Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-20 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 15:15 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG wrote on 2024-01-19 11:12:
> 
> > I rely on DNSWL for the reputable MX.
> 
> if reputation is 100% needed we all have to make local rescore on all 
> local mails, since reputation is to be local, not external just
> 
> i consider dnswl level 0 to be positive scored, and let the other 
> levels be negative, this fits nicely, but was not designed to be so
> in mta stage
> 

I think "reputation" is a somewhat political term. And each person has
different standards. So it's quite difficult to give a detailed
response to your feedback.

Happy new year, Benny!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread John Hardin

On Fri, 19 Jan 2024, Thomas Cameron wrote:


On 1/19/24 16:32, Byung-Hee HWANG wrote:

 There is a filtering rule in Gmail:

 *Never send it to Spam*

 I apply that rule to extremely important emails such as debian-bugs-
 dist and debian-devel-announce.


You know that. I know that. But trying to explain to the board members I'm 
helping out is... painful.


Very simply worded step by step instructions, with screenshots amended 
with arrows, outlines, highlights and so forth as needed.


...the .sigmonster agrees.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  News flash: Lowest Common Denominator down 50 points
---
 4 days until John Moses Browning's 169th Birthday


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 16:32, Byung-Hee HWANG wrote:

There is a filtering rule in Gmail:

*Never send it to Spam*

I apply that rule to extremely important emails such as debian-bugs-
dist and debian-devel-announce.


You know that. I know that. But trying to explain to the board members 
I'm helping out is... painful.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
Hello Thomas,

> But it drops it into the spam folder every time. So when I'm sending 
> emails to someone's alias, they have to check their spam folder. Even
> when they mark it as "not spam," GMail still drops it into the spam 
> folder. It's very frustrating.
> 

There is a filtering rule in Gmail:

*Never send it to Spam*

I apply that rule to extremely important emails such as debian-bugs-
dist and debian-devel-announce.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 14:33, Matija Nalis wrote:

You would need to encourage at least several of the recipients (the
more the better) to click on "Not spam" button on GMail on such
mails. Then it will (eventually) start accepting them normally.


Yup, that's basically what I've been doing.


see e.g. 
https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google

I suspect that Google might even be doing it on purpose, in order to
"encourage" even more users to be locked in their e-mail
walled-garden ecosystem.


Google being anti-competitive? I'm shocked! SHOCKED, I say! 

--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Matija Nalis
On Fri, Jan 19, 2024 at 10:37:13AM -0600, Thomas Cameron wrote:
> The forwarded email is being *accepted* by GMail. My issue now is that GMail
> drops it into the recipient's spam folder. I suspect it's a reputation
> thing. Once the server is up and running for a while, I'm hoping that GMail
> will stop flagging the emails from the server as spam.


You would need to encourage at least several of the recipients (the
more the better) to click on "Not spam" button on GMail on such
mails. Then it will (eventually) start accepting them normally.

see e.g. 
https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google

I suspect that Google might even be doing it on purpose, in order to
"encourage" even more users to be locked in their e-mail
walled-garden ecosystem.

-- 
Opinions above are GNU-copylefted.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 05:40, Matus UHLAR - fantomas wrote:
I built email servers for a non-profit I volunteer for.  If email 
comes into the server for presid...@myassociation.org, I would 
normally just create an alias in /etc/aliases so that emails to 
president@ get forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, 
gmail rejects the forwarded email because it appears to come from my 
personal domain, not the mythical myassociation.org domain.  DKIM, 
DMARC, and SPF all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject 
that message. Gmail is not the only mail service available.


Initially, I was seeing errors where GMail didn't list SPF as "passed." 
But after about an hour, it started passing. I think it was an old DNS 
record that finally expired.


The forwarded email is being *accepted* by GMail. My issue now is that 
GMail drops it into the recipient's spam folder. I suspect it's a 
reputation thing. Once the server is up and running for a while, I'm 
hoping that GMail will stop flagging the emails from the server as spam.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 04:07, Byung-Hee HWANG wrote:

Hello Thomas,

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee


The issue is not so much that GMail doesn't accept the email. It does, 
since I have DKIM, DMARC, and SPF set up.


But it drops it into the spam folder every time. So when I'm sending 
emails to someone's alias, they have to check their spam folder. Even 
when they mark it as "not spam," GMail still drops it into the spam 
folder. It's very frustrating.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-19 11:12:


I rely on DNSWL for the reputable MX.


if reputation is 100% needed we all have to make local rescore on all 
local mails, since reputation is to be local, not external just


i consider dnswl level 0 to be positive scored, and let the other 
levels be negative, this fits nicely, but was not designed to be so in 
mta stage




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Marc wrote on 2024-01-19 09:34:


Hi Byung and Benny, are you having a nice MX party? :)


not needed yet, hehe




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-19 06:16:


Actually i used Google MX for 10 years. Recently, i created dedicated
MXs and am continuing to operate them. Plus, the dedicated MXs run on
Google Cloud and RimuHosting.


it was too weird for me to figure out how to get it working, and possibly 
in the long run also too expensive, one of the problems i spotted is no 
dnssec, who will accept this in 2024 ?


i have considered also protonmail and fastmail, just to name other, i 
lost proton, having lost the mails on the account, lost the private key, 
so learned the hard way


for me host own servers is best for me with gentoo, no precompiled 
problems at all



I terminated my Google Workspace commercial account. 2 years ago.


not needed anymore ?, or just too expensive ?, minimal one could have an 
own mta, and then relay with sasl auth to gmail, so this way gmail is 
just mailstorage, and the reverse is in gmail to use external mta, if i 
do anything, i might try it




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 08:34 +, Marc wrote:
> > > Byung-Hee HWANG wrote on 2024-01-08 12:27:
> > > 
> > > > Gmail is my last INBOX. That's enough for me.
> > > 
> > > +1, so you are ready to setup google mx ? :)
> > > 
> > 
> > Hello Benny,
> > 
> > Actually i used Google MX for 10 years. Recently, i created
> > dedicated
> > MXs and am continuing to operate them. Plus, the dedicated MXs run
> > on
> > Google Cloud and RimuHosting.
> > 
> > I terminated my Google Workspace commercial account. 2 years ago.
> > 
> 
> Hi Byung and Benny, are you having a nice MX party? :)
> 

Hello Marc,

I rely on DNSWL for the reputable MX.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


RE: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Marc
> > Byung-Hee HWANG wrote on 2024-01-08 12:27:
> >
> > > Gmail is my last INBOX. That's enough for me.
> >
> > +1, so you are ready to setup google mx ? :)
> >
> 
> Hello Benny,
> 
> Actually i used Google MX for 10 years. Recently, i created dedicated
> MXs and am continuing to operate them. Plus, the dedicated MXs run on
> Google Cloud and RimuHosting.
> 
> I terminated my Google Workspace commercial account. 2 years ago.
> 

Hi Byung and Benny, are you having a nice MX party? :)



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-18 Thread Byung-Hee HWANG
On Mon, 2024-01-08 at 17:17 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG wrote on 2024-01-08 12:27:
> 
> > Gmail is my last INBOX. That's enough for me.
> 
> +1, so you are ready to setup google mx ? :)
> 

Hello Benny,

Actually i used Google MX for 10 years. Recently, i created dedicated
MXs and am continuing to operate them. Plus, the dedicated MXs run on
Google Cloud and RimuHosting.

I terminated my Google Workspace commercial account. 2 years ago. 


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-08 12:27:


Gmail is my last INBOX. That's enough for me.


+1, so you are ready to setup google mx ? :)

https://support.google.com/a/answer/140034?hl=en

i don't like it yet, missing dnssec and dane, tlsa, google is not 
friendly there


if google wants my money its required payment for me



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Matus UHLAR - fantomas

This is not good advice. Whoever filters SPF at SMTP time will
reject that
message. Gmail is not the only mail service available.


On 08.01.24 20:27, Byung-Hee HWANG wrote:

Gmail is my last INBOX. That's enough for me.


that's what I wanted to say - enough for someone, but not generally enough.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Byung-Hee HWANG
> 
> This is not good advice. Whoever filters SPF at SMTP time will
> reject that 
> message. Gmail is not the only mail service available.

Hello Matus,

Gmail is my last INBOX. That's enough for me.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Matus UHLAR - fantomas
I built email servers for a non-profit I volunteer for.  If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain.  DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject that 
message. Gmail is not the only mail service available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Byung-Hee HWANG
> 
> I built email servers for a non-profit I volunteer for. If email
> comes 
> into the server for presid...@myassociation.org, I would normally
> just 
> create an alias in /etc/aliases so that emails to president@ get 
> forwarded to the president's "real" email address, say 
> presidents_real_em...@gmail.com.
> 
> The problem is, when I send email to presid...@myassociation.org,
> gmail 
> rejects the forwarded email because it appears to come from my
> personal 
> domain, not the mythical myassociation.org domain. DKIM, DMARC, and
> SPF 
> all fail, which I totally understand.
> 
> How can I make this work? 


Hello Thomas,

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Andy Smith
Hello,

On Wed, Jan 03, 2024 at 01:24:02PM -0600, Thomas Cameron via users wrote:
> On 1/2/24 17:51, Andy Smith wrote:
> > - Have your users collect their your-org email by some means other
> >   than SMTP, such as running an IMAP server and having them view
> >   both their gmail mailbox and their your-org inbox in one place (I
> >   have no idea if that is feasible with gmail).
> 
> This is what *I* would do, for sure. But the members of the association are
> incredibly non-technical, and trying to walk them through setting up an
> email client like Thunderbird or Outlook is a recipe for disaster.

I understand their point of view but maybe it needs putting to them
from the angle that the org is like any other workplace. They would
not expect their employer's internal emails to be forwarded to them
at $freemail.

Though then that does invite them to ask if they can have a
dedicated device to manage org email then. 

(Which in many ways is not unreasonable either…)

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:35, Matus UHLAR - fantomas wrote:

On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


Yup, and it seems to be working now. After about an hour, it suddenly 
started working as expected.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?


I absolutely can send them, but since it's working now, I'm going to 
blame this on Google and run. :-D


--
Thanks!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:31, Matus UHLAR - fantomas wrote:

On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the 
SPF record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, 
but the DKIM signature must be made by sending server, so forwarded 
messages without valid DKIM signature will not pass.


The weird thing is, after a little while, everything seems to be working 
just fine. When I send an email to one of the aliases on the server, it 
sends it to the "real" email address at GMail. It now passes SPF, DMARC, 
and DKIM tests. Looking in the headers on GMail, I see both DKIM 
signatures, from the server which sent the original email, and the one 
on our mail server.


I have no idea why GMail was saying it didn't pass checks earlier. I saw 
the same DKIM signatures in the headers before.


Anyway, SRS is very cool, and I appreciate all the folks who pointed me 
to it.


--
Thanks for the advice, Matus!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

Thomas Cameron  writes:

Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.



On 1/3/24 19:45, Greg Troxel wrote:

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

On 1/3/24 15:44, Bill Cole wrote:
Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) 
and it has multiple implementations. If you forward mail, you will 
break SPF unless you fix the envelope sender so that it uses a 
domain  that permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have 
users fetch from there instead of simply forwarding mail to them. 
This also avoids a completely distinct problem of places like GMail 
deciding that your org's mail server is a spamming service because 
it is forwarding spam. If users POP their mail instead of having it 
forwarded via SMTP, that does not happen.


On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the SPF 
record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, but 
the DKIM signature must be made by sending server, so forwarded messages 
without valid DKIM signature will not pass.



Many thanks for your help, it's genuinely appreciated!


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
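
The DMARC rule described in the message above (a pass needs DKIM or SPF to succeed for the domain in From:), applied to forwarded mail, as an added Python example that is not code from anyone in this thread. The Authentication-Results values and the receiver name mx.receiver.example are constructed, and alignment is simplified to relaxed mode with the last two labels taken as the organizational domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Return (method, result, domain) for each spf/dkim entry in one header value."""
    entries = []
    for part in value.split(";")[1:]:      # element 0 is the authserv-id
        part = " ".join(part.split())      # undo header folding
        m = re.match(r"(spf|dkim)=(\w+)", part)
        if not m:
            continue
        method, result = m.groups()
        # SPF authenticates the envelope sender, DKIM the signing domain (d=).
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", part)
        domain = d.group(1).rsplit("@", 1)[-1] if d else ""
        entries.append((method, result, domain))
    return entries


def dmarc_verdict(raw_message):
    """Return ("pass"|"fail", [(method, domain), ...]) listing the aligned passes."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    aligned = [
        (method, domain)
        for method, result, domain in parse_auth_results(msg["Authentication-Results"])
        if result == "pass" and org_domain(domain) == org_domain(from_domain)
    ]
    return ("pass" if aligned else "fail"), aligned


def sample(auth_results):
    # Constructed message: original author at somedomain.com, relayed by
    # myassociation.org (the two placeholder domains used in the thread).
    return (
        "From: Alice <alice@somedomain.com>\n"
        "Subject: constructed sample\n"
        "Authentication-Results: " + auth_results + "\n"
        "\n"
        "body\n"
    )


# Forwarded with SRS, message untouched: SPF passes for the forwarder's domain
# (not aligned), the original DKIM signature still verifies (aligned).
SRS_INTACT = sample(
    "mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=SRS0=Zm9v=IO=somedomain.com=alice@myassociation.org;\n"
    " dkim=pass header.d=somedomain.com;\n"
    " dkim=pass header.d=myassociation.org"
)

# Forwarded with SRS, but the message was modified in transit: only the
# forwarder's own signature verifies, and nothing aligns with From:.
SRS_MODIFIED = sample(
    "mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=SRS0=Zm9v=IO=somedomain.com=alice@myassociation.org;\n"
    " dkim=fail header.d=somedomain.com;\n"
    " dkim=pass header.d=myassociation.org"
)

# Forwarded without SRS: SPF fails for the original envelope sender, DMARC
# still passes on DKIM, but a receiver rejecting on SPF alone never gets here.
NO_SRS = sample(
    "mx.receiver.example;\n"
    " spf=fail smtp.mailfrom=alice@somedomain.com;\n"
    " dkim=pass header.d=somedomain.com"
)

if __name__ == "__main__":
    for name, raw in (("SRS, intact", SRS_INTACT),
                      ("SRS, modified", SRS_MODIFIED),
                      ("no SRS", NO_SRS)):
        print(name, dmarc_verdict(raw))
```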


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron




On 1/3/24 19:45, Greg Troxel wrote:

Thomas Cameron  writes:


Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.


That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I am 
looking at the OpenDKIM headers. It's in a weird limbo where I can see 
the email got marked but GMail is not marking it either way.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
Thomas Cameron  writes:

> Yeah, the weird thing is, when I check the forwarded email on GMail, I
> see in the headers that both the original sending email server (call
> it mail.somedomain.com) and the relay server (call it
> mail.myassociation.org) put DKIM signatures in the message.

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.

> GMail doesn't flag it as "passed" for DKIM. I am looking to see if
> PostSRSd has any sort of configuration option to delete the DKIM of the
> original sending server so that it will "pass" DKIM checks.

Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 17:41, Greg Troxel wrote:

You are overlooking that DKIM from the original From: is the
responsibility of that domain and that if you do not modify the message
then it should still pass.  Domains sending without DKIM are going to be
a mess.


Yeah, the weird thing is, when I check the forwarded email on GMail, I 
see in the headers that both the original sending email server (call it 
mail.somedomain.com) and the relay server (call it 
mail.myassociation.org) put DKIM signatures in the message.


GMail doesn't flag it as "passed" for DKIM. I am looking to see if 
PostSRSd has any sort of configuration option to delete the DKIM of the 
original sending server so that it will "pass" DKIM checks.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 15:44, Bill Cole wrote:


Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it 
has multiple implementations. If you forward mail, you will break SPF 
unless you fix the envelope sender so that it uses a domain  that 
permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have users 
fetch from there instead of simply forwarding mail to them. This also 
avoids a completely distinct problem of places like GMail deciding that 
your org's mail server is a spamming service because it is forwarding 
spam. If users POP their mail instead of having it forwarded via SMTP, 
that does not happen.


Thanks for the advice on SRS - I have set it up and it's mostly working. 
At least GMail accepts the emails, although it seems to be failing DKIM 
and DMARC tests. I'm digging into what, if anything, can be done to make 
PostSRSd fix this issue.


Many thanks for your help, it's genuinely appreciated!

Thomas
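
What "fixing the envelope sender" with SRS looks like, as an added Python sketch that is not PostSRSd's code or anyone's code from this thread. It follows the common SRS0=hash=timestamp=domain=local layout; the truncated HMAC-SHA1 tag, the base32 day stamp, the 21-day validity window and the secret are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _stamp(now):
    # Two base32 characters encoding the day number modulo 1024.
    days = int(now // 86400) % 1024
    return B32[days >> 5] + B32[days & 31]


def _tag(secret, *fields):
    # Short keyed hash so outsiders cannot mint valid SRS addresses and
    # turn the forwarder into an open bounce relay.
    mac = hmac.new(secret, "".join(fields).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, forwarder_domain, secret, now=None):
    """Rewrite an envelope sender so it lives in the forwarder's own domain."""
    local, _, domain = sender.rpartition("@")
    ts = _stamp(time.time() if now is None else now)
    tag = _tag(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, now=None, max_age_days=21):
    """Recover the original sender from a bounce sent to an SRS0 address."""
    local, _, _ = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    # Only the first three '=' are separators; the original local part may contain more.
    tag, ts, domain, orig_local = local[5:].split("=", 3)
    if not hmac.compare_digest(tag, _tag(secret, ts, domain, orig_local)):
        raise ValueError("hash mismatch: address was not issued by this forwarder")
    if len(ts) != 2 or any(c.upper() not in B32 for c in ts):
        raise ValueError("malformed timestamp")
    then = B32.index(ts[0].upper()) * 32 + B32.index(ts[1].upper())
    today = int((time.time() if now is None else now) // 86400) % 1024
    if (today - then) % 1024 > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


# Constructed values: the two placeholder domains from the thread and a dummy secret.
SECRET = b"constructed-secret-not-for-production"
T0 = 1704326400  # 2024-01-04 00:00:00 UTC

if __name__ == "__main__":
    rewritten = srs_forward("alice@somedomain.com", "myassociation.org", SECRET, now=T0)
    print(rewritten)  # SPF is now evaluated against myassociation.org
    print(srs_reverse(rewritten, SECRET, now=T0 + 3 * 86400))
```

Because the rewritten address sits in the forwarder's domain, the receiving server checks the forwarder's SPF record rather than the original sender's; the From: header and the original DKIM signature are left untouched.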


[SOLVED] Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 18:16, Michael Grant wrote:

Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant


This is super helpful, thank you very much! I was not aware you could 
configure GMail to pull from another account, that's incredibly helpful!


I wound up installing PostSRSd 
(https://github.com/roehling/postsrsd/tree/main). Now, when I send email 
to one of the officers in the non-profit, I have their actual email 
address set up in /etc/aliases, and SRSd rewrites the headers so that 
GMail at least accepts them now. Before, it was just flat out rejecting 
them.


The annoying thing is that when I send email from the mail server I set 
up, even though it *passes* SPF, DKIM, and DMARC 
(https://imgur.com/a/FuA6HiK), GMail is still dumping into the Spam 
folder. It's incredibly irritating. After I marked a handful of them 
"not spam," it stopped doing it, but we're going to be sending emails to 
the members of the association (and I know several use GMail). I really 
don't know what the heck I am supposed to do to get GMail to stop 
dropping the messages into the spam folder. I thought you could set up 
some sort of DNS TXT record for Google to show that you're a legit 
sender, but I can't find documentation for it except for Google Workplaces.


Anyway, thanks everyone for the great suggestions! I learned a lot doing 
this, and I was unaware of SRS... That's fantastic info!


--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Michael Grant via users
Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
"Thomas Cameron via users"  writes:

> I actually set up SPF, DMARC, and DKIM on the non-profit's email
> server. It works fine if I send email from the server.
>
> The rub is, I want all emails to presid...@example.org to be forwarded
> to presidents_real_addr...@gmail.com. Since the forward happens at
> mail.example.org, the "from" is from some other domain from
> example.org, so it fails all the tests.

You are overlooking that DKIM from the original From: is the
responsibility of that domain and that if you do not modify the message
then it should still pass.  Domains sending without DKIM are going to be
a mess.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread admin
Hello Thomas,

This might help too:
These failures are often due to SPFs that have a hard fail (meaning they end 
with ‘-all’). When I dealt with this in the past, the original sending domain 
was one where we could modify the SPF. So we had the email sender change “-all” 
to “~all” and since that makes it a soft fail, the email forwards started 
operating again. 

And it sounds like you already know this but: 

SPFs are basically TXT records attached to a domain’s DNS that specify which 
mail server IPs have permission to send that domain’s emails. Hence the issue 
with email forwarding; Domain A sends to B which sends to C which makes C 
grumpy since B isn’t on A’s list of approved IPs. 

> On Jan 3, 2024, at 1:46 PM, Bill Cole wrote:
> 
> On 2024-01-03 at 14:17:11 UTC-0500 (Wed, 3 Jan 2024 13:17:11 -0600)
> Thomas Cameron via users is rumored to have said:
> 
>> The rub is, I want all emails to presid...@example.org to be forwarded to 
>> presidents_real_addr...@gmail.com. Since the forward happens at 
>> mail.example.org, the "from" is from some other domain from example.org, so 
>> it fails all the tests.
> 
> Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it has 
> multiple implementations. If you forward mail, you will break SPF unless you 
> fix the envelope sender so that it uses a domain  that permits the 
> example.org server to send for it.
> 
> OR, you could instead deliver to a POP mailbox locally and have users fetch 
> from there instead of simply forwarding mail to them. This also avoids a 
> completely distinct problem of places like GMail deciding that your org's 
> mail server is a spamming service because it is forwarding spam. If users POP 
> their mail instead of having it forwarded via SMTP, that does not happen.
> 
> 
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> 
> 
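
The A -> B -> C case described above, as an added example that is not part of the original message: a small evaluator for the ip4/ip6/all subset of SPF, run against constructed records (no DNS), showing what the final receiver sees for a direct delivery, a forward under "-all", a forward under "~all", and a forward whose envelope sender was rewritten to the forwarder's own domain. The *.example domains, the addresses and the IP ranges are assumptions made up for the illustration.

```python
import ipaddress

# Constructed SPF TXT values; no DNS lookups are made. The *.example domains
# and the 192.0.2.0/24 and 198.51.100.0/24 ranges are documentation-only.
SPF_RECORDS = {
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "example.org": "v=spf1 ip4:198.51.100.25 -all",   # the forwarding server
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FORWARDER_IP = "198.51.100.25"   # assumed address of mail.example.org


def check_spf(client_ip, envelope_sender):
    """Evaluate the ip4/ip6/all mechanisms for the MAIL FROM domain."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def forwarding_outcomes():
    """SPF result seen by the final receiver (C) in each delivery scenario."""
    return {
        "A direct to C": check_spf("192.0.2.10", "member@hardfail.example"),
        "via B, -all": check_spf(FORWARDER_IP, "member@hardfail.example"),
        "via B, ~all": check_spf(FORWARDER_IP, "member@softfail.example"),
        "via B, sender rewritten": check_spf(FORWARDER_IP, "bounce@example.org"),
    }


if __name__ == "__main__":
    for scenario, result in forwarding_outcomes().items():
        print(f"{scenario:26} {result}")
```

With "~all" the forwarded message gets softfail rather than pass; only the rewritten envelope sender produces a pass for the forwarding host.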


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Bill Cole

On 2024-01-03 at 14:17:11 UTC-0500 (Wed, 3 Jan 2024 13:17:11 -0600)
Thomas Cameron via users 
is rumored to have said:

> The rub is, I want all emails to presid...@example.org to be forwarded 
> to presidents_real_addr...@gmail.com. Since the forward happens at 
> mail.example.org, the "from" is from some other domain from 
> example.org, so it fails all the tests.


Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it 
has multiple implementations. If you forward mail, you will break SPF 
unless you fix the envelope sender so that it uses a domain  that 
permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have users 
fetch from there instead of simply forwarding mail to them. This also 
avoids a completely distinct problem of places like GMail deciding that 
your org's mail server is a spamming service because it is forwarding 
spam. If users POP their mail instead of having it forwarded via SMTP, 
that does not happen.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron via users

On 1/2/24 17:51, Andy Smith wrote:

> Hi Thomas,
>
> On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:
>> I built email servers for a non-profit I volunteer for. If email comes into
>> the server for presid...@myassociation.org, I would normally just create an
>> alias in /etc/aliases so that emails to president@ get forwarded to the
>> president's "real" email address, say presidents_real_em...@gmail.com.
>
> This causes your server to pass on email without changing envelope
> sender, so your server is purporting to be whoever the email is
> originally from. Any email authentication measure working on the
> envelope sender, such as SPF, will then fail, as your server is
> indistinguishable from a random host forging the original sender's
> domain.


Yup, that's exactly what's happening. Email from an association member 
may come in from u...@otherdomain.com and when it gets forwarded to 
GMail, they reject it because the mail server isn't otherdomain.com's 
email server. I get *why* it's failing, I was just hoping someone had a 
better idea.



>> How can I make this work? Is there a good way to use something like
>> /etc/aliases to forward emails to the domain I manage to another recipient?
>> Or is there something better I can do?
>
> You need to give up on /etc/aliases for external routing of email
> unless you control all the original sender domains and can for
> example add your server IPs to its authentication mechanisms (e.g.
> SPF).
>
> Since you probably can't do that for any recipient domain that
> expects to receive Internet email, you need to either:
>
> - Implement Sender Rewriting Scheme (SRS) so that your server takes
>   responsibility for forwarded emails with its own envelope sender.
>   https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme


This is excellent, I was not aware of it. I'm digging into it now. I was 
playing around with using a procmail recipe to munch the "from" address, 
but SRS looks like a MUCH better plan. Thank you so much!



> Or:
>
> - Have your users collect their your-org email by some means other
>   than SMTP, such as running an IMAP server and having them view
>   both their gmail mailbox and their your-org inbox in one place (I
>   have no idea if that is feasible with gmail).


This is what *I* would do, for sure. But the members of the association 
are incredibly non-technical, and trying to walk them through setting up 
an email client like Thunderbird or Outlook is a recipe for disaster. I 
really like the SRS idea, I'm digging into that now.



> Thanks,
> Andy



Thanks a bunch!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron via users

On 1/3/24 01:21, Jared Hall wrote:

> On 1/2/2024 5:24 PM, Thomas Cameron via users wrote:
>> The problem is, when I send email to presid...@myassociation.org, 
>> gmail rejects the forwarded email because it appears to come from my 
>> personal domain, not the mythical myassociation.org domain. DKIM, 
>> DMARC, and SPF all fail, which I totally understand.
>>
>> How can I make this work? Is there a good way to use something like 
>> /etc/aliases to forward emails to the domain I manage to another 
>> recipient? Or is there something better I can do?
>
> You will probably find that forwarding Emails to most systems, including 
> MSN/Live/Hotmail/Outlook and Yahoo/AOL works OK (for now).  But if you 
> want Vacation/Out-Of-Office/Autoresponders to work to Gmail addresses, 
> you MUST run DKIM on your managed domain.  Even valid SPF alone will NOT 
> do.


I actually set up SPF, DMARC, and DKIM on the non-profit's email server. 
It works fine if I send email from the server.


The rub is, I want all emails to presid...@example.org to be forwarded 
to presidents_real_addr...@gmail.com. Since the forward happens at 
mail.example.org, the "from" is from some other domain from example.org, 
so it fails all the tests.


> Implementing DKIM w/ DMARC is a good, if not the best, practice. 
> Considering present trends, SPF/DKIM/DMARC Auth-neutral will become the 
> new "bad".


Oh, I firmly agree with you. I have all three services configured, and I 
wouldn't deploy a mail server without them. This is just an odd corner 
case where the easiest thing to do is just redirect emails to the 
non-profit's president's real email address.


Instead of using /etc/aliases, I'm playing around with a procmail recipe 
to munge the "from." We'll see if it works.


>> I apologize this isn't strictly SA related, I am just hoping someone 
>> can give me advice or provide a link to follow on how to make this work.
>
> package: opendkim + access to your managed domain's DNS records.


I agree, and that's already done.

Thanks, sir!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Jared Hall via users

On 1/2/2024 5:24 PM, Thomas Cameron via users wrote:


> The problem is, when I send email to presid...@myassociation.org, 
> gmail rejects the forwarded email because it appears to come from my 
> personal domain, not the mythical myassociation.org domain. DKIM, 
> DMARC, and SPF all fail, which I totally understand.
>
> How can I make this work? Is there a good way to use something like 
> /etc/aliases to forward emails to the domain I manage to another 
> recipient? Or is there something better I can do?




You will probably find that forwarding Emails to most systems, including 
MSN/Live/Hotmail/Outlook and Yahoo/AOL works OK (for now).  But if you 
want Vacation/Out-Of-Office/Autoresponders to work to Gmail addresses, 
you MUST run DKIM on your managed domain.  Even valid SPF alone will NOT 
do.


Implementing DKIM w/ DMARC is a good, if not the best, practice. 
Considering present trends, SPF/DKIM/DMARC Auth-neutral will become the 
new "bad".


> I apologize this isn't strictly SA related, I am just hoping someone 
> can give me advice or provide a link to follow on how to make this work.


package: opendkim + access to your managed domain's DNS records.


$0.02,

-- Jared Hall




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Greg Troxel
"Thomas Cameron via users"  writes:

> I built email servers for a non-profit I volunteer for. If email comes
> into the server for presid...@myassociation.org, I would normally just
> create an alias in /etc/aliases so that emails to president@ get
> forwarded to the president's "real" email address, say
> presidents_real_em...@gmail.com.
>
> The problem is, when I send email to presid...@myassociation.org,
> gmail rejects the forwarded email because it appears to come from my
> personal domain, not the mythical myassociation.org domain. DKIM,
> DMARC, and SPF all fail, which I totally understand.

Why does DKIM fail?  You said there is an /etc/aliases alias, but you
did not say that you modified the message.  Basically you should never
modify messages.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another
> recipient? Or is there something better I can do?

I think the advice to set up IMAP and submission is wise.  I realize
this may be a small non-profit, but company mail belongs on company
servers, and personal mail on personal servers.  With IMAP and
submission, your president can have their outgoing email be
presid...@myassociation.org, DKIM signed, with an SPF record, and even
DMARC.  If someone writes and gets a reply from a random gmail account,
that is at best confusing.
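
The point made in both of Greg Troxel's replies (an unmodified forward keeps the sender's DKIM result), as an added example that is not part of the original messages: it computes the DKIM body hash (the bh= tag) with the simple and relaxed body canonicalizations of RFC 6376 and compares three forwarded variants of one constructed body. It covers the body hash only; the message text and the footer line are made up for the illustration.

```python
import base64, hashlib, re

# Constructed message body, as the original sender signed it.
ORIGINAL = b"Dear president,\r\n\r\nThe meeting is on Tuesday.\r\n"


def canon_body(body, mode="relaxed"):
    """Body canonicalization from RFC 6376 section 3.4 ("simple" or "relaxed")."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # collapse runs of space/tab to one space, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="relaxed"):
    """Value of the bh= tag (SHA-256, base64) for the given body."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def survives(forwarded, mode="relaxed"):
    """True if the sender's bh= still matches the body after forwarding."""
    return body_hash(forwarded, mode) == body_hash(ORIGINAL, mode)


UNTOUCHED = ORIGINAL                                   # plain alias forward
REWRAPPED = b"Dear president,  \r\n\r\nThe meeting is\ton Tuesday.\r\n\r\n"
FOOTER = ORIGINAL + b"-- \r\nForwarded by mail.example.org\r\n"

if __name__ == "__main__":
    for name, body in [("untouched", UNTOUCHED),
                       ("whitespace changed", REWRAPPED),
                       ("footer appended", FOOTER)]:
        print(f"{name:20} relaxed={survives(body)} "
              f"simple={survives(body, 'simple')}")
```

The header side of the signature behaves the same way: From: is always among the signed header fields, so rewriting it on the forwarding host invalidates the original signature as well.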


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Andy Smith
Hi Thomas,

On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:
> I built email servers for a non-profit I volunteer for. If email comes into
> the server for presid...@myassociation.org, I would normally just create an
> alias in /etc/aliases so that emails to president@ get forwarded to the
> president's "real" email address, say presidents_real_em...@gmail.com.

This causes your server to pass on email without changing envelope
sender, so your server is purporting to be whoever the email is
originally from. Any email authentication measure working on the
envelope sender, such as SPF, will then fail, as your server is
indistinguishable from a random host forging the original sender's
domain.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another recipient?
> Or is there something better I can do?

You need to give up on /etc/aliases for external routing of email
unless you control all the original sender domains and can for
example add your server IPs to its authentication mechanisms (e.g.
SPF).

Since you probably can't do that for any recipient domain that
expects to receive Internet email, you need to either:

- Implement Sender Rewriting Scheme (SRS) so that your server takes
  responsibility for forwarded emails with its own envelope sender.
  https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Or:

- Have your users collect their your-org email by some means other
  than SMTP, such as running an IMAP server and having them view
  both their gmail mailbox and their your-org inbox in one place (I
  have no idea if that is feasible with gmail).

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Thomas Cameron via users

Howdy, all -

This is not strictly SpamAssassin related, but y'all probably know where 
to point me to make this work.


I built email servers for a non-profit I volunteer for. If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain. DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?


I apologize this isn't strictly SA related, I am just hoping someone can 
give me advice or provide a link to follow on how to make this work.


Thanks,
Thomas