Hello,

Some of our users are using forwarding to get a copy of their emails in a third-party mailbox (gmail, yahoo, …). That's why I have implemented the Sender Rewriting Scheme to be SPF compliant in that case. But the solution I have is actually only half working, and I have a problem when the final destination rejects the mail. That's why I'm asking for help here.
Actual state (inbound/outbound are on separate servers):

On the outbound relay, envelope senders are rewritten using canonical maps and a custom script. The script takes care to rewrite only if the originating domain has a strict SPF policy, and rewrites the envelope with the dedicated subdomain forward.ourdomain.com:

    ## main.cf
    sender_canonical_maps = tcp:127.0.0.1:10005
    sender_canonical_classes = envelope_sender

    ## master.cf
    127.0.0.1:10005 inet n n n - 0 spawn
        user=bypass-srs argv=/usr/local/bin/bypass-srsd --srs-secret-key=file:///etc/postfix/bypass-srsd.key --fwd-domain=forward.ourdomain.com

For example, an email sent from us...@gmail.com to us...@ourdomain.com is rewritten to SRS0=xxxxxx=gmail.com=us...@forward.ourdomain.com to be SPF compliant.

The problem is when the destination third-party MX answers REJECT. Then a bounce comes to the inbound MX of forward.ourdomain.com, and the goal is to inform the original sender us...@gmail.com that its email was not delivered.

On this inbound MX server, postfix is configured to decode the SRS address. The configuration looks like this:

    ## main.cf
    recipient_canonical_maps = tcp:127.0.0.1:10006
    recipient_canonical_classes = envelope_recipient, header_recipient
    # /etc/postfix/relay_domains.cf contains our domains
    relay_domains = hash:/etc/postfix/relay_domains.cf, forward.ourdomain.com
    # /etc/postfix/relay_recipient_maps.cf contains all valid mailboxes
    # tcp:127.0.0.1:10006 returns the decoded SRS email. If the SRS envelope is forged then the bad guy will get a REJECT
    # the same key used by the outbound relay to encode SRS, i.e. /etc/postfix/bypass-srsd.key, is also present on this inbound gateway.
    relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps.cf, tcp:127.0.0.1:10006

    ## master.cf
    127.0.0.1:10006 inet n n n - 0 spawn
        user=bypass-srs argv=/usr/local/bin/bypass-srsd --reverse --srs-secret-key=file:///etc/postfix/bypass-srsd.key --fwd-domain=forward.numeezy.com

Postfix actually accepts only valid SRS-encoded emails in addition to the usual user mailboxes. That's fine!
At that point, the bounce goes to my default_transport, which is an anti-spam appliance. And this appliance rejects the email (relay access denied) because the destination is not one of our domains (it's the original sender's domain).

Now, my goal is to send this bounce back to the original sender, and I want to avoid being an open relay / backscatter source. I was thinking about a rule like this: when mail is sent from <> and the destination matches tcp:127.0.0.1:10006, then relay through my outbound relay. I know the big problem is that we first accept the mail, then it is rejected. What is your advice to handle this scenario?

Alexandre
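To illustrate the SRS0 round trip and the "forged SRS envelope gets a REJECT" behaviour described in the post, here is an added example of both tcp_table lookups in Python; it is not the poster's bypass-srsd, whose code is not shown. It assumes the standard SRS0 layout with a timestamp field, HMAC-SHA1 truncated to four base64 characters, a 21-day validity window, and a constructed secret and forwarding domain.

```python
import base64, hashlib, hmac, time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
MAX_AGE_DAYS = 21                           # validity window, our choice for this example

def srs_timestamp(day):
    """Two base32 chars encoding (days since epoch) mod 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def srs_hash(secret, ts, domain, local):
    """First 4 base64 chars of HMAC-SHA1 over the case-folded timestamp, domain and local part."""
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(secret, sender, fwd_domain, day):
    """Outbound side: local@orig becomes SRS0=HHHH=TT=orig=local@fwd_domain."""
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{fwd_domain}"

def srs_reverse(secret, address, fwd_domain, day):
    """Inbound side: decode an SRS0 bounce recipient, or return None so Postfix rejects it."""
    local, _, domain = address.rpartition("@")
    parts = local.split("=", 4)
    if domain.lower() != fwd_domain.lower() or parts[0] != "SRS0" or len(parts) != 5:
        return None
    _, h, ts, orig_domain, orig_local = parts
    # A wrong hash means someone forged the bounce target: refusing it here is what
    # keeps the gateway from becoming a backscatter relay.
    expected = srs_hash(secret, ts, orig_domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    if len(ts) != 2 or ts[0] not in B32 or ts[1] not in B32:
        return None
    age = (day - (B32.index(ts[0]) << 5 | B32.index(ts[1]))) % 1024
    if age > MAX_AGE_DAYS:   # bounce arriving long after the forward: also refused
        return None
    return f"{orig_local}@{orig_domain}"

def tcp_table_reply(request, secret, fwd_domain, reverse, day=None):
    """Answer one Postfix tcp_table request line ("get <key>") with a 200/400/500 reply.
    Postfix may %XX-encode special characters in the key; plain addresses pass unchanged."""
    day = int(time.time()) // 86400 if day is None else day
    verb, _, key = request.strip().partition(" ")
    if verb != "get" or not key:
        return "400 bad request"
    result = (srs_reverse if reverse else srs_forward)(secret, key, fwd_domain, day)
    return f"200 {result}" if result else "500 not found"
```

A "500 not found" reply from the reverse lookup is what makes relay_recipient_maps reject a forged or stale SRS bounce at RCPT TO time, before the message is accepted.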