Sonic:
> > Try setting
> >
> > /etc/postfix/main.cf:
> >     internal_mail_filter_classes = bounce
> >
> > (this assumes that you have configured "non_smtpd_milters" to invoke
> > the DKIM signer).
> >
> >> It also appears to come from a sub-domain, the HELO name, and not just
> >> the SLD (in this particular case) which causes it to fail SPF as well
> >
> > The sender domain is configured with myorigin, you need to change
> > that if you want the domain instead.
>
> Hi Wietse,
>
> That works in one case but not another.
>
> If I attempt to send from a domain whose DMARC policies do not allow
> sending from this server, the sender will now receive the NDR in the
> inbox as it (the NDR) meets the SPF/DKIM tests:
> ==========================================================================
> Jul 31 10:43:26 eserver postfix/pickup[20439]: F02ED403E25: uid=0 from=<us...@example.net>
> Jul 31 10:43:26 eserver postfix/cleanup[20674]: F02ED403E25: message-id=<20180731144326.f02ed403...@smtp.office.example.com>
> Jul 31 10:43:27 eserver postfix/qmgr[20440]: F02ED403E25: from=<us...@example.net>, size=465, nrcpt=1 (queue active)
> Jul 31 10:43:27 eserver postfix/smtp[20676]: F02ED403E25: to=<us...@example.com>, relay=ASPMX.L.GOOGLE.com[74.125.202.27]:25, delay=0.59, delays=0.07/0.01/0.25/0.27, dsn=5.7.1, status=bounced (host ASPMX.L.GOOGLE.com[74.125.202.27] said: 550-5.7.1 Unauthenticated email from example.net is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example.net domain if this was a legitimate mail. Please visit 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. x23-v6si1859094ita.142 - gsmtp (in reply to end of DATA command))
> Jul 31 10:43:27 eserver postfix/cleanup[20674]: 8A897403E24: message-id=<20180731144327.8a897403...@smtp.office.example.com>
> Jul 31 10:43:27 eserver postfix/bounce[20677]: F02ED403E25: sender non-delivery notification: 8A897403E24
> Jul 31 10:43:27 eserver postfix/qmgr[20440]: 8A897403E24: from=<>, size=3329, nrcpt=1 (queue active)
> Jul 31 10:43:27 eserver postfix/qmgr[20440]: F02ED403E25: removed
> Jul 31 10:43:30 eserver postfix/smtp[20676]: 8A897403E24: to=<us...@example.net>, relay=mail.example.org[185.70.40.101]:25, delay=2.6, delays=0.03/0/1/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AD72C92)
> Jul 31 10:43:30 eserver postfix/qmgr[20440]: 8A897403E24: removed

This bounce message is sent to mail.example.org.

> ============================================================================
>
> However if I send from a valid user account to an address that causes
> a bounce (non-existent in this case), the NDR gets rejected by the
> sender's email service:
> ============================================================================
> Jul 31 10:17:45 eserver postfix/pickup[19900]: 511AE403E25: uid=0 from=<us...@example.com>
> Jul 31 10:17:45 eserver postfix/cleanup[19977]: 511AE403E25: message-id=<20180731141745.511ae403...@smtp.office.example.com>
> Jul 31 10:17:45 eserver postfix/qmgr[19901]: 511AE403E25: from=<us...@example.com>, size=523, nrcpt=1 (queue active)
> Jul 31 10:17:46 eserver postfix/smtp[19978]: 511AE403E25: to=<pi...@example.net>, relay=mail.example.org[185.70.40.101]:25, delay=1.3, delays=0.05/0/1/0.17, dsn=5.7.1, status=bounced (host mail.example.org[185.70.40.101] said: 554 5.7.1 <pi...@example.net>: Recipient address rejected: this address does not exist (in reply to RCPT TO command))
>
> Jul 31 10:17:46 eserver postfix/cleanup[19977]: 88382403E24: message-id=<20180731141746.88382403...@smtp.office.example.com>
> Jul 31 10:17:46 eserver postfix/bounce[19981]: 511AE403E25: sender non-delivery notification: 88382403E24
> Jul 31 10:17:46 eserver postfix/qmgr[19901]: 88382403E24: from=<>, size=3359, nrcpt=1 (queue active)
> Jul 31 10:17:46 eserver postfix/qmgr[19901]: 511AE403E25: removed
> Jul 31 10:17:47 eserver postfix/smtp[19978]: 88382403E24: to=<us...@example.com>, relay=ASPMX.L.GOOGLE.com[74.125.202.27]:25, delay=0.47, delays=0.02/0/0.23/0.22, dsn=5.7.1, status=bounced (host ASPMX.L.GOOGLE.com[74.125.202.27] said: 550-5.7.1 Unauthenticated email from example.com is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example.com domain if this was a legitimate mail. Please visit 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. o20-v6si10401393iod.272 - gsmtp (in reply to end of DATA command))
>
> Jul 31 10:17:47 eserver postfix/qmgr[19901]: 88382403E24: removed
> ============================================================================

This bounce message was sent to ASPMX.L.GOOGLE.com.

Apparently, mail.example.org and ASPMX.L.GOOGLE.com enforce DMARC
in different ways.

Regardless, if the DMARC policy does not authorize host Y to send
mail on behalf of domain $myorigin, then you need to fix the DMARC
policy so that those bounces sent by host Y aren't violating DMARC,
or you need to somehow route those bounces from host Y through a
host that is DMARC-authorized.

        Wietse