I do not have nearly your footprint or users, but I do set up
DKIM/SPF/DMARC by default. Also, Google has an escalation process for
emails. You submit the request along with the complete email (with
headers). Work through the process at this URL and you might have some
luck.
https://support.google.com/mail/?p=UnsolicitedIPError
On 8/6/19 6:36 PM, John Regan wrote:
Hi,
I have a postfix-3.2.6 with fedora30 configured as an imap system for
a subdomain that also relays mail for a few thousand users. Many users
simply create a ~/.forward entry that forwards their mail through the
system to a GMail account.
I believe this has created some issues with reputation, as the mail
from remote addresses appears to be coming from this system without
authorization. The MX for this host is a few other postfix relays at
the top-level for this domain. This system handles outbound mail for
this sub-domain.
I'm seeing messages in the logs similar to this:
Aug 6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host
gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0
This message does not have authentication information or fails to pass
421-4.7.0 authentication checks. To best protect our users from spam,
the 421-4.7.0 message has been blocked. Please visit 421-4.7.0
https://support.google.com/mail/answer/81126#authentication for more
421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of
DATA command)
Aug 6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host
gmail-smtp-in.l.google.COM[173.194.205.26] said: 421-4.7.0 This
message does not have authentication information or fails to pass
421-4.7.0 authentication checks. To best protect our users from spam, the
421-4.7.0 message has been blocked. Please visit 421-4.7.0
https://support.google.com/mail/answer/81126#authentication for more
421 4.7.0 information. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command)
The postfix-turtle transport is used for hosts that require or have
requested mail to be delivered more slowly to prevent being
blacklisted (like gmail.com and domains managed by Google). When the
main office sends email to all or a majority of the few thousand
recipients at a time, we needed a way to throttle the delivery with so
many of the recipients forwarding mail off the system to their gmail
accounts without being blacklisted.
These two examples above are mail that originated on this server,
destined for gmail.com recipients. Is the fix to
these problems to create an SPF record for this host? We had discussed
this some time ago, but what effect does that have on relayed mail
that doesn't originate from this domain? And it will break with
mailing list email, correct? We had also discussed SRS, but that
doesn't seem to be utilized any longer? That looks to be a huge
undertaking.
Of course I've read the Google support link above. I'm just curious
about the implications of doing this with my specific environment as
I've described. What am I in for when doing this?
Should we be signing all outgoing messages with DKIM?
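
Added example (not part of the original thread, and not code from Postfix or any SRS package): a simplified Python model of why mail relayed through a ~/.forward entry fails SPF at the receiving host, and how an SRS rewrite of the envelope sender changes the result. The domains, IP addresses, secret, and the ip4-only SPF check are constructed assumptions, and the SRS0 hash here is a simplified HMAC rather than a drop-in for a real SRS daemon.

```python
import base64, hashlib, hmac, ipaddress, time

# Constructed sample data: documentation-range IPs and example domains.
SPF = {
    "remote.example.net": ["192.0.2.0/24"],      # original sender's published SPF
    "sub.example.org": ["198.51.100.25/32"],     # the forwarding host's SPF
}
FORWARDER_DOMAIN = "sub.example.org"
FORWARDER_IP = "198.51.100.25"
SRS_SECRET = b"constructed-demo-secret"
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def spf_result(mail_from, client_ip):
    """Simplified SPF: ip4 networks only, keyed on the envelope sender domain."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    nets = SPF.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def _srs_hash(ts, domain, local):
    # Keyed hash so third parties cannot mint valid bounce addresses.
    msg = f"{ts}{domain}{local}".lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(mail_from, now=None):
    """Rewrite the envelope sender into the forwarder's domain (SRS0 layout)."""
    local, domain = mail_from.rsplit("@", 1)
    days = int((time.time() if now is None else now) // 86400) % 1024
    ts = B32[days >> 5] + B32[days & 31]          # 2-char day stamp
    tag = _srs_hash(ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{FORWARDER_DOMAIN}"

def srs_reverse(srs_addr):
    """Recover the original sender for a returning bounce; reject forged hashes."""
    local = srs_addr.rsplit("@", 1)[0]
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, ts, domain, orig_local = local[5:].split("=", 3)
    if not hmac.compare_digest(tag, _srs_hash(ts, domain, orig_local)):
        raise ValueError("bad SRS hash")
    return f"{orig_local}@{domain}"

if __name__ == "__main__":
    sender = "alice@remote.example.net"
    print("forwarded as-is:", spf_result(sender, FORWARDER_IP))
    rewritten = srs_forward(sender)
    print("after SRS:", rewritten, spf_result(rewritten, FORWARDER_IP))
```

SRS changes only the envelope sender; the header From is untouched, so DMARC alignment for forwarded mail still depends on the original sender's DKIM signature surviving the forward.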