On Wed, 7 Aug 2019 at 01:48, John Dale <j...@growingbusinesssolutions.com> wrote:
> I do not have nearly your footprint or users, but I do setup > DKIM/SPF/DMARC by default. Also, google has an escalation process for > emails. You submit the request along with the complete email (with > headers). Work through the process at this URL and you might have some > luck. > > https://support.google.com/mail/?p=UnsolicitedIPError > > > On 8/6/19 6:36 PM, John Regan wrote: > > Hi, > > > > I have a postfix-3.2.6 with fedora30 configured as an imap system for > > a subdomain that also relays mail for a few thousand users. Many users > > simply create a ~/.forward entry that forwards their mail through the > > system to a GMail account. > > > > I believe this has created some issues with reputation, as the mail > > from remote addresses appear to be coming from this system without > > authorization. The MX for this host is a few other postfix relays at > > the top-level for this domain. This system handles outbound mail for > > this sub-domain. > > > > I'm seeing messages in the logs similar to this: > > > > Aug 6 07:50:54 email postfix-turtle/smtp[9559]: 1C10782EEB804: host > > gmail-smtp-in.l.google.COM > > <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0 > > This message does not have authentication information or fails to pass > > 421-4.7.0 authentication checks. To best protect our users from spam, > > the 421-4.7.0 message has been blocked. Please visit 421-4.7.0 > > https://support.google.com/mail/answer/81126#authentication for more > > 421 4.7.0 information. f13si33047783qve.55 - gsmtp (in reply to end of > > DATA command) > > > > Aug 6 07:50:12 email postfix-turtle/smtp[6759]: 067CD83070987: host > > gmail-smtp-in.l.google.COM > > <http://gmail-smtp-in.l.google.COM>[173.194.205.26] said: 421-4.7.0 This > > message does not have authentication information or fails to pass > > 421-4.7.0 authentication checks. To best protect our users from spam, the > > 421-4.7.0 message has been blocked. Please visit 421-4.7.0 > > https://support.google.com/mail/answer/81126#authentication for more > > 421 4.7.0 i > > nformation. 46si51756936qtn.363 - gsmtp (in reply to end of DATA command) > > > > The postfix-turtle transport is used for hosts that require or have > > requested mail to be delivered more slowly to prevent being > > blacklisted (like gmail,com and domains managed by Google). When the > > main office sends email to all or a majority of the few thousand > > recipients at a time, we needed a way to throttle the delivery with so > > many of the recipients forwarding mail off the system to their gmail > > accounts without being blacklisted. > > > > These two examples above are mail that originated on this server, > > destined for gmail.com <http://gmail.com> recipients. Is the fix to > > these problems to create an SPF record for this host? We had discussed > > this some time ago, but what affect does that have on relayed mail > > that doesn't originate from this domain? And it will break with > > mailing list email, correct? We had also discussed SRS, but that > > doesn't seem to be utilized any longer? That looks to be a huge > > undertaking. > > > > Of course I've read the Google support link above. I'm just curious > > about the implications of doing this with my specific environment as > > I've described. What am I in for when doing this? > > > > Should we be signing all outgoing messages with DKIM? > We do relay into Gmail from our (very small scale) mail servers and we use SPF, DKIM and (for our business domains, not the one I am emailing from) DMARC with p=reject. We see such responses from Gmail occasionally (in response to relayed, not our own originated, emails) - and our servers react to them in real time. But they are only temporary blocks so not in themselves a massive problem. The big concern is that Gmail can impose a 5xx permanent block on incoming emails from an ip they deem a repeat offender. We've never had this I am pleased to say. Another problem is relayed emails where the From domain has a DMARC p=reject policy and sender has relied on SPF and not bothered with DKIM: such emails will be blocked (quite correctly) by Gmail. Overall they are rare - but, for instance, Her Majesty's Revenue and Customs often does this (including with some important emails).
