Re: Question regarding Postfix virtual domains and SPF

2017-10-17 Thread J Doe
Hi /dev/rob0,

> On Oct 17, 2017, at 10:26 AM, /dev/rob0  wrote:

>> As an example case, if I send an e-mail from a Hotmail account to 
>> an address on my server it then forwards that mail to the user’s 
>> GMail e-mail address.
> 
> Another example to consider is when spam gets through your lines of 
> defense, and you forward that spam on to gmail.  El Goog thinks 
> you're the spam source, and they might block you!

For the volume of mail that this server processes and the amount of spam that 
gets forwarded to Google I haven’t run into being blocked outright.  Instead I 
receive an SMTP diagnostic message advising me of being rate limited.

Thanks,

- J


Re: Question regarding Postfix virtual domains and SPF

2017-10-17 Thread J Doe
Hi Viktor,

> On Oct 16, 2017, at 10:40 PM, Viktor Dukhovni  
> wrote:
> 
>> 1.  When using Postfix and virtual domain hosting in this fashion, is
>> there any way to pass SPF when mail from a sending account is forwarded
>> to another host (ie: Gmail) ?
> 
> This requires SRS, and fairly effective anti-spam filters.  Much
> simpler to not support forwarding.

I did a quick search on Wikipedia and found the SRS article [1] which is fairly 
detailed - I will read through this over the next few days.

Thanks for the tip about effective anti-spam filters.

>> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
>> message generates a pass for DKIM (I have OpenDKIM configured and running
>> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
>> DMARC pass mean that SPF is always discounted and the mail won’t be
>> quarantined ?
> 
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system.  However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.

In the diagnostic messages in the message source, it appears that Google is 
doing that - determining that Hotmail is a valid source.  It still SOFTFAILS 
SPF but scores DKIM OK and thus concludes DMARC is ok.

Thanks,

- J

Sources:

[1] https://en.m.wikipedia.org/wiki/Sender_Rewriting_Scheme

Re: Question regarding Postfix virtual domains and SPF

2017-10-17 Thread /dev/rob0
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
> I have two questions regarding using SPF when I am using Postfix 
> with virtual domain hosting.
> 
> I currently have an SPF record in my DNS:
> 
> example.comTXT“v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
.^no dot?   ^ .. non-ASCII quote characters ... ^

Yes, probably just copy/paste errors, but attention to detail is 
important.

> I virtually host a domain (in this example case, example.com),
> that is set to forward mail to recipients on Gmail.

Usually "virtual" means "using the Postfix virtual(8) delivery 
agent," but clearly in this case you mean something else, like a 
relay domain or virtual alias domain.

I don't get why, if you're wanting to read the mail via gmail, you 
don't just pay Google to host the domain?  That would be MUCH 
simpler.

> As an example case, if I send an e-mail from a Hotmail account to 
> an address on my server it then forwards that mail to the user’s 
> GMail e-mail address.

Another example to consider is when spam gets through your lines of 
defense, and you forward that spam on to gmail.  El Goog thinks 
you're the spam source, and they might block you!

(I'm leaving the SPF/DKIM/DMARC questions for others, but holding 
to the point that forwarding spam *will* cause big problems.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Question regarding Postfix virtual domains and SPF

2017-10-17 Thread Dominic Raferd
On 17 October 2017 at 03:40, Viktor Dukhovni 
wrote:

> On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
>
> > My questions are:
> >
> > 1.  When using Postfix and virtual domain hosting in this fashion, is
> > there any way to pass SPF when mail from a sending account is forwarded
> > to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters.  Much
> simpler to not support forwarding.
>

or just don't worry about it


>
> > 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> > message generates a pass for DKIM (I have OpenDKIM configured and running
> > correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
> > DMARC pass mean that SPF is always discounted and the mail won’t be
> > quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system.  However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.
>
> Domains that only publish SPF pose a more significant issue.
>

With DMARC, either an SPF pass or a DKIM pass will result in overall pass
(subject to alignment). If there is no DMARC, or DMARC p=none, neither SPF
nor DKIM failure should lead to rejection by Gmail. With DMARC
p=quarantine, Gmail puts an email that fails SPF and DKIM into spam.

So it is only really an issue if the sender domain has DMARC p=reject
policy and uses SPF without DKIM, but in my experience (with almost
identical setup to OP) this is very rare.

Also, as Viktor's reply hints, there can be edge cases where an incoming
mail passes DKIM at our server but fails DKIM at Gmail - again these are
very rare (I am aware of one domain - with DMARC p=reject policy - some of
whose marketing emails, but nothing important, fall into this category).
Why this happens I don't know, presumably as Viktor says there is some
difference between opendkim and Gmail's dkim implementation.

For forwarding to Gmail I recommend opendmarc (as well as opendkim) on your
server, this can block some 'bad' incoming emails before they get sent on
to Gmail and damage your server's reputation.  And decent spam filtering -
I use lots of rbls as well as amavisd-new (which uses spamassassin but with
bayesian tests disabled because there can be no ham/spam learning).
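
The DMARC outcomes described in the message above, worked through for the forwarding path in this thread. This is an added example, not code from any poster or from opendmarc; the `spf-only.test` domain, the policies passed in, and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Msg:
    header_from: str   # domain of the From: header (what DMARC protects)
    mail_from: str     # envelope sender domain (what SPF checks)
    spf: str           # SPF result at the final receiver
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]

def dmarc(msg, policy):
    """Return (dmarc_result, disposition) using relaxed alignment."""
    target = org_domain(msg.header_from)
    spf_ok = msg.spf == "pass" and org_domain(msg.mail_from) == target
    dkim_ok = any(r == "pass" and org_domain(d) == target for d, r in msg.dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Dispositions as described in the thread for each published policy.
    table = {"none": "deliver", "quarantine": "spam", "reject": "reject"}
    return "fail", table[policy]

def scenarios():
    signed = [("hotmail.com", "pass")]  # constructed DKIM result
    return {
        # Plain forward: the receiver sees the forwarder's IP, so SPF
        # softfails, but the original DKIM signature verifies and aligns.
        "forward_dkim": dmarc(
            Msg("hotmail.com", "hotmail.com", "softfail", signed), "reject"),
        # SRS forward: SPF now passes for example.com, which is not aligned
        # with From: hotmail.com, so DKIM still carries the DMARC pass.
        "srs_dkim": dmarc(
            Msg("hotmail.com", "example.com", "pass", signed), "reject"),
        # SPF-only sender with p=reject: nothing aligns, even with SRS.
        "srs_spf_only_reject": dmarc(
            Msg("spf-only.test", "example.com", "pass"), "reject"),
        "spf_only_quarantine": dmarc(
            Msg("spf-only.test", "spf-only.test", "softfail"), "quarantine"),
        "spf_only_none": dmarc(
            Msg("spf-only.test", "spf-only.test", "softfail"), "none"),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22} {outcome}")
```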


Re: Question regarding Postfix virtual domains and SPF

2017-10-16 Thread Viktor Dukhovni
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:

> My questions are:
> 
> 1.  When using Postfix and virtual domain hosting in this fashion, is
> there any way to pass SPF when mail from a sending account is forwarded
> to another host (ie: Gmail) ?

This requires SRS, and fairly effective anti-spam filters.  Much
simpler to not support forwarding.

> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> message generates a pass for DKIM (I have OpenDKIM configured and running
> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
> DMARC pass mean that SPF is always discounted and the mail won’t be
> quarantined ?

When the sending domain has both SPF and DKIM, you may be fine, as
Google should be able to figure out that the message is a real
hotmail message relayed through your system.  However, much depends
on the details of the upstream DKIM signature and how it is processed
by Gmail.

Domains that only publish SPF pose a more significant issue.

-- 
Viktor.


Re: Question regarding Postfix virtual domains and SPF

2017-10-16 Thread Harald Koch
I solved this particular problem (forwarding third-party email to google)
using "postsrsd" https://github.com/roehling/postsrsd. SRS (Sender
Rewriting Scheme) rewrites the envelope sender address so that it appears
to be from your domain (allowing SPF to work). This is the scheme used by
forwarders like pobox.com (which is how I learned about it :)

It has drawbacks - for example, it rewrites all email (even messages that
are already from your domain). You might be able to configure around it ; I
run it on a dedicated VPS so I didn't have to investigate that part.

-- 
Harald


On 16 October 2017 at 22:05, J Doe  wrote:

> Hi,
>
> I have two questions regarding using SPF when I am using Postfix with
> virtual domain hosting.
>
> I currently have an SPF record in my DNS:
>
> example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
>
> I virtually host a domain (in this example case, example.com), that is
> set to forward mail to recipients on Gmail.  As an example case, if I send
> an e-mail from a Hotmail account to an address on my server it then
> forwards that mail to the user’s GMail e-mail address.
>
> Path:   u...@hotmail.com — > example.com (virtual domain) — >
> u...@gmail.com
>
> When examining the e-mail details on GMail, I receive a “SOFTFAIL” for
> either the IPv4 or IPv6 of my server.  Farther down in the mail I see:
>
> (google.com: domain of transitioning u...@hotmail.com does not designate
> 1:2:3::4 as permitted sender)
>
> Testing mail that actually originates from the server (not forwarded
> through virtual hosting), with the “mail” program shows a PASS of SPF on
> GMail.
>
> My questions are:
>
> 1.  When using Postfix and virtual domain hosting in this fashion, is
> there any way to pass SPF when mail from a sending account is forwarded to
> another host (ie: Gmail) ?
>
> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> message generates a pass for DKIM (I have OpenDKIM configured and running
> correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
> DMARC pass mean that SPF is always discounted and the mail won’t be
> quarantined ?
>
> Thanks for your help,
>
> - J
>
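
The envelope-sender rewrite that SRS performs, as an added sketch that is not postsrsd's code and is not claimed to interoperate with it. It uses a simplified SRS0-style layout (hash, timestamp, original domain, original local part); the secret, the day number and the 21-day validity window are constructed for the example.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    # 10-bit day counter written as two base32 characters.
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(secret, stamp, domain, local):
    # Short keyed hash so third parties cannot mint valid bounce addresses.
    data = f"{stamp}{domain}{local}".lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(sender, forwarder, secret, day):
    """Rewrite an envelope sender so SPF is checked against `forwarder`."""
    local, domain = sender.rsplit("@", 1)
    ts = _stamp(day)
    tag = _tag(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address, secret, day, max_age=21):
    """Recover the original sender from a bounce to a rewritten address."""
    local_part = address.rsplit("@", 1)[0]
    if not local_part.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    fields = local_part[5:].split("=", 3)
    if len(fields) != 4 or len(fields[1]) != 2:
        raise ValueError("malformed SRS0 address")
    tag, ts, domain, local = fields
    if not hmac.compare_digest(tag, _tag(secret, ts, domain, local)):
        raise ValueError("hash mismatch (forged or altered address)")
    stamped = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    if (day - stamped) % 1024 > max_age:
        raise ValueError("address expired")
    return f"{local}@{domain}"

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"   # constructed value
    DAY = 17456                           # days since epoch for 2017-10-17
    rewritten = srs_forward("user@hotmail.com", "example.com", SECRET, DAY)
    print(rewritten)
    print(srs_reverse(rewritten, SECRET, DAY + 3))
```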