Dear all, we have a lot of customers that use the "Send copy to" function on their mailbox (for example on [email protected] -> Send copy to [email protected]). But when the email is sent from ISPConfig to the destination email, it obviously breaks SPF/DKIM because the sending server changes, and the From of the mail (which is usually external) does not allow our server as a sending server. Have any of you already managed to solve that problem? Is Sender Rewriting Scheme a thing in ISPConfig these days? Or is it actually better to disable the "Send copy to" function for now? Ty
It's not a thing in the ISPConfig panel but I've written 2 tutorials about it to implement it in your ISPConfig server. https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-1.89827/ https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-2.89828/
Thank you, I had already seen this tutorial. But because our stack is pretty medium-to-large (20 slave nodes, ~500K mail/month), I would like to keep it as close to the ISPConfig default configuration as possible. So without your modification/workaround at this time, it is not possible to use mail forward/send copy to directly from ISPConfig, because of the above-mentioned problems with SPF/DKIM? Ty
Using send copy without SRS to an external email address like Gmail will not work. Internally, it should be fine. I will have to see how to integrate SRS into the default setup.
You need to carefully modify the config files in a way that they are not overwritten on the first upgrade, like any other template modification of ISPConfig.
If it broke functionality I would have mentioned it in the tutorials (and probably wouldn't have made the tutorials).
So then it shouldn't be that complicated to integrate it into ISPConfig by default, I guess. I wish I had more time on my hands right now - maybe in a few months if nobody else has already worked on it in the meantime.
It should be fairly easy I reckon, though programming things like forms into ISPC is definitely not my field of expertise. You'll need a form to set the SRS domain among maybe other things, and the software needs to install postsrsd and create a 2nd postfix instance. Also one of the postfix hooks into SQL needs to be altered. PS. During a recent install of a new mailserver node I discovered the tutorials are a little bit out of date. Also they're based on Ubuntu as OS. No clue if and how it would differ on other distros, like Debian.
does anything actually need to change? i know ages ago, i ended up installing postSRSd to get this sort of thing working properly.. wasn't completely happy with it, since it wanted to rewrite everything to use a single domain for every outgoing email.. so people requesting lots of crap that then gets forwarded could then ruin my own domain's reputation. when i migrated everything to hetzner, i clean installed new servers and didn't bother with postSRSd. everything looks like it's getting ARC signed, so it should preserve the dkim chain so that can still be validated. yes, when forwarding, the forwarding server ip becomes the 'sender', causing spf to fail, but ARC signing allows forwarding servers to sign the original authentication results, potentially overriding the SPF failure.
Well ARC doesn't "overturn" the SPF failure when forwarding. The receiving server has to trust the ARC signer and be configured to honor the result. So when skipping SRS and relying only on ARC, SPF failures will still happen for receivers that don't honor ARC and there are still a lot of them.
"potentially" is the correct word. If I'm not mistaken, rspamd is using ARC signing. But when forwarding messages to Google or Microsoft, for example, they still suffer from SPF failures without SRS, causing emails to end up in the spam folder or not being received at all.
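To illustrate the rewriting the thread is discussing, here is an added example (not from any poster, and not postsrsd's code) of how an SRS0 envelope sender is built and later reversed for bounces, so the receiver checks SPF against the forwarder's own domain. It follows the commonly documented SRS0 layout in simplified form and is not byte-compatible with postsrsd; the secret, the 21-day window and the `sender.example` / `fwd.example` names are assumptions.

```python
import base64, hashlib, hmac, time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"  # assumption: per-server secret, never published
MAX_AGE_DAYS = 21                    # assumption: how long bounces stay routable

def _stamp(now):
    """Two base32 chars encoding the day number modulo 1024."""
    days = int(now // 86400) % 1024
    return B32[days >> 5] + B32[days & 31]

def _tag(stamp, domain, local):
    """Short HMAC so outsiders cannot mint valid SRS addresses (open-relay abuse)."""
    msg = (stamp + domain + local).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_forward(sender, fwd_domain, now=None):
    """Rewrite the envelope sender so SPF is evaluated against fwd_domain."""
    now = time.time() if now is None else now
    local, _, domain = sender.rpartition("@")
    stamp = _stamp(now)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{fwd_domain}"

def srs_reverse(address, now=None):
    """Recover the original sender for a bounce, or raise ValueError."""
    now = time.time() if now is None else now
    local_part = address.rpartition("@")[0]
    if not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    # maxsplit=3 keeps any '=' that belongs to the original local part
    tag, stamp, domain, local = local_part[5:].split("=", 3)
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        raise ValueError("hash mismatch: address was not issued by this server")
    then = (B32.index(stamp[0].upper()) << 5) | B32.index(stamp[1].upper())
    if (int(now // 86400) - then) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{local}@{domain}"

if __name__ == "__main__":
    # Constructed addresses: sender.example's SPF record does not list the forwarder.
    rewritten = srs_forward("alice@sender.example", "fwd.example")
    print(rewritten)               # envelope sender now in fwd.example
    print(srs_reverse(rewritten))  # bounce is routed back to the original sender
```

Only the envelope sender changes; the header From is left alone, which is why the single-domain reputation concern raised above applies to the forwarder's SRS domain.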