Marek Podmaka via Postfix-users <[email protected]> writes: > Hi, > > What is the current best practice for forwarded email? I am building a > new server with postfix+rspamd and want to do it the right way (and > later also migrate existing older setup to this). I have forwarding > defined via virtual_alias_maps. > > For DKIM, should it be just ARC enabled in rspamd? When is ARC > actually needed, if postfix does not alter the forwarded email (so > original DKIM should not break)? > For SPF, the fix is SRS. > > For SRS, how to configure it, so that only the forwarded email (e.g. > to gmail) is rewritten and not also the original email from SASL user > to gmail? postsrsd rewrites all emails and there are some examples to > use multiple postfix instances, but I don't fully understand the > division of work. The instance which receives mail from outside via MX > is the one which should be running postsrsd (only outgoing email from > it are the forwards?), and instance where SASL users connect should > not (so outgoing mail, and also locally delivered email - or that > should go from SASL instance via the MX instance)? > > I have also found examples with just 1 instance where the rewriting is > limited by MySQL table. If I understand, the query returns the > original sender for outgoing email (senders which are virtual > accounts/aliases) and only if the query does not return anything, > postsrsd is asked. Does this approach have any downsides? Or which one > is the preferred way? > > Something like this: sender_canonical_maps = > mysql:/etc/postfix/mysql-no-srs.cf,tcp:127.0.0.1:10001
Hellow Marek, DKIM survives forwarding by design. For years, i forward all my emails to Google (Gmail account). See below logs: /// Dec 7 07:41:12 yw-1204 postfix/smtpd[930260]: connect from yw-0919.doraji.xyz[34.138.9.181] Dec 7 07:41:13 yw-1204 postfix/smtpd[930260]: Trusted TLS connection established from yw-0919.doraji.xyz[34.138.9.181]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) client-signature RSA-PSS (2048 bits) Dec 7 07:41:13 yw-1204 postfix/smtpd[930260]: 475E76A5: client=yw-0919.doraji.xyz[34.138.9.181] Dec 7 07:41:13 yw-1204 postfix/cleanup[930263]: 475E76A5: resent-message-id=<[email protected]> Dec 7 07:41:13 yw-1204 postfix/cleanup[930263]: 475E76A5: message-id=<176509313703.1005072.10400242127085214421.reportbug@loadstone.darkstar.local> Dec 7 07:41:13 yw-1204 opendkim[655]: 475E76A5: yw-0919.doraji.xyz [34.138.9.181] not internal Dec 7 07:41:13 yw-1204 opendkim[655]: 475E76A5: not authenticated Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2822.From: YOKOTA Hiroshi <[email protected]> Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2822.Reply-To: YOKOTA Hiroshi <[email protected]>, [email protected] Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2822.X-Mailer: reportbug 13.2.0 Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2821.MailFrom: [email protected] Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2821.ORCPT: [email protected] Dec 7 07:41:13 yw-1204 opendkim[655]: RFC2822.RCVD-1: from 118-83-189-41.nkno.j-cnet.jp ([118.83.189.41]:43528 helo=loadstone.darkstar.local)#012#011by buxtehude.debian.org with esmtp (Exim 4.96)#012#011(envelope-from <[email protected]>)#012#011id 1vS9MA-009QYO-0N#012#011for [email protected];#012#011Sun, 07 Dec 2025 07:38:58 +0000 Dec 7 07:41:13 yw-1204 opendkim[655]: RFC5598.ADMD (Best Guess): gmail.com Dec 7 07:41:13 yw-1204 opendkim[655]: 475E76A5: DKIM-Signature field added (s=YW, d=doraji.xyz) Dec 7 07:41:13 yw-1204 opendkim[655]: 475E76A5: no signature data Dec 7 07:41:13 yw-1204 postfix/qmgr[929665]: 475E76A5: from=<[email protected]>, size=6183, nrcpt=1 (queue active) Dec 7 07:41:13 yw-1204 postfix/smtpd[930260]: disconnect from yw-0919.doraji.xyz[34.138.9.181] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 Dec 7 07:41:13 yw-1204 postfix/smtp[930264]: Verified TLS connection established to gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 Dec 7 07:41:13 yw-1204 postfix/smtp[930264]: 475E76A5: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.57, delays=0.23/0.02/0.11/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1765093273 ffacd0b85a97d-42f7d33cb55si4871647f8f.360 - gsmtp) Dec 7 07:41:13 yw-1204 postfix/qmgr[929665]: 475E76A5: removed /// Sincerely, _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
