I manage a site that has a number of mail forwarding addresses. They use it as a simple way to distribute information to various groups of people. Problem: Some mail servers reject the forwarded email. This happens when the forwarder receives a DKIM signed email and forwards it out. I understand SRS will correct this issue (the people are quite non-technical. Mailman would mean it would be quite possible that none of those using these Mailman will readily grasp the change). Running Postfix under Debian Wheezy installed following: The Perfect Server - Debian Wheezy (Apache2, BIND, Dovecot, ISPConfig 3).
Have located a possible solution, however my technical knowledge of postfix is too limited to evalulate the security effects of this solution. Should anyone with knowledge in this area also be interested in SRS and review it, any comments on your thoughts would be most welcome. SRS article: https://www.mind-it.info/forward-postfix-spf-srs/ GitHub link: https://github.com/roehling/postsrsd
I used this tutorial for a while then ran into unrelated problems and turned it off while debugging. I am also wondering if there are any drawbacks to using SRS according to that tutorial.
I'm looking at this on debian jessie and not sure it's completely right yet, but if you have jessie-backports, it seems to be something along the lines of: Code: # apt-get install postsrsd # sed -i "s/^SRS_DOMAIN=.*/SRS_DOMAIN=`hostname -f`/" /etc/default/postsrsd # service postsrsd stop # service postsrsd start # postconf -e "sender_canonical_maps = tcp:localhost:10001" # postconf -e "sender_canonical_classes = envelope_sender" # postconf -e "recipient_canonical_maps = tcp:localhost:10002" # postconf -e "recipient_canonical_classes= envelope_recipient,header_recipient" # postfix reload Note that this sets the server's hostname as the outgoing 'domain' to which sender addresses are rewritten - make sure there is an MX record for that hostname, or replies will fail. I have this disabled right at the moment till I can do a bit more testing, particularly in mailbox Cc: addrs (which appear to use sieve redirect rather than a postfix-level forward). But that's a start to play with, and seems to have some initial functionality working in initial tests.
This thread was linked within the bug report 2551 on git.ispconfig.org . I wonder if there is any progress or recent exprience with this setup over the last two years.
I've been running with the above config for some time, with pretty good results, though at this point I don't know how thorough my testing was. Issue 2551 mentions that the "outgoing bcc" fails (and includes a fix which I've not tried), which I probably did not test and possibly don't use anywhere. I just tested delivery to a mailbox which has a Cc: handled by sieve, and it worked fine - the envelope sender of the forwarded message was the rewritten srs address, so passes SPF checks.
Thank you for the howto, I've set up SRS with it and it works. I can confirm that the ISPConfig "Send outgoing BCC to" won't work anymore with PostSRSd but the fix you mentionned works: https://blog.dob.sk/2019/06/07/fixing-postfix-sender_bcc_maps-not-working-with-postsrsd/ The only problem after setting all this up is that PostSRSd now rewrites all emails so I looked at Postforward: https://github.com/zoni/postforward But I was not able to make it work with ISPConfig, do you have any solution? Thank you,
Anyone has solution for this in 2023 ? (i cant make "Send copy to" work, due to SPF troubles , so need SRS to be implemented, but cant find clear solution )
There is postsrsd which added expirimental milter support in the latest version. You may want to have a look there and try it. No one here will give you a step by step guide on how to set it up, because the expirience with this is limited. Try it on a testsystem, see if it works for you.
FYI: There now is a shell script that does the setup for postsrsd in https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2551