The 'Email Forward' apparently works fine, as can be seen in the log activity. The blank sender option is enabled in the SMTP relay but doesn't work. What is the alternative?

Code:

    2024-08-05T20:17:13.988537+00:00 server postfix/smtp[2126947]: 88FA920244: to=<[email protected]>, relay=mail.smtp2go.com[172.105.254.10]:587, delay=3.4, delays=0.01/0/3.1/0.34, dsn=5.0.0, status=bounced (host mail.smtp2go.com[172.105.254.10] said: 550 to send email from a blank sender, enable blank senders (in reply to RCPT TO command))

What does blank sender mean? Could the sender be an ISPConfig website's domain name in the Email Forward?

main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = no
    # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
    # fresh installs.
    compatibility_level = 3.6
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_security_level = may
    smtp_tls_CApath=/etc/ssl/certs
    smtp_tls_security_level = dane
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = server.websol.biz
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = server.websol.biz, localhost, localhost.localdomain
    relayhost = [hidden]
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
    smtpd_reject_unlisted_sender = no
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining , permit
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_client_message_rate_limit = 100
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = [hidden]
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = no
    sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
    smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous, noplaintext
    smtp_sasl_tls_security_options = noanonymous
    authorized_flush_users =
    authorized_mailq_users = nagios, icinga
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    address_verify_sender_ttl = 15686s
    smtp_dns_support_level = dnssec
    smtputf8_enable = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_milters = inet:localhost:11332
    non_smtpd_milters = inet:localhost:11332
    milter_protocol = 6
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_default_action = accept
    message_size_limit = 0
    in_flow_delay = ${stress?{3}:{1}}s
    smtp_connect_timeout = ${stress?{10}:{30}}s
    smtp_helo_timeout = ${stress?{10}:{60}}s
    smtp_mail_timeout = ${stress?{10}:{60}}s
    smtpd_error_sleep_time = ${stress?{1}:{2}}s
    smtpd_hard_error_limit = ${stress?{1}:{10}}
    smtpd_recipient_overshoot_limit = ${stress?{60}:{600}}
    smtpd_soft_error_limit = ${stress?{2}:{5}}
    smtpd_timeout = ${stress?{10}:{60}}s
The error message you refer to is not from your server; it's from smtp2go.com. So this is neither about your main.cf file nor about ISPConfig. You seem to try sending with a blank sender and smtp2go.com refuses to accept the email due to that. You might want to contact the support from smtp2go.com and ask them if they provide an option to allow that. Or better, deploy your server at a provider that allows you to run an email system, then you do not need workarounds like smtp2go.com at all.
@till No, the issue is that ISPConfig 3 is using the Destination Email as From ([email protected]) instead of my-ispconfig-website.com (verified domain name). It should be From: [email protected] To: [email protected] Body: Email Body. I also tried "Allow target to send mail using this address as origin (if target is internal)".
First, it's not ISPConfig that is forwarding your email; it is Postfix. Postfix does this exactly as a forward should be made. And no, Postfix is not exchanging from and to address in an email. My guess is you created this email yourself somehow, so you should check your code and set proper addresses.
I haven't touched the default code of Postfix yet. This is what I am trying to do, but smtp2go shows that you are sending an email from [email protected] instead of [email protected].
An email forward does not alter the sender's address, you should have read post #4 where I mentioned that already. So what you did was this: You have sent an email from Gmail address [email protected] to [email protected] to test the forwarder. So the sender address was [email protected], a forwarder does not alter the sender address of course, so the email gets forwarded with from address [email protected]. What you want is not a forwarder; you want your system to impersonalize the email, which means you want the content of an email to be sent to your own address and not the email to be forwarded. To send incoming email content (which includes spam and will get you banned) with your own address instead of the correct original sender address, you can not use a forwarder. Instead, create a mailbox and use the forwarding function of the mailbox instead.
Yes! Most people require that their incoming email also reaches their personal email as a copy. In this case, what options are reliable to use?
None today, especially not when forwarding to providers like Gmail. Otherwise, they will ban you sooner or later, especially when you start to impersonalize emails, which means you also become a spam sender when your system receives spam mail that does not get filtered out. And you will likely not receive all emails anyway, as Gmail might filter some of them out. Instead, create a mailbox and connect your mail client to it, or use an email fetch software, I'm not sure if Gmail has that; ISPConfig has this under the fetchmail menu. Forwarding makes only sense within the same server, everything else will just get you banned today. You might try using Postsrs, but I won't recommend it.
Yes, and I really do not want to be among the spammers. It is too typical to get out of it; otherwise, it takes a lot of time. Thanks! That's now cleared. Believe it or not, but your opinions really matter to me.
@till Is it something to worry about that mail.domain.com doesn't seem to be using SSL? Should mail.regionaltimes.com show a verified SSL? https://ssl-tools.net/mailservers/regionaltimes.com It shows hostname mismatched.
Correct. No, as you are querying the wrong name. So there is no issue with the server setup, it's an issue of using the test tool wrong by querying it for a wrong name. Your server's SSL cert is for the system hostname server.websol.biz; it is not and shall not be issued for any subdomain of an email domain like the one you previously queried for. Correct, this guide is not for current systems plus your SSL cert is already correctly issued and valid for the system hostname.
Got it! I'm querying mail.client-domains.com that won't catch it up with hostname: server.websol.biz.
Can you let me know why I see arkenterprises.pk, one of the domain names of my customer/client, when trying to wrongly check SSL for mail.regionaltimes.com?

    admin@Waqass-MacBook-Pro ~ % echo | openssl s_client -connect regionaltimes.com:443 -servername mail.regionaltimes.com | openssl x509 -text -noout
    Connecting to 49.13.195.202
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
    verify return:1
    depth=1 C=US, O=Let's Encrypt, CN=R10
    verify return:1
    depth=0 CN=arkenterprises.pk
    verify return:1
    DONE
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 04:92:1c:3d:01:99:f6:dc:7c:e8:67:b2:c4:92:88:fc:64:c8
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=R10
            Validity
                Not Before: Jul 26 15:53:19 2024 GMT
                Not After : Oct 24 15:53:18 2024 GMT
            Subject: CN=arkenterprises.pk
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Authority Information Access:
                    OCSP - URI:http://r10.o.lencr.org
                    CA Issuers - URI:http://r10.i.lencr.org/
                X509v3 Subject Alternative Name:
                    DNS:arkenterprises.pk, DNS:www.arkenterprises.pk
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1

What did I do, actually?
Because you connected to that exact website with your test. You should consider stopping to run such tests until you fully know how they work and why they must return which result. If you want to test a website, enter its URL in a web browser, if you used https and it shows no SSL error, then you are good to go. What you did there is that you let the openssl command query the SSL cert of the first domain it can find on that server, which is arkenterprises.pk in your case. To understand this, you must know how a web server like Apache or nginx works, if it does not find a better matching result for a given query, it will return the first vhost in alphabetical order that it finds on the same IP address. Search the forum for default vhost if you want to know more about how Apache and Nginx work.
I have the same problem, @till , and I suspect what you mean is "create a mailbox and use the send copy to function of that mailbox to send the content of the email to your gmail account". Do I understand you correctly?
Are you sure you have the same problem? The user who started this thread had no problem, as it turned out in the end; he just made a mistake with his tests and mixed up from and to address. So, there was neither an issue nor something was wrong with the forwarding.
Well spotted. Indeed, it is not the same problem. To reduce confusion, I'll search for, and/or start, a different thread for my issue.
In most cases, forwarding an email modifies its headers, which can trigger Gmail's suspicion. The alterations might include changes in the "From" or "Reply-To" fields, making it harder for Gmail to verify the email's legitimacy. A few SMTP relays offer blank senders, but that usually doesn't work as expected. Most will be undelivered. This is especially common if the forwarding server is known to be used by spammers.
Yes, DKIM signatures can become invalid and you will also have issues with SPF records as the original SPF record will likely not permit your server to send emails for the domain of the sender address. What you can try though if you require forwarding is to use sender rewriting scheme (SRS) with postsrsd. You can find an install script for ISPConfig here: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2551
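
The sender rewriting mentioned in this thread, sketched as an added example (not postsrsd's code and not wire-compatible with it): the forwarder replaces the envelope sender with an SRS0 address in its own domain so SPF is checked against the forwarder, leaves the blank (null) sender used by bounces untouched, and can reverse the address when a bounce comes back. `SECRET`, `FORWARDER_DOMAIN`, the base32 hash tag and the 21-day validity are assumptions made for the illustration.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"     # assumption: a real rewriter keeps its own secret
FORWARDER_DOMAIN = "forwarder.example"  # assumption: placeholder for the forwarding server
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(now):
    """Two base32 characters encoding the day number modulo 1024."""
    days = int(now // 86400) % 1024
    return B32[days >> 5] + B32[days & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding the timestamp to the original address."""
    msg = f"{stamp}{domain.lower()}{local}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(digest).decode()[:4]

def srs_forward(envelope_from, now=None):
    """Rewrite the envelope sender (MAIL FROM) of a message being forwarded."""
    if envelope_from == "":
        return ""                       # null sender <> (bounces/DSNs) is never rewritten
    local, _, domain = envelope_from.rpartition("@")
    if domain.lower() == FORWARDER_DOMAIN:
        return envelope_from            # already in our own domain
    stamp = _stamp(time.time() if now is None else now)
    tag = _tag(stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{FORWARDER_DOMAIN}"

def srs_reverse(rcpt, now=None, max_age_days=21):
    """Recover the original sender from a bounce addressed to an SRS0 address."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    parts = local[5:].split("=", 3)     # the original local part may itself contain '='
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    tag, stamp, orig_domain, orig_local = parts
    if not hmac.compare_digest(tag, _tag(stamp, orig_domain, orig_local)):
        raise ValueError("bad hash: address was not issued by this forwarder")
    today = int((time.time() if now is None else now) // 86400) % 1024
    issued = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (today - issued) % 1024 > max_age_days:
        raise ValueError("expired SRS0 address")
    return f"{orig_local}@{orig_domain}"
```

The visible From: header and any DKIM signature are not touched by this rewrite; only the envelope sender changes.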