1

I have recently started to look after a mail system where users can host their email with a web mail front end. One of the features provided is a function to set up forwarding.

The problem I am facing, and which people before me have faced, is that when users forward mail to another mailbox, such as their own gmail address, Google sees the email as coming from an unauthorized IP address.

I understand that this is due to the sender domain have set up SPF records with a "-all" flag, and my IP address clearly does not belong there.

Gmail, and other providers, as far as I understand it, then cannot tell the difference between an actual forwarded message, and a spoofed spam message, and then subsequently greylists the address of my server.

I cannot help but think someone else must have solved this before.

The forwarding is done using exim, so what I am looking for is a guide, or even just the right keywords to use to search for, for an answer to this issue.

VagrantPaladin
  • 15
  • 4
  • If the problem is SPF, the only way to fix that is to update that SPF in the sender domain. There is no other way. SPF is designed exactly for such relaying to be impossible. It doesn't matter which software does forwarding and the problem certainly couldn't be solved by its configuration. Although, you can think of *masquerading* the mail, so forwarder will use "envelope from" address from *another* domain during SMTP session, this way you can still forward mail. The "From", "Reply-To" headers could be left as they were. Think also about DKIM. – Nikita Kipriyanov Oct 05 '21 at 07:22
  • The SPF belongs to the original senders, and obviously there is no way for every possible sending domain to add my IP to their SPF records. I fear that changing the envelope From header will cause gmail to blacklist my IP. I believe DKIM also needs to be done at the original sender's side, unless there is a way for me to add DKIM or some such verification. – VagrantPaladin Oct 05 '21 at 10:39
  • I meant you can't change From and Reply-To headers in the original mail, because those are likely to be protected by DKIM signature; but envelope from address you can change, and that is the addres which gets checked against SPF. So, when you relay mail to Google, you can use "synthetic" envelope address from your domain for which SPF will check, but don't change contents of the message for DKIM to verify. It is possible to configure Postfix to do so, it is called "address masquerading", but I don't know about Exim. – Nikita Kipriyanov Oct 05 '21 at 10:50
  • @NikitaKipriyanov- please make an answer to this so that I can accept it. – VagrantPaladin Jun 10 '22 at 05:16

1 Answers1

0

Someone else has indeed solved this before, and "there is no way other than updating SPF in the sender domain" is not true.

The answer is SRS, Sender Rewriting Scheme: http://www.open-spf.org/SRS/ and https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme .

If you have control over the mail server that is doing the forwarding, then in principle, you could implement SRS. (See exim4 configuration with SRS daemon )

Unfortunately, looking at things the other way round, Google does not itself implement SRS when it is set to forward, so your email server would reject an email from a strict SPF sender which is forwarded to you via GMail or Google Workspace. In that case, you could make an exception for mails with the X-Gm-Original-To header, but that then undermines the intention of SPF: if this were routinely done, then a forger would just add that header.

user1247280
  • 146
  • 1
  • 3