing it to 5 it will try more gmail SMTP servers.
smtp_mx_session_limit=5

Also, I increased my flush delay from 1000 to 1800 so it runs every 30
minutes. Gmail doesn't complain as often with a longer retry it seems.

flush     unix  n       -       n       1800?   0       flush

-- Matthew


Dominic Raferd wrote:

>
> On 9 June 2017 at 20:45, Steve Jenkins <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     I've got a Postfix server hosting a lastname.org
>     <http://lastname.org> domain name for family members.
>
>     I use virtual aliasing to forward inbound mail for family members
>     to third-pary mail providers (mostly gmail, but a few yahoo and
>     aol, too).
>
>     1) What's the best way to forward family members' incoming mail to
>     Gmail (and other mailers)?
>
>     2) My Postscreen and main.cf <http://main.cf> sender restrictions
>     are rejecting a fair amount of inbound spam, but apparently not
>     enough to keep Gmail happy.
>
>     3) Should I consider setting up SpamAssassin with some very low
>     thresholds to pick up the obvious stuff?
>
>
> ​I have a not-dissimilar setup and I have various fixes to minimise
> Gmail's upset. But I guess the first q is whether you need to be
> worried about the 'rate-limited' messages. If you have a low volume of
> incoming emails anyway a bit of rate-limiting is hardly likely to be a
> problem.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Philip Paeps
In reply to this post by Steve Jenkins-2
On 2017-06-09 12:45:31 (-0700), Steve Jenkins <[hidden email]> wrote:

>I've got a Postfix server hosting a lastname.org domain name for family
>members.
>
>I use virtual aliasing to forward inbound mail for family members to
>third-pary mail providers (mostly gmail, but a few yahoo and aol, too).
>
>I've also created user accounts on the server for a very small handful
>of immediate family members (4 people) so they can authenticate (via
>TLS) send email as [hidden email] (which is properly DKIM
>signed and will pass an SPF check).
>
>I do not provide any mail storage or retrieval on the server (no POP or
>IMAP) for any family members.
>
>This has worked fine for years, but now I'm starting to see warnings in
>the Postfix log from Gmail, stating that the server is being
>rate-limited because of unsolicited messages. I presume that Gmail is
>sensing SPAM being sent to the @lastname.org accounts, which gets
>forwarded to the family member's Gmail account. I don't do any spam
>checking or filtering on the Postfix server.
>
>So my questions are:
>
>1) What's the best way to forward family members' incoming mail to
>Gmail (and other mailers)?

There really isn't any "best" way to do this.  Reportedly, Google can
retrieve email over POP3 or IMAP.  Perhaps you can set up accounts for
your users?

>2) My Postscreen and main.cf sender restrictions are rejecting a fair
>amount of inbound spam, but apparently not enough to keep Gmail happy.
>
>3) Should I consider setting up SpamAssassin with some very low
>thresholds to pick up the obvious stuff?

Yes.  Google gets increasingly cranky if you relay spam to them and
ultimately your users will blame you when Google eventually files all
their mail coming from your server as junk.

But you really want users to pull mail from you.  Unfortunately,
forwarding is no longer a viable option in the current world of email.  
The spammers have broken that for everyone.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Philip Paeps
In reply to this post by Dominic Raferd
On 2017-06-09 21:10:12 (+0100), Dominic Raferd <[hidden email]> wrote:

>On 9 June 2017 at 20:45, Steve Jenkins <[hidden email]> wrote:
>>I've got a Postfix server hosting a lastname.org domain name for
>>family members.
>>
>>I use virtual aliasing to forward inbound mail for family members to
>>third-pary mail providers (mostly gmail, but a few yahoo and aol,
>>too).
>>
>>I've also created user accounts on the server for a very small handful
>>of immediate family members (4 people) so they can authenticate (via
>>TLS) send email as [hidden email] (which is properly DKIM
>>signed and will pass an SPF check).
>>
>>I do not provide any mail storage or retrieval on the server (no POP
>>or IMAP) for any family members.
>>
>>This has worked fine for years, but now I'm starting to see warnings
>>in the Postfix log from Gmail, stating that the server is being
>>rate-limited because of unsolicited messages. I presume that Gmail is
>>sensing SPAM being sent to the @lastname.org accounts, which gets
>>forwarded to the family member's Gmail account. I don't do any spam
>>checking or filtering on the Postfix server.
>>
>>So my questions are:
>>
>>1) What's the best way to forward family members' incoming mail to
>>Gmail (and other mailers)?
>>
>>2) My Postscreen and main.cf sender restrictions are rejecting a fair
>>amount of inbound spam, but apparently not enough to keep Gmail happy.
>>
>>3) Should I consider setting up SpamAssassin with some very low
>>thresholds to pick up the obvious stuff?
>
>I have a not-dissimilar setup and I have various fixes to minimise
>Gmail's upset. But I guess the first q is whether you need to be
>worried about the 'rate-limited' messages. If you have a low volume of
>incoming emails anyway a bit of rate-limiting is hardly likely to be a
>problem.

The rate-limiting may not be a big problem long-term but eventually all
email coming from you will be filed as spam.  And then users will blame
you for that ...

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Dominic Raferd
On 10/06/2017 20:03, Philip Paeps wrote:

> On 2017-06-09 21:10:12 (+0100), Dominic Raferd
> <[hidden email]> wrote:
>> On 9 June 2017 at 20:45, Steve Jenkins <[hidden email]> wrote:
>>> I've got a Postfix server hosting a lastname.org domain name for
>>> family members.
>>>
>>> I use virtual aliasing to forward inbound mail for family members to
>>> third-pary mail providers (mostly gmail, but a few yahoo and aol, too).
>>>
>>> I've also created user accounts on the server for a very small
>>> handful of immediate family members (4 people) so they can
>>> authenticate (via TLS) send email as [hidden email] (which
>>> is properly DKIM signed and will pass an SPF check).
>>>
>>> I do not provide any mail storage or retrieval on the server (no POP
>>> or IMAP) for any family members.
>>>
>>> This has worked fine for years, but now I'm starting to see warnings
>>> in the Postfix log from Gmail, stating that the server is being
>>> rate-limited because of unsolicited messages. I presume that Gmail
>>> is sensing SPAM being sent to the @lastname.org accounts, which gets
>>> forwarded to the family member's Gmail account. I don't do any spam
>>> checking or filtering on the Postfix server.
>>>
>>> So my questions are:
>>>
>>> 1) What's the best way to forward family members' incoming mail to
>>> Gmail (and other mailers)?
>>>
>>> 2) My Postscreen and main.cf sender restrictions are rejecting a
>>> fair amount of inbound spam, but apparently not enough to keep Gmail
>>> happy.
>>>
>>> 3) Should I consider setting up SpamAssassin with some very low
>>> thresholds to pick up the obvious stuff?
>>
>> I have a not-dissimilar setup and I have various fixes to minimise
>> Gmail's upset. But I guess the first q is whether you need to be
>> worried about the 'rate-limited' messages. If you have a low volume
>> of incoming emails anyway a bit of rate-limiting is hardly likely to
>> be a problem.
>
> The rate-limiting may not be a big problem long-term but eventually
> all email coming from you will be filed as spam.  And then users will
> blame you for that ...

I certainly assumed the same when designing my system, which takes a
range of measures to minimise such emails - both spam/virus blocking of
its own, and reacting swiftly to any messages received back from Gmail.

I was not brave enough to ignore Gmail's rate-limiting (and other)
messages and see what if anything happened next (like the OP we have
very low volumes of legitimate incoming mail). All I can say is that
during the several months it took me to 'perfect' the system, we weren't
blocked by Gmail nor were our forwarded emails filed by Gmail as spam.
(Gmail continues to provide a good 'final spam filter' service for us
after the more egregious rubbish has been filtered out by our own system.)

If someone has direct experience of uniform blocking and/or spam-filing
by Gmail (against an 'innocent' forwarder) then I would be interested
(and feel that my work was not after all a waste of time...)
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Peter Ajamian
On 11/06/17 19:01, Dominic Raferd wrote:
> I certainly assumed the same when designing my system, which takes a
> range of measures to minimise such emails - both spam/virus blocking of
> its own, and reacting swiftly to any messages received back from Gmail.

The thing you need to be aware of is that it is impossible for you to
actually stop all mail that google might consider SPAM.  Even if you run
really strict SPAM filtering and you can find everything that google's
own filters would find, there is still the issue of the "Spam" button in
gmail.  What can happen is a user may recognize a message that slipped
past your filters as SPAM and flag it, and then google would assume that
you're the source.  An end user might flag legitimate ham as spam by
accident and they don't think much of it.  Heck there are even users out
there that use the Spam button as a "delete" button!

So at the end of the day, it doesn't matter how aggressive you are,
there is at least some chance that google will flag your server as a
source of SPAM.


Peter
pbw
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

pbw
And from Google’s point of view, this spam-fighting service to the public might even have the terrible consequence that Gmail be forced to accommodate even more users. An awful result for Google.

Peter

> On 11 Jun 2017, at 6:35 pm, Peter <[hidden email]> wrote:
>
> On 11/06/17 19:01, Dominic Raferd wrote:
>> I certainly assumed the same when designing my system, which takes a
>> range of measures to minimise such emails - both spam/virus blocking of
>> its own, and reacting swiftly to any messages received back from Gmail.
>
> The thing you need to be aware of is that it is impossible for you to
> actually stop all mail that google might consider SPAM.  Even if you run
> really strict SPAM filtering and you can find everything that google's
> own filters would find, there is still the issue of the "Spam" button in
> gmail.  What can happen is a user may recognize a message that slipped
> past your filters as SPAM and flag it, and then google would assume that
> you're the source.  An end user might flag legitimate ham as spam by
> accident and they don't think much of it.  Heck there are even users out
> there that use the Spam button as a "delete" button!
>
> So at the end of the day, it doesn't matter how aggressive you are,
> there is at least some chance that google will flag your server as a
> source of SPAM.
>
>
> Peter


signature.asc (242 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Dusan Obradovic-2
In reply to this post by Steve Jenkins-2

> On Jun 9, 2017, at 21:45, Steve Jenkins <[hidden email]> wrote:
>
> I've got a Postfix server hosting a lastname.org domain name for family members.
>
> I use virtual aliasing to forward inbound mail for family members to third-pary mail providers (mostly gmail, but a few yahoo and aol, too).
>
> I've also created user accounts on the server for a very small handful of immediate family members (4 people) so they can authenticate (via TLS) send email as [hidden email] (which is properly DKIM signed and will pass an SPF check).
>
> I do not provide any mail storage or retrieval on the server (no POP or IMAP) for any family members.
>
> This has worked fine for years, but now I'm starting to see warnings in the Postfix log from Gmail, stating that the server is being rate-limited because of unsolicited messages. I presume that Gmail is sensing SPAM being sent to the @lastname.org accounts, which gets forwarded to the family member's Gmail account. I don't do any spam checking or filtering on the Postfix server.
>
> So my questions are:
>
> 1) What's the best way to forward family members' incoming mail to Gmail (and other mailers)?
>
> 2) My Postscreen and main.cf sender restrictions are rejecting a fair amount of inbound spam, but apparently not enough to keep Gmail happy.
>
> 3) Should I consider setting up SpamAssassin with some very low thresholds to pick up the obvious stuff?
>
> Thanks in advance,
>
> Steve

When forwarding without SRS - Sender Rewriting Scheme you'll need to account for SPF failures.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Proper Forwarding Procedure?

Dominic Raferd


On 2 July 2017 at 14:31, Dusan Obradovic <[hidden email]> wrote:

> On Jun 9, 2017, at 21:45, Steve Jenkins <[hidden email]> wrote:
>
> I've got a Postfix server hosting a lastname.org domain name for family members.
>
> I use virtual aliasing to forward inbound mail for family members to third-pary mail providers (mostly gmail, but a few yahoo and aol, too).
>
> I've also created user accounts on the server for a very small handful of immediate family members (4 people) so they can authenticate (via TLS) send email as [hidden email] (which is properly DKIM signed and will pass an SPF check).
>
> I do not provide any mail storage or retrieval on the server (no POP or IMAP) for any family members.
>
> This has worked fine for years, but now I'm starting to see warnings in the Postfix log from Gmail, stating that the server is being rate-limited because of unsolicited messages. I presume that Gmail is sensing SPAM being sent to the @lastname.org accounts, which gets forwarded to the family member's Gmail account. I don't do any spam checking or filtering on the Postfix server.
>
> So my questions are:
>
> 1) What's the best way to forward family members' incoming mail to Gmail (and other mailers)?
>
> 2) My Postscreen and main.cf sender restrictions are rejecting a fair amount of inbound spam, but apparently not enough to keep Gmail happy.
>
> 3) Should I consider setting up SpamAssassin with some very low thresholds to pick up the obvious stuff?
>
> Thanks in advance,
>
> Steve

When forwarding without SRS - Sender Rewriting Scheme you'll need to account for SPF failures.

True, but provided your own server is enforcing DMARC (e.g. using opendmarc) it is only a problem for legitimate incoming mails from a domain with p=reject DMARC policy and which are incorrectly DKIM-signed (or are unsigned), and thus depend on SPF (which is broken by relaying) for delivery. Fortunately such instances are rare.

My (automated) solution in such a case is to rewrite the response code from the onward server's 550 5.7.1 to 250 2.0.0 and to forward the original email to the original recipient *as an attachment* with an explanatory cover message.

Loading...