Re: Question regarding Postfix virtual domains and SPF
Hi /dev/rob0,

> On Oct 17, 2017, at 10:26 AM, /dev/rob0 wrote:
>
>> As an example case, if I send an e-mail from a Hotmail account to
>> an address on my server it then forwards that mail to the user’s
>> GMail e-mail address.
>
> Another example to consider is when spam gets through your lines of
> defense, and you forward that spam on to gmail. El Goog thinks
> you're the spam source, and they might block you!

For the volume of mail that this server processes and the amount of spam that gets forwarded to Google I haven’t run into being blocked outright. Instead I receive an SMTP diagnostic message advising me of being rate limited.

Thanks,

- J
Re: Question regarding Postfix virtual domains and SPF
Hi Viktor,

> On Oct 16, 2017, at 10:40 PM, Viktor Dukhovni wrote:
>
>> 1. When using Postfix and virtual domain hosting in this fashion, is
>> there any way to pass SPF when mail from a sending account is forwarded
>> to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters. Much
> simpler to not support forwarding.

I did a quick search on Wikipedia and found the SRS article [1] which is fairly detailed - I will read through this over the next few days. Thanks for the tip about effective anti-spam filters.

>> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
>> message generates a pass for DKIM (I have OpenDKIM configured and running
>> correctly), and DMARC ? In this case, does a SPF SOFTFAIL but a DKIM and
>> DMARC pass mean that SPF is always discounted and the mail won’t be
>> quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system. However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.

In the diagnostic messages in the message source, it appears that Google is doing that - determining that Hotmail is a valid source. It still SOFTFAILS SPF but scores DKIM OK and thus concludes DMARC is ok.

Thanks,

- J

Sources:
[1] https://en.m.wikipedia.org/wiki/Sender_Rewriting_Scheme
Re: Question regarding Postfix virtual domains and SPF
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
> I have two questions regarding using SPF when I am using Postfix
> with virtual domain hosting.
>
> I currently have an SPF record in my DNS:
>
> example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
             ^no dot?   ^ .. non-ASCII quote characters ...        ^

Yes, probably just copy/paste errors, but attention to detail is important.

> I virtually host a domain (in this example case, example.com),
> that is set to forward mail to recipients on Gmail.

Usually "virtual" means "using the Postfix virtual(8) delivery agent," but clearly in this case you mean something else, like a relay domain or virtual alias domain.

I don't get why, if you're wanting to read the mail via gmail, you don't just pay Google to host the domain? That would be MUCH simpler.

> As an example case, if I send an e-mail from a Hotmail account to
> an address on my server it then forwards that mail to the user’s
> GMail e-mail address.

Another example to consider is when spam gets through your lines of defense, and you forward that spam on to gmail. El Goog thinks you're the spam source, and they might block you!

(I'm leaving the SPF/DKIM/DMARC questions for others, but holding to the point that forwarding spam *will* cause big problems.)

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Question regarding Postfix virtual domains and SPF
On 17 October 2017 at 03:40, Viktor Dukhovni wrote:

> On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
>
> > My questions are:
> >
> > 1. When using Postfix and virtual domain hosting in this fashion, is
> > there any way to pass SPF when mail from a sending account is forwarded
> > to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters. Much
> simpler to not support forwarding.
>

or just don't worry about it

> > 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> > message generates a pass for DKIM (I have OpenDKIM configured and running
> > correctly), and DMARC ? In this case, does a SPF SOFTFAIL but a DKIM and
> > DMARC pass mean that SPF is always discounted and the mail won’t be
> > quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system. However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.
>
> Domains that only publish SPF pose a more significant issue.
>

With DMARC, either an SPF pass or a DKIM pass will result in overall pass (subject to alignment). If there is no DMARC, or DMARC p=none, neither SPF nor DKIM failure should lead to rejection by Gmail. With DMARC p=quarantine, Gmail puts an email that fails SPF and DKIM into spam.

So it is only really an issue if the sender domain has DMARC p=reject policy and uses SPF without DKIM, but in my experience (with almost identical setup to OP) this is very rare.

Also, as Viktor's reply hints, there can be edge cases where an incoming mail passes DKIM at our server but fails DKIM at Gmail - again these are very rare (I am aware of one domain - with DMARC p=reject policy - some of whose marketing emails, but nothing important, fall into this category). Why this happens I don't know, presumably as Viktor says there is some difference between opendkim and Gmail's dkim implementation.

For forwarding to Gmail I recommend opendmarc (as well as opendkim) on your server, this can block some 'bad' incoming emails before they get sent on to Gmail and damage your server's reputation. And decent spam filtering - I use lots of rbls as well as amavisd-new (which uses spamassassin but with bayesian tests disabled because there can be no ham/spam learning).
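The DMARC outcomes described in the reply above, as an added example that is not part of the original post. All domains and message values are constructed, relaxed alignment is simplified to a subdomain check (real DMARC compares organizational domains using the Public Suffix List), and the last case goes beyond the post by showing that an SRS-rewritten envelope sender passes SPF without being aligned to the From: domain.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Simplified relaxed alignment (assumption): equal, or one is a subdomain
    # of the other. Real DMARC compares organizational domains via the PSL.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)

@dataclass
class Received:
    from_domain: str                      # domain in the From: header
    spf_result: str                       # pass / softfail / fail / none
    spf_domain: str                       # envelope sender (MAIL FROM) domain
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d=)

def dmarc_outcome(msg: Received, policy: Optional[str]) -> str:
    """policy: the From: domain's published p= value, None if no record."""
    if policy is None:
        return "no-dmarc"
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = any(r == "pass" and aligned(d, msg.from_domain) for r, d in msg.dkim)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "fail-deliver", "quarantine": "fail-spam",
            "reject": "fail-reject"}[policy]

def constructed_cases() -> dict:
    # Constructed messages as seen by the final receiver after forwarding.
    both = Received("sender.example", "softfail", "sender.example",
                    [("pass", "sender.example")])
    spf_only = Received("sender.example", "softfail", "sender.example")
    srs = Received("sender.example", "pass", "forwarder.example")
    return {
        "spf+dkim, p=reject": dmarc_outcome(both, "reject"),
        "spf only, p=quarantine": dmarc_outcome(spf_only, "quarantine"),
        "spf only, p=reject": dmarc_outcome(spf_only, "reject"),
        "spf only, p=none": dmarc_outcome(spf_only, "none"),
        "spf only + SRS, p=reject": dmarc_outcome(srs, "reject"),
    }

if __name__ == "__main__":
    for case, result in constructed_cases().items():
        print(f"{case:26} -> {result}")
```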
Re: Question regarding Postfix virtual domains and SPF
On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:

> My questions are:
>
> 1. When using Postfix and virtual domain hosting in this fashion, is
> there any way to pass SPF when mail from a sending account is forwarded
> to another host (ie: Gmail) ?

This requires SRS, and fairly effective anti-spam filters. Much simpler to not support forwarding.

> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> message generates a pass for DKIM (I have OpenDKIM configured and running
> correctly), and DMARC ? In this case, does a SPF SOFTFAIL but a DKIM and
> DMARC pass mean that SPF is always discounted and the mail won’t be
> quarantined ?

When the sending domain has both SPF and DKIM, you may be fine, as Google should be able to figure out that the message is a real hotmail message relayed through your system. However, much depends on the details of the upstream DKIM signature and how it is processed by Gmail.

Domains that only publish SPF pose a more significant issue.

--
	Viktor.
Re: Question regarding Postfix virtual domains and SPF
I solved this particular problem (forwarding third-party email to google) using "postsrsd" https://github.com/roehling/postsrsd.

SRS (Sender Rewriting Scheme) rewrites the envelope sender address so that it appears to be from your domain (allowing SPF to work). This is the scheme used by forwarders like pobox.com (which is how I learned about it :)

It has drawbacks - for example, it rewrites all email (even messages that are already from your domain). You might be able to configure around it; I run it on a dedicated VPS so I didn't have to investigate that part.

--
Harald

On 16 October 2017 at 22:05, J Doe wrote:

> Hi,
>
> I have two questions regarding using SPF when I am using Postfix with
> virtual domain hosting.
>
> I currently have an SPF record in my DNS:
>
> example.com    TXT    “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”
>
> I virtually host a domain (in this example case, example.com), that is
> set to forward mail to recipients on Gmail. As an example case, if I send
> an e-mail from a Hotmail account to an address on my server it then
> forwards that mail to the user’s GMail e-mail address.
>
> Path: u...@hotmail.com —> example.com (virtual domain) —> u...@gmail.com
>
> When examining the e-mail details on GMail, I receive a “SOFTFAIL” for
> either the IPv4 or IPv6 of my server. Farther down in the mail I see:
>
> (google.com: domain of transitioning u...@hotmail.com does not designate
> 1:2:3::4 as permitted sender)
>
> Testing mail that actually originates from the server (not forwarded
> through virtual hosting), with the “mail” program shows a PASS of SPF on
> GMail.
>
> My questions are:
>
> 1. When using Postfix and virtual domain hosting in this fashion, is
> there any way to pass SPF when mail from a sending account is forwarded to
> another host (ie: Gmail) ?
>
> 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> message generates a pass for DKIM (I have OpenDKIM configured and running
> correctly), and DMARC ? In this case, does a SPF SOFTFAIL but a DKIM and
> DMARC pass mean that SPF is always discounted and the mail won’t be
> quarantined ?
>
> Thanks for your help,
>
> - J
>
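The envelope-sender rewrite described in the message above, as an added example; it is not postsrsd's code and is not guaranteed to match its wire format. It follows the general SRS0 layout (hash, timestamp, original domain, original local part), and the secret, domains, 21-day validity window and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                     # assumed window in which bounces are accepted

def _stamp(now: float) -> str:
    days = int(now // 86400) % 1024   # 10-bit day counter, two base32 characters
    return B32[days >> 5] + B32[days & 31]

def _tag(secret: bytes, *parts: str) -> str:
    # Keyed hash over timestamp, domain and local part, truncated to 4 characters.
    mac = hmac.new(secret, "".join(parts).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(sender: str, fwd_domain: str, secret: bytes, now=None) -> str:
    """Rewrite the envelope sender so the next hop checks SPF for fwd_domain."""
    local, _, domain = sender.rpartition("@")
    ts = _stamp(time.time() if now is None else now)
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{fwd_domain}"

def srs_reverse(addr: str, secret: bytes, now=None) -> str:
    """Recover the original sender for a bounce; refuse forged or stale addresses."""
    local_part = addr.rpartition("@")[0]
    if not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, ts, domain, local = local_part[5:].split("=", 3)
    expected = _tag(secret, ts, domain, local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("hash mismatch: address was not issued by this forwarder")
    if len(ts) != 2:
        raise ValueError("malformed timestamp")
    issued = B32.index(ts[0].upper()) << 5 | B32.index(ts[1].upper())
    today = int((time.time() if now is None else now) // 86400) % 1024
    if (today - issued) % 1024 > MAX_AGE_DAYS:
        raise ValueError("address expired")
    return f"{local}@{domain}"

if __name__ == "__main__":
    key = b"constructed-secret"       # constructed value for the demo
    rewritten = srs_forward("alice@sender.example", "forwarder.example", key)
    print(rewritten, "->", srs_reverse(rewritten, key))
```

The keyed hash is what lets the forwarder reject bounce addresses it never issued, so the rewritten address cannot be used to relay mail to arbitrary senders.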