Question regarding Postfix virtual domains and SPF

Question regarding Postfix virtual domains and SPF

J Doe
Hi,

I have two questions regarding using SPF when I am using Postfix with virtual domain hosting.

I currently have an SPF record in my DNS:

example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”

I virtually host a domain (in this example case, example.com), that is set to forward mail to recipients on Gmail.  As an example case, if I send an e-mail from a Hotmail account to an address on my server it then forwards that mail to the user’s GMail e-mail address.

Path:   [hidden email] —> example.com (virtual domain) —> [hidden email]

When examining the e-mail details on GMail, I receive a “SOFTFAIL” for either the IPv4 or IPv6 of my server.  Farther down in the mail I see:

(google.com: domain of transitioning [hidden email] does not designate 1:2:3::4 as permitted sender)

Testing mail that actually originates from the server (not forwarded through virtual hosting), with the “mail” program shows a PASS of SPF on GMail.

My questions are:

1.  When using Postfix and virtual domain hosting in this fashion, is there any way to pass SPF when mail from a sending account is forwarded to another host (ie: Gmail) ?

2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same message generates a pass for DKIM (I have OpenDKIM configured and running correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and DMARC pass mean that SPF is always discounted and the mail won’t be quarantined ?

Thanks for your help,

- J

Re: Question regarding Postfix virtual domains and SPF

Harald Koch-2
I solved this particular problem (forwarding third-party email to google) using "postsrsd" https://github.com/roehling/postsrsd. SRS (Sender Rewriting Scheme) rewrites the envelope sender address so that it appears to be from your domain (allowing SPF to work). This is the scheme used by forwarders like pobox.com (which is how I learned about it :)

It has drawbacks - for example, it rewrites all email (even messages that are already from your domain). You might be able to configure around it ; I run it on a dedicated VPS so I didn't have to investigate that part.

-- 
Harald


On 16 October 2017 at 22:05, J Doe <[hidden email]> wrote:
> Hi,
>
> I have two questions regarding using SPF when I am using Postfix with virtual domain hosting.
>
> I currently have an SPF record in my DNS:
>
> example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
>
> I virtually host a domain (in this example case, example.com), that is set to forward mail to recipients on Gmail.  As an example case, if I send an e-mail from a Hotmail account to an address on my server it then forwards that mail to the user’s GMail e-mail address.
>
> Path:   [hidden email] — > example.com (virtual domain) — > [hidden email]
>
> When examining the e-mail details on GMail, I receive a “SOFTFAIL” for either the IPv4 or IPv6 of my server.  Farther down in the mail I see:
>
> (google.com: domain of transitioning [hidden email] does not designate 1:2:3::4 as permitted sender)
>
> Testing mail that actually originates from the server (not forwarded through virtual hosting), with the “mail” program shows a PASS of SPF on GMail.
>
> My questions are:
>
> 1.  When using Postfix and virtual domain hosting in this fashion, is there any way to pass SPF when mail from a sending account is forwarded to another host (ie: Gmail) ?
>
> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same message generates a pass for DKIM (I have OpenDKIM configured and running correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and DMARC pass mean that SPF is always discounted and the mail won’t be quarantined ?
>
> Thanks for your help,
>
> - J
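The envelope-sender rewrite that SRS performs, and its effect on the SPF check at the final receiver, shown as an added example (not part of the original posts and not postsrsd's code). It is a simplified sketch of the SRS0 address layout that is not guaranteed to be byte-compatible with postsrsd; the secret, `sender.example`, its SPF record and the day number are constructed.

```python
import base64
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-secret"  # assumption: the forwarder's private SRS key
FORWARDER = "example.com"            # forwarding domain used in the thread
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Constructed records: the thread's example.com record plus a made-up sender domain.
RECORDS = {"example.com": "v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all",
           "sender.example": "v=spf1 ip4:203.0.113.0/24 ~all"}

def _tag(stamp, domain, local):
    """Keyed hash so only the forwarder can mint or accept SRS addresses."""
    msg = f"{stamp}{domain}{local}".lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(sender, day):
    """user@origin -> SRS0=tag=stamp=origin=user@FORWARDER (day = days since epoch)."""
    local, domain = sender.rsplit("@", 1)
    stamp = B32[(day >> 5) & 31] + B32[day & 31]  # day counter mod 1024
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(address):
    """Recover the original sender for a bounce; refuse forged or altered tags."""
    fields = address.rsplit("@", 1)[0].split("=", 4)
    if len(fields) != 5 or fields[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, stamp, domain, local = fields
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        raise ValueError("SRS tag mismatch")
    return f"{local}@{domain}"

def spf_ip_check(record, client_ip):
    """Evaluate only ip4:/ip6: and the trailing 'all' term (no DNS lookups)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    for term in terms:
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if net.version == ip.version and ip in net:
                return "pass"
    return {"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(terms[-1], "none")

def spf_result(envelope_from, client_ip, records):
    """SPF is checked against the envelope sender's domain, from the connecting IP."""
    return spf_ip_check(records[envelope_from.rsplit("@", 1)[1].lower()], client_ip)
```

Calling `spf_result` with the original sender and then with `srs_forward(sender, day)` for the forwarder's IP shows the change from softfail to pass, and `srs_reverse` is what lets a bounce find its way back to the original sender.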


Re: Question regarding Postfix virtual domains and SPF

Viktor Dukhovni
In reply to this post by J Doe
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:

> My questions are:
>
> 1.  When using Postfix and virtual domain hosting in this fashion, is
> there any way to pass SPF when mail from a sending account is forwarded
> to another host (ie: Gmail) ?

This requires SRS, and fairly effective anti-spam filters.  Much
simpler to not support forwarding.

> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> message generates a pass for DKIM (I have OpenDKIM configured and running
> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
> DMARC pass mean that SPF is always discounted and the mail won’t be
> quarantined ?

When the sending domain has both SPF and DKIM, you may be fine, as
Google should be able to figure out that the message is a real
hotmail message relayed through your system.  However, much depends
on the details of the upstream DKIM signature and how it is processed
by Gmail.

Domains that only publish SPF pose a more significant issue.

--
        Viktor.

Re: Question regarding Postfix virtual domains and SPF

Dominic Raferd


On 17 October 2017 at 03:40, Viktor Dukhovni <[hidden email]> wrote:
> On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
>
>> My questions are:
>>
>> 1.  When using Postfix and virtual domain hosting in this fashion, is
>> there any way to pass SPF when mail from a sending account is forwarded
>> to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters.  Much
> simpler to not support forwarding.

or just don't worry about it

>> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
>> message generates a pass for DKIM (I have OpenDKIM configured and running
>> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
>> DMARC pass mean that SPF is always discounted and the mail won’t be
>> quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system.  However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.
>
> Domains that only publish SPF pose a more significant issue.

With DMARC, either an SPF pass or a DKIM pass will result in overall pass (subject to alignment). If there is no DMARC, or DMARC p=none, neither SPF nor DKIM failure should lead to rejection by Gmail. With DMARC p=quarantine, Gmail puts an email that fails SPF and DKIM into spam.

So it is only really an issue if the sender domain has DMARC p=reject policy and uses SPF without DKIM, but in my experience (with almost identical setup to OP) this is very rare.

Also, as Viktor's reply hints, there can be edge cases where an incoming mail passes DKIM at our server but fails DKIM at Gmail - again these are very rare (I am aware of one domain - with DMARC p=reject policy - some of whose marketing emails, but nothing important, fall into this category). Why this happens I don't know, presumably as Viktor says there is some difference between opendkim and Gmail's dkim implementation.

For forwarding to Gmail I recommend opendmarc (as well as opendkim) on your server, this can block some 'bad' incoming emails before they get sent on to Gmail and damage your server's reputation.  And decent spam filtering - I use lots of rbls as well as amavisd-new (which uses spamassassin but with bayesian tests disabled because there can be no ham/spam learning).
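The DMARC pass/fail logic described above, applied to forwarded mail, as an added example that is not part of the original post. It also covers the SRS case: an SPF pass obtained through SRS is for the forwarder's domain, which is not aligned with the From: domain, so it does not produce a DMARC pass on its own. The domain `sender.example`, the policies and the scenarios are constructed, and the two-label `org_domain` shortcut is an assumption.

```python
def org_domain(domain):
    """Assumption: last two labels stand in for the Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_evaluate(from_domain, policy, spf, dkim):
    """spf = (result, envelope domain); dkim = list of (result, d= domain).

    Returns (dmarc_result, disposition the From: domain asks the receiver to
    apply). Relaxed alignment: organizational domains must match.
    """
    target = org_domain(from_domain)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == target
    dkim_ok = any(res == "pass" and org_domain(d) == target for res, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)

# Constructed scenarios: mail from sender.example forwarded by example.com.
SCENARIOS = {
    # Sender signs with DKIM; forwarder does not rewrite the envelope sender.
    "dkim_sender_no_srs": ("sender.example", "reject",
                           ("softfail", "sender.example"),
                           [("pass", "sender.example")]),
    # Sender publishes SPF only; forwarding breaks the one mechanism it has.
    "spf_only_no_srs": ("sender.example", "reject",
                        ("softfail", "sender.example"), []),
    # Same sender with SRS: SPF passes, but for example.com, so no alignment.
    "spf_only_with_srs": ("sender.example", "reject",
                          ("pass", "example.com"), []),
    # Signature verified at the forwarder but fails at the final receiver.
    "dkim_broken_in_transit": ("sender.example", "quarantine",
                               ("softfail", "sender.example"),
                               [("fail", "sender.example")]),
}

def run_scenarios():
    """Evaluate every constructed scenario and return the results by name."""
    return {name: dmarc_evaluate(*args) for name, args in SCENARIOS.items()}
```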

Re: Question regarding Postfix virtual domains and SPF

/dev/rob0
In reply to this post by J Doe
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
> I have two questions regarding using SPF when I am using Postfix
> with virtual domain hosting.
>
> I currently have an SPF record in my DNS:
>
> example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
.............^no dot?   ^ ...... non-ASCII quote characters ....... ^

Yes, probably just copy/paste errors, but attention to detail is
important.

> I virtually host a domain (in this example case, example.com),
> that is set to forward mail to recipients on Gmail.

Usually "virtual" means "using the Postfix virtual(8) delivery
agent," but clearly in this case you mean something else, like a
relay domain or virtual alias domain.

I don't get why, if you're wanting to read the mail via gmail, you
don't just pay Google to host the domain?  That would be MUCH
simpler.

> As an example case, if I send an e-mail from a Hotmail account to
> an address on my server it then forwards that mail to the user’s
> GMail e-mail address.

Another example to consider is when spam gets through your lines of
defense, and you forward that spam on to gmail.  El Goog thinks
you're the spam source, and they might block you!

(I'm leaving the SPF/DKIM/DMARC questions for others, but holding
to the point that forwarding spam *will* cause big problems.)
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Question regarding Postfix virtual domains and SPF

J Doe
In reply to this post by Viktor Dukhovni
Hi Viktor,

> On Oct 16, 2017, at 10:40 PM, Viktor Dukhovni <[hidden email]> wrote:
>
>> 1.  When using Postfix and virtual domain hosting in this fashion, is
>> there any way to pass SPF when mail from a sending account is forwarded
>> to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters.  Much
> simpler to not support forwarding.

I did a quick search on Wikipedia and found the SRS article [1] which is fairly detailed - I will read through this over the next few days.

Thanks for the tip about effective anti-spam filters.

>> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
>> message generates a pass for DKIM (I have OpenDKIM configured and running
>> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
>> DMARC pass mean that SPF is always discounted and the mail won’t be
>> quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system.  However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.

In the diagnostic messages in the message source, it appears that Google is doing that - determining that Hotmail is a valid source.  It still SOFTFAILS SPF but scores DKIM OK and thus concludes DMARC is ok.

Thanks,

- J

Sources:


Re: Question regarding Postfix virtual domains and SPF

J Doe
In reply to this post by /dev/rob0
Hi /dev/rob0,

> On Oct 17, 2017, at 10:26 AM, /dev/rob0 <[hidden email]> wrote:

>> As an example case, if I send an e-mail from a Hotmail account to
>> an address on my server it then forwards that mail to the user’s
>> GMail e-mail address.
>
> Another example to consider is when spam gets through your lines of
> defense, and you forward that spam on to gmail.  El Goog thinks
> you're the spam source, and they might block you!

For the volume of mail that this server processes and the amount of spam that gets forwarded to Google I haven’t run into being blocked outright.  Instead I receive an SMTP diagnostic message advising me of being rate limited.

Thanks,

- J