Hi

>Hi guys,
>
>I've been running OpenSMTPD for a long time now forwarding mail to my
>gmail account. It's a pretty basic rig - there are just a series of
>forwarding rules, and different @somedomain.com emails get forwarded
>to different @gmail.com emails.  I have DKIM, SPF, and even DMARC all
>set up correctly. Outgoing emails that an authorized user on the MTA
>sends are DKIM signed. Forwarding emails aren't, which is the correct
>behavior.
>
>It turns out this all is a lot harder than I initially thought. Gmail
>often blocks spam at the SMTP level. My server tries to deliver to my
>gmail account a piece of spam email, gmail's SMTP servers say "no way
>josé here's error 502", and then my server generates a bounce email.
>This bounce email contains the spam contents of the email that was
>initially sent, meaning now my server is sending spam across the
>Internet! My fix for this was to patch [1] OpenSMTPD not to include
>the body of the email, but rather only the headers. This prevents my
>IP from being blacklisted _too_ quickly. But still, bounce messages
>are sent, and sometimes my IP does get banned by an organization I
>send email to, and I have to apply for whitelisting and it's a
>tremendous PITA. The other issue is that Google is now in the habit of
>replying "you're forwarding spam; don't do that; bye" to my server,
>and it doesn't know that my server is just forwarding the message. As
>such, my IP's reputation with Google is steadily becoming horrible
>over time.
>
>Is there a good one-stop fix for this? The whole reason I'm still
>using Gmail is because I like its spam filter! I certainly don't want
>to run an additional spam filter on my OpenSMTPD machine. Are there
>other configuration things I can do to make the situation better?

I feel your pain.

AFAIK there is no perfect solution - you cannot fix this completely.
There are a couple of things you can do (that I do):

1) Run spamd or equivalent on your MTA to cut down on the amount of
spam you accept.  The less you accept the less you forward.  Spamd (as
shipped with OpenBSD) setup is a whole different subject outside the
scope of this email - I ended up with a chunk of Python monitoring
what it does and giving it hints.

1b) OpenSMTPD filters may also be your friend for filtering spam but I
haven't tried them yet.

2) Rewrite the sender of anything you forward to be
[email protected].  That way the bounce DSNs get routed to your MTA
and you stop sending to the outside world.  This does mean that any
legit bounces also come to you but by this stage you are expecting the
delivery to work and getting early notification that it isn't might be
valuable.

# Forwarding
# No destination as everything in <fwd-users> should be reworked by <fwd-table>
accept from any for domain <localdomains> recipient <fwd-users> virtual <fwd-table>

# Outgoing
accept from local for any recipient <fwd-dest> relay as "[email protected]" pki mymta.com tls

(Messages are from local by the time they have been rewritten)

Hope that helps

JC
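
One way to check that the sender rewrite in point 2 really stops bounces from leaving the server, as an added example that is not part of the original message: count DSNs (empty envelope sender) that the MTA still relays to non-local domains. The log layout, domain names and function names are assumptions; the sample lines are constructed and the real maillog format varies between OpenSMTPD versions.

```python
import re
from collections import Counter

# Assumption: domains this MTA is authoritative for (placeholder names).
LOCAL_DOMAINS = {"example.org"}

# Constructed sample log lines, modelled on smtpd's key=value delivery records.
SAMPLE_LOG = '''\
Jan  1 10:00:01 mx smtpd[101]: 00aa mta delivery evpid=1a from=<bounces@example.org> to=<me@example.net> rcpt=<me@example.org> source="192.0.2.1" relay="192.0.2.9" delay=1s result="PermFail" stat="550 5.7.1 rejected as spam"
Jan  1 10:00:02 mx smtpd[101]: 00ab mda delivery evpid=1b from=<> to=<bounces@example.org> rcpt=<-> user=bounces delay=0s result="Ok" stat="Delivered"
Jan  1 10:05:00 mx smtpd[101]: 00ac mta delivery evpid=2a from=<> to=<forged@victim.example> rcpt=<-> source="192.0.2.1" relay="198.51.100.7" delay=2s result="Ok" stat="250 2.0.0 OK id=77"
Jan  1 10:06:00 mx smtpd[101]: 00ad mta delivery evpid=2b from=<> to=<other@victim.example> rcpt=<-> source="192.0.2.1" relay="198.51.100.7" delay=2s result="TempFail" stat="451 try later"
Jan  1 10:07:00 mx smtpd[101]: 00ae mta delivery evpid=3a from=<alice@example.org> to=<bob@example.com> rcpt=<-> source="192.0.2.1" relay="203.0.113.5" delay=1s result="Ok" stat="250 OK"
'''

# key=<addr>, key="quoted text" or key=bare-token
FIELD = re.compile(r'(\w+)=(?:<([^>]*)>|"([^"]*)"|(\S+))')


def parse_delivery(line):
    """Return the key=value fields of an outbound (mta) delivery line, else None."""
    _, sep, rest = line.partition(" mta delivery ")
    if not sep:
        return None  # local (mda) deliveries and other records are ignored
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in FIELD.finditer(rest)}


def external_bounces(log_text, local_domains=LOCAL_DOMAINS):
    """Count DSNs (empty envelope sender) relayed to non-local domains."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_delivery(line)
        if fields is None or fields.get("from") != "":
            continue  # not an outbound delivery, or not a bounce
        domain = fields.get("to", "").rpartition("@")[2].lower()
        if domain and domain not in local_domains:
            hits[domain] += 1  # every attempt counts, delivered or not
    return hits


if __name__ == "__main__":
    for domain, count in external_bounces(SAMPLE_LOG).most_common():
        print(f"{count} bounce attempt(s) relayed to {domain}")
```

With the rewrite in place, rejected forwards should show up only as local deliveries to the bounce mailbox, so a non-empty result points at mail that is still bypassing the rewrite rule.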
