We send e-mail on behalf of our customers, via our own SMTP services. It's always been a problem for us because usually our "spoofing" of their source address results in the mails being caught in spam traps. This hasn't been a problem in the past due to the small volume and low importance of these mails that we sent. However this requirement has recently changed and we need to fix this issue.

We realise that fundamentally our application is sending e-mail incorrectly, as per this post: Send email on behalf of clients

However, we would like to resolve the problem at the SMTP server level. We have deployed a server running Postfix.

Is it possible to have Postfix automatically adjust the mail headers so that we get this "Sent on behalf of" behaviour? I figure it should just be a case of Postfix noticing that the FROM address is spoofed (i.e. a domain that is not mentioned in its config anywhere) and therefore injecting/replacing the appropriate headers to get the desired effect.

Thanks.

nbevans

1 Answer

You won't be spoofing anything if you set up that Postfix instance properly.

Since you are sending mails with the approval of the customer, and both you and they want it done properly, I see no reason why you couldn't set it up to be as valid and legit as it could be.

  • Ensure your mail server's IP is the same as its reverse DNS.
  • Publish an SPF record for your domains, and for customer domains, that will state your mail server is a legit source of mails.
  • Disable relaying, and for parties connecting from the internet require authentication for sending mail.
  • Consider using DKIM to sign mails, as many large mail operators like Yahoo and Gmail check if mails are signed.

Once it's all configured properly, mails will be as legit as they can be and there won't be any spoofing involved.

Hrvoje Špoljar
  • Unfortunately our customers are not very technically minded. So asking them to modify their DNS SPF records is likely to make them glaze over. – nbevans Feb 20 '11 at 13:44
  • You make the SPF record and tell them: add this line to your DNS zone if you want it done properly; or set up transport tables so mails are relayed from your Postfix to some mail server that is legitimate to send mails from their domains. – Hrvoje Špoljar Feb 20 '11 at 13:51
  • So the SPF record is the key to all this then? Add that, and 95% of our problems go away? I didn't realise to be honest that SPF had such wide adoption. – nbevans Feb 20 '11 at 14:02
  • Well, none of those things will ensure you don't get listed as SPAM, but they will improve your looks. SPF and DKIM are checks that are done by big mail providers, as I said, and by many others. On top of that there are some standard things to be configured so your mail server 'introduces' itself properly to others while communicating, and last but not least the body of the mail, which plays a big role in whether mail will be tagged as spam or not. – Hrvoje Špoljar Feb 20 '11 at 14:25
  • OK so how do I do that? Get the mail server to introduce itself properly to others? – nbevans Feb 20 '11 at 15:15
  • `myhostname` = what the server resolves to, and reverse DNS set to the same thing; enable `smtp_tls_*`; for SPF and DKIM there are wizards that will simplify generating the keys you need to add to DNS... it's really, from scratch, a few hours' work tops if you need to google around for details. – Hrvoje Špoljar Feb 20 '11 at 15:25
  • I still believe what I outlined in the original question is the key issue here. If we can get Postfix to structure the headers (`Sender`, `Return-Path`, `From`, etc) so that we aren't actually appearing as an attempted spoof in the first place then the problem goes away. I get the impression that the SPF / DKIM stuff are just "nice to haves". The DNS setup is a-okay, both the MX and PTR records. – nbevans Feb 20 '11 at 15:50
  • Postfix is an MTA; Postfix does not set the Sender, Return-Path and From fields, your mail client that generates the mails does that. – Hrvoje Špoljar Feb 20 '11 at 16:28
  • Fair enough. That's all I needed to know really. Looks like we need to modify our application's behaviour to output these additional headers. – nbevans Feb 20 '11 at 17:26
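
The thread ends on the application having to emit the `From`, `Sender` and envelope sender itself. The following is an added example, not code from either poster, showing one way to do that and to check the result before handing the mail to Postfix. The domain `mailer.example.net`, the addresses, the function names and the `Reply-To` header are assumptions made for illustration.

```python
import smtplib
from email.headerregistry import Address
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

SERVICE_DOMAIN = "mailer.example.net"  # assumption: the sending service's own domain

def build_on_behalf(cust_name, cust_addr, rcpt, subject, body, service_domain=SERVICE_DOMAIN):
    """Return (envelope_from, msg) for one mail sent on a customer's behalf."""
    for value in (cust_name, cust_addr, rcpt, subject):
        if "\r" in value or "\n" in value:  # refuse header injection via user-supplied fields
            raise ValueError("line break in header value")
    user, _, domain = cust_addr.rpartition("@")
    if not user or not domain:
        raise ValueError("customer address must be user@domain")
    msg = EmailMessage()
    msg["From"] = Address(cust_name, user, domain)  # author shown to the recipient
    # Sender names the agent that actually submitted the mail (RFC 5322, 3.6.2)
    msg["Sender"] = Address("Example Mailer", "notifications", service_domain)
    msg["Reply-To"] = Address(cust_name, user, domain)  # replies go to the customer
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg["Date"] = formatdate()
    msg["Message-ID"] = make_msgid(domain=service_domain)
    msg.set_content(body)
    # Envelope sender (SMTP MAIL FROM): SPF is checked against this domain and the
    # receiving server records it as Return-Path, so it stays on our own domain.
    return f"bounces@{service_domain}", msg

def audit(envelope_from, msg, service_domain=SERVICE_DOMAIN):
    """List reasons the message would still look like a spoof."""
    problems = []
    if envelope_from.rpartition("@")[2].lower() != service_domain:
        problems.append("envelope sender is outside our domain; our SPF record does not cover it")
    from_domain = msg["From"].addresses[0].domain.lower()
    if from_domain != service_domain and msg["Sender"] is None:
        problems.append("From is a customer domain but no Sender header names us")
    return problems

def submit(envelope_from, msg, relay="localhost"):  # relay: the local Postfix instance
    with smtplib.SMTP(relay) as smtp:
        # Pass from_addr explicitly so the envelope does not default to a header value
        smtp.send_message(msg, from_addr=envelope_from)

if __name__ == "__main__":
    env, m = build_on_behalf("Acme Ltd", "billing@customer.example",  # constructed sample
                             "alice@example.org", "Invoice 42", "Invoice attached.")
    print(env, audit(env, m), m, sep="\n")
```

With the envelope sender on the service's own domain, the SPF record that matters is the service's, which it can publish itself.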