
I am setting up a mail server on my VPS and in order to prevent spam and being marked as spam I have enabled SPF, DKIM and DMARC. However, I do not want to host my own mailbox, so I forward the incoming mail to external mail accounts, e.g. Gmail. The problem with forwarding is that it breaks the SPF check. This can be fixed by using SRS, which rewrites the sender's address to match the mail server's.

When sending mail, I have configured Gmail to send the mail through my mail server. In that case SPF, DKIM and DMARC will pass, but only if SRS is disabled, otherwise SRS will cause the sending address domain to no longer match with the FROM header domain, which is a requirement for DMARC to pass.

So my question is, how can I enable SRS when forwarding, but prevent it from being enabled when sending?

Here is some more context. The mail server is running Ubuntu 12.04 LTS and is using the following software:

  • Postfix 2.9.6
  • OpenDKIM 2.6.8
  • OpenDMARC 1.3.1
  • PostSRSD (latest master from GitHub)

As I understood it, there are mail clients out there that require the PTR, MX, EHLO, and mail banner to refer to the same domain. And because I use my VPS for more than just a mail server I have chosen to set these to the hostname of my VPS, let's say vps.tld.

To enable PostSRSD you have to add the following lines to /etc/postfix/main.cf:

sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient, header_recipient

But that would enable SRS in the general case, not only when forwarding. It seems that this is a common use case of a mail server, so I hope there is a solution for this.

EDIT:

Here is the output of postconf -n as requested:

alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
milter_default_action = accept
mydestination = vps.tld, localhost
mydomain = vps.tld
myhostname = vps.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = $smtpd_milters
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_delimiter = +
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:127.0.0.1:10001
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
virtual_alias_domains = domain1.tld domain2.tld domain3.tld
virtual_alias_maps = hash:/etc/postfix/virtual
Matthijs Steen

2 Answers


A solution to my problem is to have the SRS_EXCLUDE_DOMAINS setting of PostSRSD contain all the domains from which I send mail. I already tried this before, even before posting this question, but after having defined this setting PostSRSD would not start anymore, so I hoped there was a different solution. Apparently PostSRSD has a bug regarding this setting, because the comment above it clearly states that the domains can be separated using spaces: "Separate multiple domains by space or comma." But doing so will make it fail to start. Replacing the spaces with commas fixes this.

I leave this question unresolved, because I am very interested in other solutions.

Matthijs Steen

Instead of (or in addition to) SRS_EXCLUDE_DOMAINS you can dynamically exclude domains if you go this way:

sender_canonical_maps = mysql:/etc/postfix/no-srs.cf,tcp:127.0.0.1:10001
recipient_canonical_maps = mysql:/etc/postfix/no-srs.cf, tcp:127.0.0.1:10002

I found this very useful information with more details and examples here: https://github.com/roehling/postsrsd/issues/42#issuecomment-149690471

Mike Fiedler

I will try that. But note that in the discussion the user called `roehling` says that the MySQL configuration in `recipient_canonical_maps` can be omitted «since it will only reverse-rewrite addresses which have been rewritten previously. Therefore, anything that would match with the MySQL query would be left unchanged anyway.» – Valerio Bozzolan Sep 05 '22 at 20:04
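The following is an added example, not code from this thread, from Postfix or from PostSRSD. It models in Python what both answers and the last comment describe: Postfix searches the tables listed in `sender_canonical_maps` in order and stops at the first one that returns a result, so a lookup table that hands back our own sending domains unchanged (the `mysql:/etc/postfix/no-srs.cf` table of the second answer, or equivalently the `SRS_EXCLUDE_DOMAINS` list of the first) shields them from the SRS rewrite, while outside senders whose mail we forward still get wrapped. It also shows why the exclusion is redundant on the recipient side: the reverse lookup only touches addresses that already carry the `SRS0=` prefix for the forwarding host. The secret, the `SRS0=hash=timestamp=domain=local` layout with a fixed timestamp, the 4-character hash and the domain names are constructed, simplified assumptions for the demonstration, not PostSRSD's exact encoding.

```python
import base64
import hashlib
import hmac

# Constructed values for the demonstration (assumptions, not from the thread).
FORWARDER = "vps.tld"                       # the host that forwards mail (myhostname)
SECRET = b"constructed-demo-secret"         # stands in for the PostSRSD secret
EXCLUDE_DOMAINS = {"domain1.tld", "domain2.tld", "domain3.tld"}  # domains we send from


def srs_hash(timestamp, domain, local):
    """Short keyed hash so only the forwarder can mint or accept SRS0 addresses."""
    msg = f"{timestamp}{domain}{local}".lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()   # 4 chars, simplified from real SRS


def srs_forward(addr, timestamp="TT"):
    """Forward rewrite, as done by the tcp:127.0.0.1:10001 table.
    Returns None (no result) for the forwarder's own domain or an already wrapped address."""
    local, domain = addr.rsplit("@", 1)
    if domain == FORWARDER or local.startswith("SRS0="):
        return None
    h = srs_hash(timestamp, domain, local)
    return f"SRS0={h}={timestamp}={domain}={local}@{FORWARDER}"


def srs_reverse(addr):
    """Reverse rewrite, as done by the tcp:127.0.0.1:10002 table.
    Only SRS0 addresses at the forwarder are touched; anything else is 'not found'."""
    local, domain = addr.rsplit("@", 1)
    if domain != FORWARDER or not local.startswith("SRS0="):
        return None
    _, h, ts, orig_domain, orig_local = local.split("=", 4)
    if not hmac.compare_digest(h, srs_hash(ts, orig_domain, orig_local)):
        raise ValueError("SRS hash mismatch: forged or expired bounce address")
    return f"{orig_local}@{orig_domain}"


def exclude_table(addr):
    """Models the mysql:/etc/postfix/no-srs.cf lookup: our own sending domains
    are returned unchanged (a match), everything else is 'not found'."""
    domain = addr.rsplit("@", 1)[1]
    return addr if domain in EXCLUDE_DOMAINS else None


def lookup_chain(addr, tables):
    """Postfix canonical-map semantics: search tables in order, first result wins;
    if no table matches, the address is left as it is."""
    for table in tables:
        result = table(addr)
        if result is not None:
            return result
    return addr


def sender_canonical(addr):
    # sender_canonical_maps = mysql:/etc/postfix/no-srs.cf, tcp:127.0.0.1:10001
    return lookup_chain(addr, [exclude_table, srs_forward])


def recipient_canonical(addr):
    # recipient_canonical_maps = tcp:127.0.0.1:10002 (exclusion table omitted)
    return lookup_chain(addr, [srs_reverse])


def recipient_canonical_with_exclude(addr):
    # Same with the exclusion table in front, to show it changes nothing.
    return lookup_chain(addr, [exclude_table, srs_reverse])


if __name__ == "__main__":
    # Mail sent from Gmail through our server: own domain, SRS must not fire.
    print(sender_canonical("alice@domain1.tld"))
    # Mail from an outside sender that we forward on: SRS wraps the envelope sender.
    wrapped = sender_canonical("bob@example.org")
    print(wrapped)
    # A bounce coming back to the SRS0 address is unwrapped to the original sender.
    print(recipient_canonical(wrapped))
```

Running the block prints the own-domain address unchanged, an `SRS0=...@vps.tld` envelope sender for the forwarded message, and `bob@example.org` once the bounce address is reversed; the test below additionally checks that putting the exclusion table in front of the reverse lookup yields the same result for every sample address, which is the point made in the last comment.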