team alias and SPF

team alias and SPF

Geert Stappers
Hi,

In /etc/aliases of projecthost.my.domain I have

teamfoo:
  localcopy
  [hidden email]
  [hidden email]
  [hidden email]


Bob checks SPF on incoming messages.


Now Alice sends an e-mail to Team Foo. Alice's domain has SPF records.
That e-mail arrives at the machine with the teamfoo alias.
Postfix does what it is supposed to do and e-mails the team members.

Bob's mailserver rejects and sends to Alice

<[hidden email]> (expanded from <[hidden email]>): host
    mail.domain.tld[BOB.IP.ADD.RES] said: 550-[SPF] MY.IP.ADD.RES
    allowed to send mail from alice.domain.  Please 550 see
    http://www.openspf.org/Why?scope=mfrom;identity=alice@...;ip=MY.IP.ADD.RES
    (in reply to RCPT TO command)


In the year 2017, is that all correct behaviour?
Several years earlier a team alias was best practice.
Now I'm looking for a successor.

I think the right approach is
 * receive the e-mail
 * rewrite some headers
 ** the Alice From should go into Reply To
 ** new From is [hidden email]
 * send the message of Alice to the foo team members


But I'm lost and in need of advice.

What I did so far

 * a websearch on "aliases SPF"
 * tried to understand which Postfix virtual covers my needs
 * /etc/alias with 'teamfoo: |/some/script'
 * wondered if it is the (good?) old procmail that I need



The /some/script
#!/bin/bash
# Postfix pipes the message on stdin; mailx sends it as the body.
# The envelope sender becomes the user the pipe alias runs as.
mailx -s teamFoo \
  localcopy \
  [hidden email] \
  [hidden email] \
  [hidden email]


Regards
Geert Stappers
--
Live and let live
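What the "receive, rewrite headers, resend" plan above looks like when the alias expander takes ownership of the message. This is an added example, not the poster's script and not how Postfix, Mailman or postsrsd implement it; the alias entry, script path, member addresses and the sample message are invented for the example, and the X-Loop guard follows the procmail convention. The part the plan leaves out is the envelope: the 550 in the post is about MAIL FROM, so the re-injection passes the team address to sendmail -f as well as putting it in the From: header.

```python
#!/usr/bin/env python3
"""Team-alias expander for a Postfix pipe alias.

Added example, not the poster's script.  Hypothetical alias entry:

    teamfoo: "|/usr/local/bin/team-expand teamfoo@projecthost.my.domain"

Postfix hands the message on stdin.  The script keeps the author reachable
through Reply-To, puts the team address in From and Sender, and re-injects
the message with the team address as the ENVELOPE sender (sendmail -f),
which is the identity SPF checks.  Member addresses are invented.
"""
import subprocess
import sys
from email import message_from_bytes, policy
from email.utils import formataddr, parseaddr

SENDMAIL = "/usr/sbin/sendmail"   # Postfix's sendmail(1) compatibility binary
LOOP_HEADER = "X-Loop"            # procmail-style loop guard (assumption)
EX_TEMPFAIL = 75                  # sysexits.h: Postfix retries the delivery

# Hypothetical member list; read it from a file in real use.
TEAM_MEMBERS = [
    "localcopy@projecthost.my.domain",
    "member1@example.net",
    "member2@example.org",
]

# Constructed sample input, as Postfix would pipe it.
SAMPLE_MESSAGE = b"""\
From: Alice <alice@alice.domain>
To: teamfoo@projecthost.my.domain
Subject: hello team
Message-ID: <1@alice.domain>

Hi team, can we meet tomorrow?
"""


def rewrite_for_team(raw: bytes, team_addr: str):
    """Return (rewritten message bytes, envelope sender), or (None, None)
    if the message already passed through this expander."""
    msg = message_from_bytes(raw, policy=policy.default)
    seen = [str(v).strip().lower() for v in msg.get_all(LOOP_HEADER, [])]
    if team_addr.lower() in seen:
        return None, None
    orig_from = str(msg["From"]) if msg["From"] is not None else ""
    name, _addr = parseaddr(orig_from)
    if orig_from and msg["Reply-To"] is None:
        msg["Reply-To"] = orig_from           # the author stays reachable
    # Header From is replaced as well: SPF does not look at it, but
    # DMARC-aligned receivers would otherwise judge the message against
    # the author's domain instead of ours.
    del msg["From"]
    display = f"{name} via Team Foo" if name else "Team Foo"
    msg["From"] = formataddr((display, team_addr))
    for h in ("Sender", "Return-Path"):
        del msg[h]                            # Postfix regenerates Return-Path
    msg["Sender"] = team_addr
    msg[LOOP_HEADER] = team_addr
    return msg.as_bytes(), team_addr


def headers_after_rewrite(raw: bytes, team_addr: str) -> dict:
    """Parse the rewritten message back so the effect can be inspected."""
    out, envelope = rewrite_for_team(raw, team_addr)
    if out is None:
        return {"dropped": True}
    parsed = message_from_bytes(out, policy=policy.default)
    return {
        "dropped": False,
        "from_name": parsed["From"].addresses[0].display_name,
        "from_addr": parsed["From"].addresses[0].addr_spec,
        "reply_to": parsed["Reply-To"].addresses[0].addr_spec,
        "sender": str(parsed["Sender"]),
        "envelope_sender": envelope,
    }


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: team-expand TEAM-ADDRESS\n")
        return EX_TEMPFAIL
    rewritten, envelope = rewrite_for_team(sys.stdin.buffer.read(), argv[1])
    if rewritten is None:
        return 0                              # loop detected: discard silently
    try:
        # -f sets the envelope sender (MAIL FROM); -i keeps a lone "." line.
        subprocess.run([SENDMAIL, "-i", "-f", envelope, "--", *TEAM_MEMBERS],
                       input=rewritten, check=True)
    except (OSError, subprocess.CalledProcessError) as e:
        sys.stderr.write(f"re-injection failed: {e}\n")
        return EX_TEMPFAIL
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Bounces for the copies to the members now come back to the team address rather than to Alice, so the script's owner has to read them; that is the trade-off a mailing-list manager handles for you.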
Re: team alias and SPF

Philip Paeps
On 2017-04-17 19:33:36 (+0200), Geert Stappers <[hidden email]> wrote:
>teamfoo:
>  localcopy
>  [hidden email]
>  [hidden email]
>  [hidden email]
>
>Bob checks SPF on incoming messages.

Bob should not be checking SPF from your mailserver if he knows there's
a forward / expander there.  Checking SPF breaks email forwarding.  The
easiest way to do this, is for Bob to check a list of forwarders in his
``smtpd_sender_restrictions`` if he's using Postfix.

    main.cf:
    smtpd_sender_restrictions =
        [...]
        check_client_access hash:$config_directory/access_forwarders
        [....]

    access_forwarders:
        [...]
        your_server.example.com  OK
        [...]

If Bob wants to verify SPF, he should have a table like that
whitelisting every host he knows forwards mail to him.  This is really
Bob's problem and not yours...

>In the year 2017 is that all correct behaviour.
>Several years earlier was a team alias best pratice.
>Now I'm looking for a successor.

If you check SPF, you should be prepared to whitelist known forwarders.

>I think the right approach is
> * recieve the e-mail
> * rewrite some headers
> ** the Alice From should go into Reply To
> ** new From is [hidden email]

Note that SPF checks the envelope From (5321.From) not the header From.

> * send the message of Alice to the foo team members

If Bob is the only recipient who causes you grief, you should ask him
not to check SPF for your server, since this is really his problem.  

If you want to make it your problem (or it's been made your problem),
there are two options: you could run a mailing list (e.g. mailman) which
rewrites the envelopes or you could use e.g. postsrsd to rewrite the
envelopes.  Note that postsrsd will rewrite all your envelopes,
regardless of whether the address was expanded.

https://github.com/roehling/postsrsd

Mailman and postsrsd are both trivial to set up.  My preference would be
for mailman because postsrsd will rewrite all envelopes, something which
I personally would find upsetting, but your views may differ.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
Re: team alias and SPF

Benny Pedersen-2
Philip Paeps wrote on 2017-04-17 19:49:

> On 2017-04-17 19:33:36 (+0200), Geert Stappers <[hidden email]>
> wrote:
>> teamfoo:
>>  localcopy
>>  [hidden email]
>>  [hidden email]
>>  [hidden email]
>>
>> Bob checks SPF on incoming messages.
>
> Bob should not be checking SPF from your mailserver if he knows
> there's a forward / expander there.

the forwarding host IP can be added to the SPF whitelist in the MTA stage
where SPF is being broken; doing so will, in the case of SpamAssassin,
check SPF for the real sender IP, that is the originating IP

> Checking SPF breaks email
> forwarding.

incorrect, since the envelope domain changes on the forwarding host

> The easiest way to do this, is for Bob to check a list of
> forwarders in his ``smtpd_sender_restrictions`` if he's using Postfix.

it's not Postfix's job to make envelope sender fixes, since SPF is not
DKIM, or even sid-milter, which breaks SPF by checking the From: header;
I think most users see Sender-ID as an SPF fail therein, but it's not
SPF

SPF is mailing-list safe, so why say forwarding breaks SPF?
Re: team alias and SPF

Philip Paeps
On 2017-04-18 00:04:07 (+0200), Benny Pedersen <[hidden email]> wrote:

>Philip Paeps skrev den 2017-04-17 19:49:
>>On 2017-04-17 19:33:36 (+0200), Geert Stappers <[hidden email]>
>>wrote:
>>>teamfoo:
>>> localcopy
>>> [hidden email]
>>> [hidden email]
>>> [hidden email]
>>>
>>>Bob checks SPF on incoming messages.
>>
>>Bob should not be checking SPF from your mailserver if he knows
>>there's a forward / expander there.
>
>the forwarding host IP can be added to the SPF whitelist in the MTA
>stage where SPF is being broken; doing so will, in the case of
>SpamAssassin, check SPF for the real sender IP, that is the originating IP

Sure.  That's a possibility.

>>Checking SPF breaks email forwarding.
>
>incorrect, since the envelope domain changes on the forwarding host

Only if you take steps to change the envelope.  In a normal/default
setup, the envelope will not be changed.

>>The easiest way to do this, is for Bob to check a list of
>>forwarders in his ``smtpd_sender_restrictions`` if he's using Postfix.
>
>it's not Postfix's job to make envelope sender fixes

Correct.

>since SPF is not DKIM, or even sid-milter, which breaks SPF by checking
>the From: header; I think most users see Sender-ID as an SPF fail
>therein, but it's not SPF
>
>SPF is mailing-list safe, so why say forwarding breaks SPF?

SPF is only "safe" for mailing lists if the mailing list takes ownership
of the message and remails it with a new envelope.  SPF is not "safe"
when you're simply forwarding the message (i.e.: without changing the
envelope).

If you check SPF, you need to whitelist every machine that forwards mail
for you.  Your backup MX for one.  But also every other host that you
know legitimately forwards mail for you.

DKIM is completely unrelated.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
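The two replies above make the same point twice: SPF at Bob's side is evaluated against the envelope sender the forwarder presents, so a plain forward fails, an SRS-rewritten envelope (what postsrsd does) passes against the forwarder's own record, and a forwarder Bob has whitelisted is not checked at all. The following added example, which is neither code from this thread nor postsrsd's implementation, walks Alice's message through those cases and also shows the bounce path that envelope rewriting creates. The SRS0 address layout (SRS0=HHHH=TT=original-domain=original-local@forwarder) is the published scheme; the HMAC-SHA1/base64 hash, the base32 day counter, the 21-day validity window and the secret are assumptions modelled on Mail::SRS, and SRS1 chaining of already-rewritten senders is left out. The SPF "records", IP addresses and Bob's forwarder table are constructed for the example.

```python
"""SRS envelope rewriting and its effect on SPF at the next hop.

Added example, not code from the thread and not postsrsd's implementation.
Hash, timestamp encoding, validity window and secret are assumptions
modelled on Mail::SRS; SPF data and IPs are constructed.
"""
import base64
import hashlib
import hmac
import time

SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # base32 alphabet for TT
SRS_SECRET = b"constructed-secret-change-me"       # assumption: per-host secret
SRS_MAX_AGE_DAYS = 21                             # assumption: bounce window

# Constructed SPF "records": the IPs each domain authorises for MAIL FROM.
SPF_AUTHORIZED = {
    "alice.domain": {"203.0.113.10"},             # Alice's own mail server
    "projecthost.my.domain": {"198.51.100.5"},    # the host with the team alias
}
BOB_KNOWN_FORWARDERS = {"198.51.100.5"}           # Bob's access_forwarders table


def spf_check(envelope_from: str, client_ip: str) -> str:
    """Minimal SPF: pass/fail/none for the 5321.MailFrom domain, ip4 only."""
    domain = envelope_from.rpartition("@")[2].lower()
    if domain not in SPF_AUTHORIZED:
        return "none"
    return "pass" if client_ip in SPF_AUTHORIZED[domain] else "fail"


def _day(day):
    return int(time.time() // 86400) if day is None else day


def srs_timestamp(day: int) -> str:
    day %= 1024                                   # 10 bits: two base32 chars
    return SRS_ALPHABET[day >> 5] + SRS_ALPHABET[day & 31]


def srs_hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    data = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(sender: str, forwarder: str, secret=SRS_SECRET, day=None) -> str:
    """Rewrite MAIL FROM so the next hop checks SPF against the forwarder
    and so bounces come back to the forwarder instead of to the author."""
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(_day(day))
    h = srs_hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder}"


def srs_reverse(addr: str, secret=SRS_SECRET, max_age=SRS_MAX_AGE_DAYS, day=None) -> str:
    """Turn a bounce to an SRS0 address back into the original sender.
    Raises ValueError for forged or stale addresses: a forwarder must not
    relay bounces to addresses it never rewrote (backscatter)."""
    parts = addr.rpartition("@")[0].split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = parts
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.lower(), expected.lower()):
        raise ValueError("bad SRS hash")
    try:
        stamped = (SRS_ALPHABET.index(ts[0].upper()) << 5) | SRS_ALPHABET.index(ts[1].upper())
    except (ValueError, IndexError):
        raise ValueError("bad SRS timestamp")
    if (_day(day) - stamped) % 1024 > max_age:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def scenarios(day=100) -> dict:
    """Alice -> projecthost (team alias) -> Bob, under the options discussed."""
    alice, fwd, fwd_ip = "alice@alice.domain", "projecthost.my.domain", "198.51.100.5"
    srs_addr = srs_forward(alice, fwd, day=day)
    # Tamper with the hash field (chars 5..8) to simulate a forged bounce.
    forged = srs_addr[:5] + ("AAAA" if srs_addr[5:9] != "AAAA" else "BBBB") + srs_addr[9:]

    def bounce(addr, at):
        try:
            return srs_reverse(addr, day=at)
        except ValueError as e:
            return f"rejected: {e}"

    return {
        "direct_delivery": spf_check(alice, "203.0.113.10"),
        "plain_forward": spf_check(alice, fwd_ip),          # the 550 in the thread
        "srs_forward": spf_check(srs_addr, fwd_ip),
        "bob_whitelists_forwarder": "skipped" if fwd_ip in BOB_KNOWN_FORWARDERS
                                    else spf_check(alice, fwd_ip),
        "bounce_reversed": bounce(srs_addr, day + 3),
        "bounce_expired": bounce(srs_addr, day + 40),
        "bounce_forged": bounce(forged, day + 3),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

The "plain_forward" line is Geert's situation; "srs_forward" is what postsrsd (or a list manager remailing with its own envelope) produces, and "bob_whitelists_forwarder" is the check_client_access table from the first reply. The reverse path is why the hash and timestamp exist: without them anyone could craft an SRS0 address and use the forwarder to bounce mail at arbitrary third parties.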