> Try setting
>
> /etc/postfix/main.cf:
>     internal_mail_filter_classes = bounce
>
> (this assumes that you have configured "non_smtpd_milters" to invoke
> the DKIM signer).
>
>> It also appears to come from a sub-domain, the HELO name, and not just
>> the SLD (in this particular case) which causes it to fail SPF as well
>
> The sender domain is configured with myorigin, you need to change
> that if you want the domain instead.

Hi Wietse,

That works in one case but not another. If I attempt to send from a domain whose DMARC policies do not allow sending from this server, the sender will now receive the NDR in the inbox as it (the NDR) meets the SPF/DKIM tests:

==========================================================================
Jul 31 10:43:26 eserver postfix/pickup[20439]: F02ED403E25: uid=0 from=<us...@example.net>
Jul 31 10:43:26 eserver postfix/cleanup[20674]: F02ED403E25: message-id=<20180731144326.f02ed403...@smtp.office.example.com>
Jul 31 10:43:27 eserver postfix/qmgr[20440]: F02ED403E25: from=<us...@example.net>, size=465, nrcpt=1 (queue active)
Jul 31 10:43:27 eserver postfix/smtp[20676]: F02ED403E25: to=<us...@example.com>, relay=ASPMX.L.GOOGLE.com[74.125.202.27]:25, delay=0.59, delays=0.07/0.01/0.25/0.27, dsn=5.7.1, status=bounced (host ASPMX.L.GOOGLE.com[74.125.202.27] said: 550-5.7.1 Unauthenticated email from example.net is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example.net domain if this was a legitimate mail. Please visit 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. x23-v6si1859094ita.142 - gsmtp (in reply to end of DATA command))
Jul 31 10:43:27 eserver postfix/cleanup[20674]: 8A897403E24: message-id=<20180731144327.8a897403...@smtp.office.example.com>
Jul 31 10:43:27 eserver postfix/bounce[20677]: F02ED403E25: sender non-delivery notification: 8A897403E24
Jul 31 10:43:27 eserver postfix/qmgr[20440]: 8A897403E24: from=<>, size=3329, nrcpt=1 (queue active)
Jul 31 10:43:27 eserver postfix/qmgr[20440]: F02ED403E25: removed
Jul 31 10:43:30 eserver postfix/smtp[20676]: 8A897403E24: to=<us...@example.net>, relay=mail.example.org[185.70.40.101]:25, delay=2.6, delays=0.03/0/1/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AD72C92)
Jul 31 10:43:30 eserver postfix/qmgr[20440]: 8A897403E24: removed
============================================================================

However, if I send from a valid user account to an address that causes a bounce (non-existent in this case), the NDR gets rejected by the sender's email service:

============================================================================
Jul 31 10:17:45 eserver postfix/pickup[19900]: 511AE403E25: uid=0 from=<us...@example.com>
Jul 31 10:17:45 eserver postfix/cleanup[19977]: 511AE403E25: message-id=<20180731141745.511ae403...@smtp.office.example.com>
Jul 31 10:17:45 eserver postfix/qmgr[19901]: 511AE403E25: from=<us...@example.com>, size=523, nrcpt=1 (queue active)
Jul 31 10:17:46 eserver postfix/smtp[19978]: 511AE403E25: to=<pi...@example.net>, relay=mail.example.org[185.70.40.101]:25, delay=1.3, delays=0.05/0/1/0.17, dsn=5.7.1, status=bounced (host mail.example.org[185.70.40.101] said: 554 5.7.1 <pi...@example.net>: Recipient address rejected: this address does not exist (in reply to RCPT TO command))
Jul 31 10:17:46 eserver postfix/cleanup[19977]: 88382403E24: message-id=<20180731141746.88382403...@smtp.office.example.com>
Jul 31 10:17:46 eserver postfix/bounce[19981]: 511AE403E25: sender non-delivery notification: 88382403E24
Jul 31 10:17:46 eserver postfix/qmgr[19901]: 88382403E24: from=<>, size=3359, nrcpt=1 (queue active)
Jul 31 10:17:46 eserver postfix/qmgr[19901]: 511AE403E25: removed
Jul 31 10:17:47 eserver postfix/smtp[19978]: 88382403E24: to=<us...@example.com>, relay=ASPMX.L.GOOGLE.com[74.125.202.27]:25, delay=0.47, delays=0.02/0/0.23/0.22, dsn=5.7.1, status=bounced (host ASPMX.L.GOOGLE.com[74.125.202.27] said: 550-5.7.1 Unauthenticated email from example.com is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example.com domain if this was a legitimate mail. Please visit 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. o20-v6si10401393iod.272 - gsmtp (in reply to end of DATA command))
Jul 31 10:17:47 eserver postfix/qmgr[19901]: 88382403E24: removed
============================================================================

Of course the names have been changed to protect the guilty :-)

I don't see why the NDR in the second case should fail DMARC, when it passes in the first case.

Chris
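
Added example, not part of the original thread: one way to pair each bounced message with the NDR Postfix generated for it and see whether that NDR was itself rejected with a DMARC error, as in the two log excerpts above. The sample log lines, queue IDs, addresses, hosts and the `trace_ndrs` helper are constructed for illustration.

```python
import re

# Constructed sample lines in the same Postfix syslog format as the logs above
# (queue IDs, addresses and hosts are made up for this example).
SAMPLE_LOG = """\
Jul 31 10:17:45 mx postfix/qmgr[101]: AAAA000001: from=<alice@example.com>, size=523, nrcpt=1 (queue active)
Jul 31 10:17:46 mx postfix/smtp[102]: AAAA000001: to=<nobody@example.net>, relay=mail.example.org[192.0.2.10]:25, delay=1.3, dsn=5.7.1, status=bounced (host mail.example.org[192.0.2.10] said: 554 5.7.1 Recipient address rejected (in reply to RCPT TO command))
Jul 31 10:17:46 mx postfix/bounce[103]: AAAA000001: sender non-delivery notification: BBBB000002
Jul 31 10:17:46 mx postfix/qmgr[101]: BBBB000002: from=<>, size=3359, nrcpt=1 (queue active)
Jul 31 10:17:47 mx postfix/smtp[102]: BBBB000002: to=<alice@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.47, dsn=5.7.1, status=bounced (host mx.example.com[192.0.2.20] said: 550-5.7.1 Unauthenticated email from example.com is not accepted due to 550-5.7.1 domain's DMARC policy. (in reply to end of DATA command))
Jul 31 10:43:27 mx postfix/smtp[102]: CCCC000003: to=<bob@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.59, dsn=5.7.1, status=bounced (host mx.example.com[192.0.2.20] said: 550-5.7.1 Unauthenticated email from example.net is not accepted due to 550-5.7.1 domain's DMARC policy. (in reply to end of DATA command))
Jul 31 10:43:27 mx postfix/bounce[103]: CCCC000003: sender non-delivery notification: DDDD000004
Jul 31 10:43:27 mx postfix/qmgr[101]: DDDD000004: from=<>, size=3329, nrcpt=1 (queue active)
Jul 31 10:43:30 mx postfix/smtp[102]: DDDD000004: to=<carol@example.net>, relay=mail.example.org[192.0.2.10]:25, delay=2.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EEEE05)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
NDR = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
DELIVERY = re.compile(r"to=<([^>]*)>.*?dsn=([\d.]+), status=(\w+) \((.*)\)$")

def trace_ndrs(log_text):
    """Return one record per NDR: original queue ID, NDR queue ID, and the NDR's fate."""
    ndr_parent = {}   # NDR queue ID -> queue ID of the message that bounced
    deliveries = {}   # queue ID -> (recipient, dsn, status, remote reply)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "bounce" and (n := NDR.search(rest)):
            ndr_parent[n.group(1)] = qid
        elif daemon == "smtp" and (d := DELIVERY.search(rest)):
            deliveries[qid] = d.groups()
    report = []
    for ndr_qid, orig_qid in ndr_parent.items():
        rcpt, dsn, status, reply = deliveries.get(ndr_qid, ("?", "?", "unknown", ""))
        report.append({
            "original": orig_qid, "ndr": ndr_qid, "ndr_rcpt": rcpt,
            "ndr_status": status, "ndr_dsn": dsn,
            # True when the NDR itself was refused on DMARC grounds
            "dmarc_reject": status == "bounced" and "DMARC" in reply,
        })
    return report

if __name__ == "__main__":
    for rec in trace_ndrs(SAMPLE_LOG):
        print(rec)
```

Run over a real mail log, a record with `dmarc_reject` set to true marks an NDR (envelope sender `<>`) that the original sender's provider refused, which is the second case described above.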