Thanks for the reply, Benny. Just to better explain my problem: assume all domains in the example (d1.com, d2.com and d3.com) have SPF records set up to pass.

I have a virtual_alias set up like this: "u...@d2.com ====> u...@d3.com".

When I send email from u...@d1.com to u...@d2.com, it passes SPF with this message:

"Received-SPF: pass (d1.com: IP of d1.com is authorized to use 'u...@d1.com'; envelope-from="u...@d1.com";"

(I have reduced/edited the message for brevity.)

Now, when I send email from u...@d1.com to u...@d3.com, it doesn't recognize SPF, with this message:

"Received-SPF: neutral (d3.com:IP of d2.com is neither permitted nor denied by domain of u...@d1.com) client-ip=IP of d2.com;"

The problem is, d3.com is checking for d1.com's SPF record, as d1.com is the envelope-sender after virtual alias forwarding. Because the message is forwarded through d2.com, it's looking at d2.com's IP address. As a result, it's trying to look for d1.com's SPF record for the wrong IP, doesn't recognize the valid SPF record, and fails to "neutral" status.

I believe if I could add the envelope-sender as u...@d2.com, then the IP and domain would match.

While I was reading the Postfix manual, I read about canonical(5), which can re-write envelope-from. I didn't get how it does that. Can anyone help in understanding how canonical_classes can re-write 'envelope-from' without changing the actual message?

I have virtual hosted domains and want more than one domain supporting this.

Thanks for taking the time to read and understand my problem.

-Priyanka

On Sun, Aug 23, 2009 at 4:31 AM, Benny Pedersen <m...@junc.org> wrote:

> On Sat 22 Aug 2009 12:57:27 AM CEST, Priyanka Tyagi wrote
>
>> I have set up SPF record for 'mydomain.com' and passes SPF, in case
>> email originates from my postfix server. But SPF verification fails while it
>> forwards email using virtual aliases.
>
> why forward emails at all ?
>
> anyway 2 ways to solve it:
>
> 1: whitelist your mail server ip in the final recipient mta so spf there is
> ignored for being forged
>
> 2: add your ip to the spf record, so final recipient sees you as a valid
> forwarder
>
> remember to do this for all forwarded sender envelope domains
>
> my point is that it's simpler to not forward
>
> --
> xpoint
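
Added example, not part of the original post: a minimal SPF evaluation in Python (only the `ip4` and `all` mechanisms) showing why the result goes from pass to neutral after the alias forward, and why an envelope sender in d2.com passes again. The SPF records, IP addresses and the `user@` local part are constructed assumptions, since the thread does not show the real ones.

```python
import ipaddress

# Constructed SPF records and addresses (documentation ranges); the real
# records of d1.com, d2.com and d3.com are not shown in the thread.
SPF_RECORDS = {
    "d1.com": "v=spf1 ip4:192.0.2.10 ?all",
    "d2.com": "v=spf1 ip4:198.51.100.20 ?all",
}
D1_IP, D2_IP = "192.0.2.10", "198.51.100.20"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from):
    """Evaluate ip4 and all mechanisms for the envelope sender's domain."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            network = ipaddress.ip_network(mechanism[4:], strict=False)
            if ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result is neutral


def hops():
    return {
        # d1 -> d2: d2.com sees d1's IP with the envelope sender at d1.com
        "direct": check_spf(D1_IP, "user@d1.com"),
        # d2 -> d3 after alias expansion: d2's IP, envelope sender still d1.com
        "forwarded": check_spf(D2_IP, "user@d1.com"),
        # d2 -> d3 with the envelope sender rewritten into d2.com
        "rewritten": check_spf(D2_IP, "user@d2.com"),
    }


if __name__ == "__main__":
    for name, result in hops().items():
        print(f"{name:10s} Received-SPF: {result}")
```

The receiving server only ever compares the connecting IP with the record of the domain in the envelope sender, which is why the message headers play no part in the result.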