Viktor Dukhovni:
> On Thu, Jun 23, 2022 at 02:43:02PM -0700, Derek B. Noonburg wrote:
>
> > I'm running postfix to handle email for several users. One of them
> > has a .forward file that points to a gmail address. Gmail's servers
> > are rejecting some email for various causes ("low reputation of
> > sending domain", SPF failures).
> >
> > The problem is that postfix then bounces the email back to the (likely
> > forged) sender, which means my server is sending backscatter.
> >
> > What I'd like to do is silently drop any email that's rejected by the
> > target of a .forward file. Is there some way to configure postfix to
> > do that? Or some better way of handling this problem?
>
> If you can convince the user to surrender the alias management to you,
> then you instead configure:
>
>     owner-user: user
>     user: some.a...@gmail.com
>
> And presto magic, email to gmail will be forwarded with an envelope
> sender address that no longer fails SPF checks. DKIM should continue
> to work, because the message content will not be modified in transit.

That is a neat hack. Would this work?

    owner-user: user
    user: :include:/home/user/.forward

Postfix will switch execution privileges to those of the :include:
file owner, when that file is included from the local system aliases
file (it won't switch when the :include: directive is in a user-owned
file, to avoid privilege escalation).

This would not propagate address extensions. But then, local aliases
and .forward files don't propagate address extensions by default.

> I just don't expect that owner-aliases can be sensibly combined with
> .forward files. Though perhaps local(8) manages to pull off that magic
> much to my surprise.

owner-foo lookups are implemented for local alias file lookups.

	Wietse
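An added example, not part of the thread and not Postfix code: a small audit that parses aliases(5)-style text and lists aliases that forward off-host or through `:include:` without a matching `owner-<name>` entry, which are the forwards that keep the original envelope sender. The sample file, names and addresses are constructed, and the parser assumes no quoted names or quoted targets containing `:` or `,`.

```python
# Constructed sample in aliases(5) syntax; all names/addresses are illustrative.
SAMPLE_ALIASES = """\
# system aliases
postmaster: root
owner-alice: alice
alice: alice.fwd@example.net
bob: :include:/home/bob/.forward
carol: carol,
    carol.backup@example.org
"""


def parse_aliases(text):
    """Return {alias_name: [targets]} from aliases(5)-style text."""
    logical = []
    for raw in text.splitlines():
        # Blank lines and lines whose first non-blank char is '#' are ignored.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace = continuation
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        name, sep, rhs = line.partition(":")
        if not sep:
            continue  # not a "name: value" entry
        # Alias names are matched case-insensitively, so normalise to lower case.
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def needs_owner_alias(table):
    """Aliases with remote or :include: targets but no owner-<name> entry."""
    flagged = []
    for name, targets in table.items():
        if name.startswith("owner-"):
            continue
        external = [t for t in targets if t.startswith(":include:") or "@" in t]
        if external and f"owner-{name}" not in table:
            flagged.append((name, external))
    return sorted(flagged)


if __name__ == "__main__":
    for name, targets in needs_owner_alias(parse_aliases(SAMPLE_ALIASES)):
        print(f"{name}: no owner-{name} alias for {', '.join(targets)}")
```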