On 1/2/24 17:51, Andy Smith wrote:
Hi Thomas,

On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:
I built email servers for a non-profit I volunteer for. If email comes into
the server for presid...@myassociation.org, I would normally just create an
alias in /etc/aliases so that emails to president@ get forwarded to the
president's "real" email address, say presidents_real_em...@gmail.com.

This causes your server to pass on email without changing envelope
sender, so your server is purporting to be whoever the email is
originally from. Any email authentication measure working on the
envelope sender, such as SPF, will then fail, as your server is
indistinguishable from a random host forging the original sender's
domain.

Yup, that's exactly what's happening. Email from an association member may come in from u...@otherdomain.com and when it gets forwarded to GMail, they reject it because the mail server isn't otherdomain.com's email server. I get *why* it's failing, I was just hoping someone had a better idea.

How can I make this work? Is there a good way to use something like
/etc/aliases to forward emails to the domain I manage to another recipient?
Or is there something better I can do?

You need to give up on /etc/aliases for external routing of email
unless you control all the original sender domains and can for
example add your server IPs to its authentication mechanisms (e.g.
SPF).

Since you probably can't do that for any recipient domain that
expects to receive Internet email, you need to either:

- Implement Sender Rewriting Scheme (SRS) so that your server takes
   responsibility for forwarded emails with its own envelope sender.
   https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

This is excellent, I was not aware of it. I'm digging into it now. I was playing around with using a procmail recipe to munge the "from" address, but SRS looks like a MUCH better plan. Thank you so much!

Or:

- Have your users collect their your-org email by some means other
   than SMTP, such as running an IMAP server and having them view
   both their gmail mailbox and their your-org inbox in one place (I
   have no idea if that is feasible with gmail).

This is what *I* would do, for sure. But the members of the association are incredibly non-technical, and trying to walk them through setting up an email client like Thunderbird or Outlook is a recipe for disaster. I really like the SRS idea, I'm digging into that now.

Thanks,
Andy


Thanks a bunch!
Thomas
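To make the SRS suggestion in the thread concrete, here is an added example (not code from either poster, and not from any SRS implementation) of what a forwarder's envelope rewriting and bounce un-rewriting look like. It follows the common SRS0 layout (SRS0=hash=timestamp=original-domain=original-local@forwarding-domain): the hash is a truncated HMAC keyed with a secret only the forwarding server knows, and the two-character timestamp lets the server refuse stale addresses, so the rewritten address cannot be used indefinitely as an open bounce relay. The domain, secret, and sample addresses are constructed for illustration; the hash input and the 21-day window are this example's choices, not a statement of what a particular package does.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example; a real deployment uses its own domain
# and a randomly generated secret kept out of version control.
FORWARDING_DOMAIN = "myassociation.org"
SRS_SECRET = b"constructed-example-secret-replace-me"

# SRS timestamps use a base32 alphabet to encode the day count modulo 1024.
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(day: int) -> str:
    """Encode a day number (days since the Unix epoch) as two base32 chars."""
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def srs_timestamp_age(ts: str, today: int) -> Optional[int]:
    """Days between the encoded timestamp and today, handling the 1024-day wrap."""
    if len(ts) != 2 or ts[0] not in BASE32 or ts[1] not in BASE32:
        return None
    encoded = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    return (today - encoded) % 1024


def srs_hash(ts: str, domain: str, local: str) -> str:
    """Truncated base64 HMAC binding timestamp, original domain and local part."""
    msg = (ts + domain.lower() + local).encode()
    digest = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(envelope_sender: str, day: Optional[int] = None) -> str:
    """Rewrite the envelope sender so bounces return to the forwarding domain.

    SPF at the destination is then evaluated against our domain, which is the
    point of SRS: our server takes responsibility for the forwarded message.
    """
    if envelope_sender == "":
        return ""  # the null sender (bounces) is never rewritten
    local, _, domain = envelope_sender.rpartition("@")
    if domain.lower() == FORWARDING_DOMAIN:
        return envelope_sender  # already ours; nothing to take responsibility for
    if day is None:
        day = int(time.time() // 86400)
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDING_DOMAIN}"


def srs_reverse(address: str, today: Optional[int] = None,
                max_age_days: int = 21) -> Optional[str]:
    """Recover the original sender from an SRS0 address for bounce delivery.

    Returns None when the address is not ours, the HMAC does not verify
    (tampered or forged), or the timestamp is older than max_age_days.
    """
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDING_DOMAIN or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, h, ts, orig_domain, orig_local = parts
    expected = srs_hash(ts, orig_domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    if today is None:
        today = int(time.time() // 86400)
    age = srs_timestamp_age(ts, today)
    if age is None or age > max_age_days:
        return None
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    # Constructed walk-through: a member's mail arrives from another domain,
    # is rewritten for forwarding, and a later bounce is mapped back.
    rewritten = srs_forward("member@otherdomain.example", day=19724)
    print("forwarded as:", rewritten)
    print("bounce maps back to:", srs_reverse(rewritten, today=19724))
    print("stale after 30 days:", srs_reverse(rewritten, today=19754))
```

The rewritten address lands in the forwarding domain, so the receiving side's SPF check is against that domain's published record rather than the original sender's. Bounces to the SRS0 address are verified with the HMAC and timestamp before being relayed back, which is what keeps the rewriting from turning the forwarder into an open relay for backscatter. In practice one would use a maintained implementation (postsrsd is the usual choice alongside Postfix) rather than hand-rolled code, and DKIM signing on the forwarder helps the forwarded mail further, since SRS alone does not address DMARC alignment on the From: header.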
