Re: Sender Rewriting Scheme and backup MX
> "Matus" == Matus UHLAR <- fantomas > writes:
>
>    Matus> is it not. To be precise:
>    Matus> SRS is to be used when you accept mail for one address and re-send to
>    Matus> another address (in different domain/on different server).
>    Matus> this is not the case for backup MX.

On 18.11.21 18:28, Togan Muftuoglu wrote:
> Thanks for the clarification. One more thing having the backup MX listed in
> the SPF records of the domain and opendkim signing the relayed mails does not
> break the validations in the primary MX when it receives mail from the
> backup, correct ?

there's no reason why backup MX should be listed in SPF record.
Backup MX received mail for your domain, you'd need to list it in all other
domains.

...unless it rewrites mail sender, but that's not a good idea - in that case
it's not backup MX but mail forwarder :-)

The backup MX should be listed in local exemptions for SPF checking.

DKIM has nothing to do with it, unless backup MX modifies headers or body of
the mail, in which case the backup should be exempted from DKIM checks as
long.

In standard case, backup MX should do the SPF/DKIM/DMARC checks itself, and
output from backup MX should be trusted by your mailserver.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Microsoft dick is soft to do no harm
Re: Sender Rewriting Scheme and backup MX
> "Viktor" == Viktor Dukhovni writes:

    >> On 18 Nov 2021, at 12:28 pm, Togan Muftuoglu wrote:
    >>
    >> Thanks for the clarification. One more thing having the backup MX listed in
    >> the SPF records of the domain and opendkim signing the relayed mails does
    >> not break the validations in the primary MX when it receives mail from the
    >> backup, correct ?

    Viktor> Any receiving system that elects to use a backup MX must whitelist
    Viktor> mail from the backup MX:

    Viktor> * Not apply any SPF checks

Both Backup and Primary MX run openDMARC with the following settings

RejectFailures true
SPFIgnoreResults false

They also run opendkim in signing/verifying mode

##
## Causes the filter to perform a fallback SPF check itself when
## it can find no SPF results in the message header. If SPFIgnoreResults
## is also set, it never looks for SPF results in headers and
## always performs the SPF check itself when this is set.
# SPFSelfValidate true

## TrustedAuthservIDs string
## default HOSTNAME
##
## Specifies one or more "authserv-id" values to trust as relaying true
## upstream DKIM and SPF results. The default is to use the name of
## the MTA processing the message. To specify a list, separate each entry
## with a comma. The key word "HOSTNAME" will be replaced by the name of
## the host running the filter as reported by the gethostname(3) function.
#

Both backup and primary have their fqdn listed as TrustedAuthservIDs

    Viktor> * Not greylist

Both primary and backup are running postscreen with identical allowlisted cidr

    Viktor> * Not reject messages other than to invalid recipients

Both of them reject all mail for non-existent recipients.
Backup MX has relay_recipients that is synced with Primary MX recipients list

They both have spamass-milter running and they both reject with a spam score
of 8

In addition I have applied the examples mentioned in the
http://www.postfix.org/BACKSCATTER_README.html#real

So under the above mentioned conditions anything I should not be doing or
should be doing instead ?

Thanks
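The following is an added illustration, not code from any poster in this thread. It shows why the primary MX fails SPF when it re-checks mail relayed by the backup MX, and how reusing only the Authentication-Results header stamped by a trusted authserv-id (the TrustedAuthservIDs idea above) avoids that. All host names and addresses are constructed, and the SPF evaluator is a simplification that handles only ip4: and all.

```python
import ipaddress
import re

# Constructed sample values (documentation ranges), not taken from the thread.
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"   # remote sender domain's SPF policy
SENDER_IP = "192.0.2.25"                      # host that connected to the backup MX
BACKUP_MX_IP = "198.51.100.10"                # host that connects to the primary MX
TRUSTED_IDS = {"mx1.example.org", "mx2.example.org"}  # primary and backup authserv-ids
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Simplified SPF: evaluates only ip4: mechanisms and 'all', left to right."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"

def trusted_spf_result(ar_headers, trusted_ids):
    """SPF result from the first Authentication-Results header with a trusted authserv-id."""
    for value in ar_headers:
        m = re.match(r"\s*([^;\s]+)[^;]*;(.*)", value, re.S)
        if not m or m.group(1).lower() not in trusted_ids:
            continue  # stamped by an unknown host, possibly forged: ignore it
        hit = re.search(r"\bspf=(\w+)", m.group(2))
        if hit:
            return hit.group(1).lower()
    return None

def primary_verdict(client_ip, ar_headers, record, exempt_ips, trusted_ids):
    """What the primary MX concludes about SPF for one inbound message."""
    if client_ip in exempt_ips:
        # Relayed by our backup MX: do not re-check, reuse the backup's own result.
        return trusted_spf_result(ar_headers, trusted_ids) or "none"
    return spf_check(record, client_ip)

# Constructed Authentication-Results values as the primary would see them.
LEGIT = ["mx2.example.org; spf=pass smtp.mailfrom=user@sender.example"]
SPOOFED = ["mail.sender.example; spf=pass smtp.mailfrom=user@sender.example",  # forged
           "mx2.example.org; spf=fail smtp.mailfrom=user@sender.example"]
```

Trusting these headers is only safe if the trusted hosts strip inbound Authentication-Results headers that already carry their own authserv-id, as RFC 8601 recommends for border MTAs.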
Re: Sender Rewriting Scheme and backup MX
Viktor Dukhovni:
> > On 18 Nov 2021, at 12:28 pm, Togan Muftuoglu wrote:
> >
> > Thanks for the clarification. One more thing having the backup MX listed in
> > the SPF records of the domain and opendkim signing the relayed mails does
> > not break the validations in the primary MX when it receives mail from the
> > backup, correct ?
>
> Any receiving system that elects to use a backup MX must whitelist mail from
> the backup MX:
>
> * Not apply any SPF checks
> * Not greylist
> * Not reject messages other than to invalid recipients

A backup MX that can't reject invalid recipients is a backscatter
source when a spammer generates recipients from a dictionary.

Wietse
Re: Sender Rewriting Scheme and backup MX
> On 18 Nov 2021, at 12:28 pm, Togan Muftuoglu wrote:
>
> Thanks for the clarification. One more thing having the backup MX listed in
> the SPF records of the domain and opendkim signing the relayed mails does not
> break the validations in the primary MX when it receives mail from the backup,
> correct ?

Any receiving system that elects to use a backup MX must whitelist mail from
the backup MX:

* Not apply any SPF checks
* Not greylist
* Not reject messages other than to invalid recipients

--
Viktor.
Re: Sender Rewriting Scheme and backup MX
> "Matus" == Matus UHLAR <- fantomas > writes:

    Matus> is it not. To be precise:
    Matus> SRS is to be used when you accept mail for one address and re-send to
    Matus> another address (in different domain/on different server).
    Matus> this is not the case for backup MX.

Thanks for the clarification. One more thing having the backup MX listed in
the SPF records of the domain and opendkim signing the relayed mails does not
break the validations in the primary MX when it receives mail from the backup,
correct ?

Thanks
Re: Sender Rewriting Scheme and backup MX
On 18.11.21 17:10, Togan Muftuoglu wrote:
> Should Sender Rewriting Scheme be enabled for a server acting as backup MX.

no, SRS is supposed to be implemented for outgoing. not incoming mail.

> My understanding is SRS is needed if the mail server acts as forwarder. But in
> the case of a backup MX it is not a forwarder. (or is it ?)

is it not. To be precise:
SRS is to be used when you accept mail for one address and re-send to
another address (in different domain/on different server).
this is not the case for backup MX.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Emacs is a complicated operating system without good text editor.
Sender Rewriting Scheme and backup MX
Hi,

Should Sender Rewriting Scheme be enabled for a server acting as backup MX?
Just to be specific I want one of my servers to solely act as a backup MX for
the domain.

My understanding is SRS is needed if the mail server acts as forwarder. But in
the case of a backup MX it is not a forwarder. (or is it ?)

Postfix documentation regarding Backup MX doesn't mention anything about this
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
and the address rewriting documentation also doesn't mention such a thing
http://www.postfix.org/ADDRESS_REWRITING_README.html
or am I not seeing it?

Thanks