Hi, I have a postfix-3.2.6 with fedora30 configured as an imap system for a subdomain that also relays mail for a few thousand users. Many users simply create a ~/.forward entry that forwards their mail through the system to a GMail account.
I believe this has created some issues with reputation, as the mail from remote addresses appears to be coming from this system without authorization. The MX for this host is a few other postfix relays at the top-level for this domain. This system handles outbound mail for this sub-domain. I'm seeing messages in the logs similar to this:

Aug 6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of DATA command)

Aug 6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command)

The postfix-turtle transport is used for hosts that require or have requested mail to be delivered more slowly to prevent being blacklisted (like gmail.com and domains managed by Google). When the main office sends email to all or a majority of the few thousand recipients at a time, we needed a way to throttle the delivery with so many of the recipients forwarding mail off the system to their gmail accounts without being blacklisted.

These two examples above are mail that originated on this server, destined for gmail.com recipients. Is the fix to these problems to create an SPF record for this host?
We had discussed this some time ago, but what effect does that have on relayed mail that doesn't originate from this domain? And it will break with mailing list email, correct? We had also discussed SRS, but that doesn't seem to be utilized any longer? That looks to be a huge undertaking. Of course I've read the Google support link above. I'm just curious about the implications of doing this with my specific environment as I've described. What am I in for when doing this? Should we be signing all outgoing messages with DKIM?
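
To measure how much of the deferred mail is being refused on authentication grounds, and through which Postfix instance, the "said:" log entries quoted in the post can be parsed and counted. The following is an added example, not part of the original message; the sample lines are constructed on the pattern of the two entries above (placeholder queue IDs, hosts and IPs), and the function names are illustrative.

```python
import re
from collections import Counter

# Postfix smtp(8) entry relaying a remote server's reply: "<qid>: host X[ip] said: ..."
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<instance>[\w.-]+)/smtp\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\shost\s(?P<remote>[^\s\[]+)\[(?P<ip>[^\]]+)\]\ssaid:\s"
    r"(?P<reply>.*?)(?:\s\(in reply to (?P<stage>[^)]+)\))?$"
)
# SMTP reply code plus enhanced status code; "-" marks a continuation line.
CODE_RE = re.compile(r"\b(\d{3})[- ](\d\.\d{1,3}\.\d{1,3})\s")

def parse_reply(line):
    """Return a dict for a remote-reply entry, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    codes = CODE_RE.findall(m["reply"])
    if not codes:
        return None
    smtp, enhanced = codes[0]
    text = CODE_RE.sub("", m["reply"])  # rejoin the folded multi-line reply
    return {
        "instance": m["instance"], "qid": m["qid"], "remote": m["remote"].lower(),
        "stage": m["stage"], "smtp": smtp, "enhanced": enhanced,
        "temporary": smtp.startswith("4"),
        # x.7.x is the security/policy class; the wording narrows it to auth checks.
        "auth_failure": enhanced.split(".")[1] == "7" and "authentication" in text.lower(),
    }

def auth_failures_by_instance(lines):
    """Count authentication-related refusals per (Postfix instance, remote host)."""
    hits = Counter()
    for rec in filter(None, map(parse_reply, lines)):
        if rec["auth_failure"]:
            hits[(rec["instance"], rec["remote"])] += 1
    return hits

# Constructed sample lines (not real log data).
SAMPLE = [
    "Aug  6 07:50:54 email postfix-turtle/smtp[1001]: AAAAAAAAAA01: host mx.example.NET[192.0.2.25] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. 421 4.7.0 Message blocked. - constructed (in reply to end of DATA command)",
    "Aug  6 07:50:58 email postfix-turtle/smtp[1002]: AAAAAAAAAA02: host mx.example.NET[192.0.2.25] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. 421 4.7.0 Message blocked. - constructed (in reply to end of DATA command)",
    "Aug  6 07:51:02 email postfix/smtp[1003]: AAAAAAAAAA03: host mx.example.NET[192.0.2.25] said: 450 4.2.1 Mailbox busy, try again later (in reply to RCPT TO command)",
    "Aug  6 07:51:09 email postfix-turtle/smtp[1004]: AAAAAAAAAA04: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for key, count in auth_failures_by_instance(SAMPLE).items():
        print(key, count)
```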