what is the recommended method for mailforwarding in ispconfig now?

i used to have a system on 3.1 with postfix, using amavisd, and postsrsd which worked.. now everything's been re-installed on 3.2 using the auto-installer with postfix and rspamd, and up until now mailforwards have been working fine with no change to the default setup..

now one of our customers, with a mailforward to a gmail account is getting a message from a pitchup with: and postfix logs are showing:

Code:
Jun 10 07:00:47 mail-01 postfix/smtp[2007371]: 3EF2E7E053: to=<******@gmail.com>, orig_to=<****@********.co.uk>, relay=gmail-smtp-in.l.google.com[108.177.15.26]:25, delay=3.4, delays=1.4/0.04/0.42/1.5, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[108.177.15.26] said: 550-5.7.26 The MAIL FROM domain [em1.pitchup.com] has an SPF record with a hard 550-5.7.26 fail policy (-all) but it fails to pass SPF checks with the ip: 550-5.7.26 [13.41.246.91]. To best protect our users from spam and phishing, 550-5.7.26 the message has been blocked. For instructions on setting up 550-5.7.26 authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-35f158a2ad5si2702844f8f.457 - gsmtp (in reply to end of DATA command))

obviously, it's trying to send the email onto gmail, from our own mailserver (13.41.246.91) still using the original domain/host em1.pitchup.com and failing on spf checks.

should rspamd be handling the SRS, should it be using ARC, or should i still be using postSRSd? and has anyone got any guide on how to fix this? i can't find the guide i used to configure postSRSd before, and i can't find anything useful about configuring ARC or SRS in rspamd.
my recommended method for this is: do not do mailforwarding. Recommend mail fetching on receiver side. Though this would include sharing the password, though outlook users share their passwords with microsoft anyways. Create a pickup account for "forwarded" mails if one has concerns about the password getting "lost".

Otherwise yes, DMARC/DKIM/SPF is a must, ARC for forwarding as well.

https://jichu4n.com/posts/setting-up-dkim-and-srs-in-postfix/
https://help.sendmarc.com/srs-sender-rewriting-scheme

Code:
SRS addresses are not compatible with some email features or standards, such as DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), or ARC (Authenticated Received Chain). These features or standards rely on the sender address or the message headers to verify the authenticity or the delivery path of the message, and may not work well with the SRS address or the rewritten headers. This may cause the messages to fail the verification or the alignment checks, and be rejected or marked as spam by the recipient's mail servers.
What a weird take... Anyways you can set up ARC Sealing with rspamd, which should be enough in itself. As this is what Google advises: However setting up ARC is not simply done by enabling it. It comes with the same sort of headaches as DKIM. The project provides some good documentation.

Another "easy" option is to set up postSRSd as you've mentioned. There is no implementation of SRS in rspamd itself, although possible with some funky lua.
acting like a mail relay server can harm your personal life at some point
weird delays and stuck queues because a certain limit for provider x has been reached
inbox of the receiver is full or non-existent anymore thus harming your ip reputation by trying to deliver the spam mails one gets.
customers who manage to configure a mail loop... nah

mail forwarding is a more secure thing as you do not need to share the password but as you mentioned arc can be a pain to set up and recognized by providers, yup that's an issue as well or at least has been.

just my 2 cents

sure enough, if you get paid enough to _really_ manage your mails, one certainly can offer forwardings.
i would love to not do mailforwarding... it's a pain. but a lot of customers can barely get their head around mailforwarding... configuring gmail/hotmail etc to log in to a mailbox to retrieve mail is beyond them.. and with gmail's 2fa... logging into their gmail to configure it for them is even more of a pain than just doing mailforwarding.

the annoying thing with postsrsd is that everything ends up going out rewritten as coming from our own domain rather than the customer's.. so it's putting our own domain reputation at risk... not keen on that..

will have to look at ARC.. it all seems to be heading in that direction anyway.. is it all done in rspamd? or is there anything in ispconfig that needs to be changed/reconfigured?
Just a hint, you can reuse the dkim key as arc key. use the same selector for that sending domain and it should work. ISPConfig puts a dkim key in configured dns server

https://rspamd.com/doc/modules/arc.html

also, domain specific settings really mean: only needed if a domain has different settings than default
I guess ARC is the way to go, indeed. Maybe if you figure out the Rspamd setup, you could write it down and post it here? So we can integrate it into the default setup in future.

That's a good idea. Especially as it should make this setup work out of the box for users with external DNS that have set up DKIM already.
I have a standalone server for a single E-Mail domain. As i've had dkim signing already set up with rspamd the arc signing was easy:

Code:
$ cat local.d/arc.conf
path = "/var/lib/rspamd/dkim/$selector.key";
selector = "2024";
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;

$ cat local.d/dkim_signing.conf
path = "/var/lib/rspamd/dkim/$selector.key";
selector = "2024";
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;

arc.conf is just the same as dkim_signing.conf in that setup. I don't have ARC in ISPConfig but it should be possible
This should work for arc.conf:

Code:
try_fallback = false;
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
path_map = "/etc/rspamd/local.d/dkim_domains.map";
I always thought that arc is already implemented in ISPConfig. It seems to be signing mails with an arc signature. Or is the implementation in ISPConfig rather incomplete?
ISPConfig is not doing mail signing, it's just a control panel. Mails are signed by either Rspamd or Amavis.
hmm.. not changed anything yet... need to actually read up on ARC before i do that.. but looking at what's configured on an auto-installed ispconfig 3.2 server... ARC already seems to be trying to use the dkim keys...

/etc/rspamd/local.d/arc.conf:

Code:
sign_authenticated = false;
sign_inbound = true;
sign_local = false;
use_domain = "recipient";
try_fallback = false;
use_esld = false;
path_map = "/etc/rspamd/local.d/dkim_domains.map";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";

/etc/rspamd/local.d/dkim_domains.map is pointing to the dkim private keys...

Code:
..
***ville.com /var/lib/amavis/dkim/****ville.com.private
***anza.co.uk /var/lib/amavis/dkim/****anza.co.uk.private
***opoly.co.uk /var/lib/amavis/dkim/****opoly.co.uk.private
..

and /etc/rspamd/local.d/dkim_selectors.map is providing the dkim selector key...

Code:
..
***ville.com mail
***anza.co.uk default
****opoly.co.uk default
..

so it doesn't, to me, look like there's much else to configure.. unless some of these settings need changing...

sign_authenticated = false;
sign_inbound = true;
sign_local = false;
use_domain = "recipient";
use_esld = false;

no idea what esld is, but i'm pretty sure it's not 'end stage liver disease' which is all google seems to want to suggest..
https://rspamd.com/doc/lua/rspamd_url.html#m2698e should not be needed usually. wonder if there is an issue recognizing whether it really is from an authenticated user or not? same for sign_local as explained, I'm just guessing here as I simply do not allow mail_forwarding nor use it privately.
I've just tested the default ISPConfig implementation and it seems to work just fine. With a domain configured with DKIM i've created a mailforwarding to three external mail addresses (and different mailservers + gmail) and the ARC Seal is correctly specified in the headers. The rspamd on the other side even reports this with this ARC_ALLOW Symbol:

ARC_ALLOW(-1.00)[recated-due-to-privacy.com:s=default:i=1];

So the default setup seems to work for me as long as DKIM is enabled and working properly.
yeah, i can't see anything wrong with the configuration either.. but i just don't get why the original problem email is getting forwarded from our mailserver still using the original sender domain, and then gmail running the spf check for that domain against our mailserver. just seems odd.
Just set up a test forward and check the headers if ARC is correctly applied. Or enable the debug mode in rspamd for the ARC Module
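
A structural check for the ARC headers on a test forward, as an added example that is not part of the original posts or of ISPConfig/rspamd. It applies the RFC 8617 rules for ARC sets (instances numbered from 1, one header of each kind per instance, `cv=none` on the first seal and `cv=pass` after that) and does not verify any signature; the message and the names `parse_tags` and `arc_chain_report` are constructed for illustration.

```python
from email import message_from_string

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed message; domains, selector and signature values are placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1718000000; cv=none; d=customer.example; s=default;
 b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=customer.example;
 s=default; h=from:to:subject; bh=BBBB; b=CCCC
ARC-Authentication-Results: i=1; mail-01.example; spf=pass smtp.mailfrom=em.sender.example
From: sender@sender.example

body
"""

def parse_tags(value):
    """Split a 'tag=value; tag=value' header into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags.setdefault(key.strip(), "".join(val.split()))
    return tags

def arc_chain_report(raw_message):
    """Return the sealers found and any structural problems in the ARC chain."""
    msg = message_from_string(raw_message)
    sets, problems = {}, []          # sets: instance -> {header name: [tag dicts]}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            tags = parse_tags(value)
            if not tags.get("i", "").isdigit():
                problems.append(f"{name} without a numeric i= tag")
                continue
            sets.setdefault(int(tags["i"]), {}).setdefault(name, []).append(tags)
    instances = sorted(sets)
    if instances != list(range(1, len(instances) + 1)):
        problems.append(f"instance numbers not contiguous from 1: {instances}")
    for i in instances:
        for name in ARC_HEADERS:
            if len(sets[i].get(name, [])) != 1:
                problems.append(f"i={i}: expected exactly one {name}")
        for seal in sets[i].get("ARC-Seal", []):
            want = "none" if i == 1 else "pass"
            if seal.get("cv") != want:
                problems.append(f"i={i}: ARC-Seal has cv={seal.get('cv')}, expected {want}")
    sealers = [(i, s.get("d"), s.get("s")) for i in instances for s in sets[i].get("ARC-Seal", [])]
    return {"sealers": sealers, "problems": problems}
```

An empty `sealers` list means the forwarder added no ARC set at all; the `d=` and `s=` values it reports should match the domain and selector in the rspamd maps.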
did some test forwards yesterday.. all the arc was in the headers and all seemed fine.. although one sent from my gmail, to the mailforward, which forwarded it back to the gmail address i sent it from.. didn't re-appear.. no bounce.. ndr or anything.. don't know if it just went into a black hole.. or if gmail recognised it as a duplicate and just didn't show it separately.... i'll have to get another email address elsewhere to properly test the forwarding between 3 different accounts..

i don't really know anything about rspamd... just installed it as part of the auto-install and left it to do its thing.. so gotta read all about that not just arc....

by debug mode, i'm assuming you mean setting it in /etc/rspamd/logging.inc? and rather than setting it for everything, ie change 'level = "info"' to 'level = "debug";' the better option would be changing 'debug_modules = []' to 'debug_modules = [arc]' ?

that said... checking the mail logs for the problem again today... the same mailforward gmail rejected yesterday, seems to have gone through fine... so i'm more inclined to believe it was a problem (hopefully temporary or misconfiguration on one of the external systems).... unless one of you can see something in the mail logs that i'm not seeing...

Code:
Jun 9 13:28:40 mail-01 postfix/smtpd[1788193]: connect from o3.ptr3078.pitchup.com[149.72.223.165]
Jun 9 13:28:42 mail-01 postgrey[805]: action=pass, reason=triplet found, client_name=o3.ptr3078.pitchup.com, client_address=149.72.223.165/32, sender=bounces+165634-a5d6-info=*****[email protected], recipient=info@*****-shires.co.uk
Jun 9 13:28:42 mail-01 postfix/smtpd[1788193]: 325737E053: client=o3.ptr3078.pitchup.com[149.72.223.165]
Jun 9 13:28:42 mail-01 postfix/cleanup[1788206]: 325737E053: message-id=<171793611958.68.13587797314331176994@pitchupcom-celery-email-6ff6dc965-rwn26>
Jun 9 13:28:44 mail-01 postfix/qmgr[1614]: 325737E053: from=<bounces+165634-a5d6-info=*****[email protected]>, size=44553, nrcpt=2 (queue active)
Jun 9 13:28:44 mail-01 postfix/smtpd[1788193]: disconnect from o3.ptr3078.pitchup.com[149.72.223.165] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 9 13:28:45 mail-01 postfix/smtp[1788164]: 325737E053: to=<huw.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1b]:25, delay=3.3, delays=2.2/0.01/0.26/0.83, dsn=2.0.0, status=sent (250 2.0.0 OK 1717936125 5b1f17b1804b1-421580f54c4si58090505e9.31 - gsmtp)
Jun 9 13:28:45 mail-01 postfix/smtp[1788164]: 325737E053: to=<office.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1b]:25, delay=3.3, delays=2.2/0.01/0.26/0.83, dsn=2.0.0, status=sent (250 2.0.0 OK 1717936125 5b1f17b1804b1-421580f54c4si58090505e9.31 - gsmtp)
Jun 9 13:28:45 mail-01 postfix/qmgr[1614]: 325737E053: removed
Jun 10 07:00:43 mail-01 postfix/smtpd[2006728]: connect from xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10]
Jun 10 07:00:44 mail-01 postgrey[805]: action=pass, reason=triplet found, client_name=xvfrnchx.outbound-mail.sendgrid.net, client_address=168.245.44.10/32, sender=bounces+165634-a5d6-info=*****[email protected], recipient=info@*****-shires.co.uk
Jun 10 07:00:44 mail-01 postfix/smtpd[2006728]: 3EF2E7E053: client=xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10]
Jun 10 07:00:44 mail-01 postfix/cleanup[2006732]: 3EF2E7E053: message-id=<171799924267.58.15750963866164053840@pitchupcom-celery-email-6ff6dc965-rwn26>
Jun 10 07:00:45 mail-01 postfix/qmgr[1614]: 3EF2E7E053: from=<bounces+165634-a5d6-info=*****[email protected]>, size=26695, nrcpt=2 (queue active)
Jun 10 07:00:45 mail-01 postfix/smtpd[2006728]: disconnect from xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 10 07:00:47 mail-01 postfix/smtp[2007371]: 3EF2E7E053: to=<huw.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[108.177.15.26]:25, delay=3.4, delays=1.4/0.04/0.42/1.5, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[108.177.15.26] said: 550-5.7.26 The MAIL FROM domain [em1.pitchup.com] has an SPF record with a hard 550-5.7.26 fail policy (-all) but it fails to pass SPF checks with the ip: 550-5.7.26 [13.41.246.91]. To best protect our users from spam and phishing, 550-5.7.26 the message has been blocked. For instructions on setting up 550-5.7.26 authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-35f158a2ad5si2702844f8f.457 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:47 mail-01 postfix/smtp[2007371]: 3EF2E7E053: to=<office.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[108.177.15.26]:25, delay=3.4, delays=1.4/0.04/0.42/1.5, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[108.177.15.26] said: 550-5.7.26 The MAIL FROM domain [em1.pitchup.com] has an SPF record with a hard 550-5.7.26 fail policy (-all) but it fails to pass SPF checks with the ip: 550-5.7.26 [13.41.246.91]. To best protect our users from spam and phishing, 550-5.7.26 the message has been blocked. For instructions on setting up 550-5.7.26 authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-35f158a2ad5si2702844f8f.457 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:47 mail-01 postfix/cleanup[2006732]: 725BF7EEAF: message-id=<[email protected]>
Jun 10 07:00:47 mail-01 postfix/bounce[2007372]: 3EF2E7E053: sender non-delivery notification: 725BF7EEAF
Jun 10 07:00:47 mail-01 postfix/qmgr[1614]: 725BF7EEAF: from=<>, size=33930, nrcpt=1 (queue active)
Jun 10 07:00:47 mail-01 postfix/qmgr[1614]: 3EF2E7E053: removed
Jun 10 07:00:48 mail-01 postfix/smtp[2007371]: 725BF7EEAF: to=<bounces+165634-a5d6-info=*****[email protected]>, relay=mx.sendgrid.net[167.89.115.46]:25, delay=0.94, delays=0.01/0.01/0.6/0.31, dsn=2.0.0, status=sent (250 Ok: queued as rfdxbBGmTYeyeiz-na4AMg)
Jun 10 07:00:48 mail-01 postfix/qmgr[1614]: 725BF7EEAF: removed
Jun 11 10:07:48 mail-01 postfix/smtpd[2270193]: connect from xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10]
Jun 11 10:07:49 mail-01 postgrey[805]: action=pass, reason=triplet found, client_name=xvfrnchx.outbound-mail.sendgrid.net, client_address=168.245.44.10/32, sender=bounces+165634-a5d6-info=*****[email protected], recipient=info@*****-shires.co.uk
Jun 11 10:07:49 mail-01 postfix/smtpd[2270193]: 9ACA07E0CD: client=xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10]
Jun 11 10:07:49 mail-01 postfix/cleanup[2269909]: 9ACA07E0CD: message-id=<171809686843.68.7684071595817875558@pitchupcom-celery-email-5b6bb958dd-h9sgm>
Jun 11 10:07:50 mail-01 postfix/qmgr[1614]: 9ACA07E0CD: from=<bounces+165634-a5d6-info=*****[email protected]>, size=45376, nrcpt=2 (queue active)
Jun 11 10:07:50 mail-01 postfix/smtpd[2270193]: disconnect from xvfrnchx.outbound-mail.sendgrid.net[168.245.44.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 11 10:07:51 mail-01 postfix/smtp[2271205]: 9ACA07E0CD: to=<huw.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[74.125.206.27]:25, delay=1.7, delays=0.88/0.02/0.12/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1718096871 ffacd0b85a97d-35f1c277a04si3606375f8f.730 - gsmtp)
Jun 11 10:07:51 mail-01 postfix/smtp[2271205]: 9ACA07E0CD: to=<office.*****@gmail.com>, orig_to=<info@*****-shires.co.uk>, relay=gmail-smtp-in.l.google.com[74.125.206.27]:25, delay=1.7, delays=0.88/0.02/0.12/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1718096871 ffacd0b85a97d-35f1c277a04si3606375f8f.730 - gsmtp)
Jun 11 10:07:51 mail-01 postfix/qmgr[1614]: 9ACA07E0CD: removed
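
A way to pull this pattern out of a full mail log, as an added example that is not part of the original posts: it pairs each queue ID's envelope sender (qmgr `from=`) with its outbound deliveries and reports those where Postfix logged an `orig_to` (the recipient was rewritten by a forward or alias) and the remote side bounced with a 5.7.x policy DSN. The log lines, queue IDs and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; hosts, addresses and IPs are placeholders.
SAMPLE_LOG = """\
Jun 10 07:00:45 mx postfix/qmgr[100]: AAAA000001: from=<bounces+1@em.sender.example>, size=26695, nrcpt=1 (queue active)
Jun 10 07:00:47 mx postfix/smtp[101]: AAAA000001: to=<a@gmail.example>, orig_to=<info@customer.example>, relay=mx.gmail.example[192.0.2.10]:25, delay=3.4, dsn=5.7.26, status=bounced (host mx.gmail.example[192.0.2.10] said: 550-5.7.26 SPF hard fail)
Jun 11 10:07:50 mx postfix/qmgr[100]: AAAA000002: from=<bounces+2@em.sender.example>, size=45376, nrcpt=1 (queue active)
Jun 11 10:07:51 mx postfix/smtp[102]: AAAA000002: to=<a@gmail.example>, orig_to=<info@customer.example>, relay=mx.gmail.example[192.0.2.11]:25, delay=1.7, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 12 09:00:00 mx postfix/qmgr[100]: AAAA000003: from=<user@customer.example>, size=900, nrcpt=1 (queue active)
Jun 12 09:00:01 mx postfix/smtp[103]: AAAA000003: to=<gone@other.example>, relay=mx.other.example[192.0.2.30]:25, delay=0.5, dsn=5.1.1, status=bounced (host mx.other.example[192.0.2.30] said: 550 5.1.1 no such user)
"""

ENTRY = re.compile(r"postfix/(qmgr|smtp)\[\d+\]: ([0-9A-Za-z]+): (.*)")
SENDER = re.compile(r"from=<([^>]*)>")
DELIVERY = re.compile(
    r"to=<([^>]*)>, (?:orig_to=<([^>]*)>, )?.*?dsn=(\d\.\d+\.\d+), status=(\w+)")

def forwarded_policy_bounces(log_text):
    """Return forwarded deliveries that bounced with a 5.7.x (security/policy) DSN."""
    sender_of, hits = {}, []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "qmgr":
            s = SENDER.match(rest)
            if s:                      # "removed" lines carry no from=
                sender_of[qid] = s.group(1)
            continue
        d = DELIVERY.match(rest)
        if not d:
            continue
        to, orig_to, dsn, status = d.groups()
        # orig_to appears when the recipient address was rewritten (alias or forward).
        forwarded = bool(orig_to) and orig_to.lower() != to.lower()
        if forwarded and status == "bounced" and dsn.startswith("5.7."):
            domain = sender_of.get(qid, "").rpartition("@")[2]
            hits.append((qid, domain, orig_to, to, dsn))
    return hits

def summarize(hits):
    """Count policy bounces per (envelope sender domain, forwarding address)."""
    return Counter((domain, orig_to) for _, domain, orig_to, _, _ in hits)

if __name__ == "__main__":
    for key, n in summarize(forwarded_policy_bounces(SAMPLE_LOG)).items():
        print(n, *key)
```

Run over the real log, the summary shows which forwards and which sender domains are affected, and whether the rejections are a one-off or recurring.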
When that's the case i wouldn't check anything else. No need to debug rspamd if ARC signing is working.