Re: Overriding transport_maps with sender_dependent
Matt Corallo:
> I tried variations of this but never could get it to work - as far as I could
> tell the nexthop is fully resolved by the time we get to the smtp daemon, so
> there aren't any relevant settings to override or otherwise set the default
> on the nexthop there.

In the FILTER command you specify transport AND nexthop. There is nothing
to be resolved BEFORE the SMTP client.

	Wietse

> Thanks,
> Matt
>
> On 8/11/21 17:37, Wietse Venema wrote:
> > Matt Corallo:
> >> On 8/11/21 16:52, Wietse Venema wrote:
> >> > If the sender address can override the routing, even if the recipient
> >> > would otherwise be delivered locally, then that would be a recipe
> >> > for mailer loops with the potential for mail explosions. This is
> >> > why we have sender_dependent overrides for default transports and
> >> > relay hosts, and avoid such stability problems.
> >>
> >> Ah! Understood, indeed, the setup I've had to fall back to has some risk
> >> of routing loops, though with some care to hopefully ensure it can't ever
> >> actually be hit. I guess the only solution is multi-key lookups, which
> >> would be nice, but understood that it's likely very nontrivial to add :).
> >
> > Would this do the job:
> >
> > /etc/postfix/main.cf:
> >     smtpd_sender_restrictions = hash:/etc/postfix/sender_access
> >
> > /etc/postfix/sender_access
> >     example.com filter smtp-example-com:relay-for-example-com
> >     ...
> >
> > /etc/postfix/master.cf:
> >     smtp-example-com .. .. .. .. .. .. smtp
> >     ...
> >
> > It avoids the need for another instance. Postfix should break a
> > mailer loop that delivers to itself.
> >
> >     Wietse
Re: Overriding transport_maps with sender_dependent
On 8/12/21 09:37, Wietse Venema wrote:
> Matt Corallo:
>> I tried variations of this but never could get it to work - as far as I
>> could tell the nexthop is fully resolved by the time we get to the smtp
>> daemon, so there aren't any relevant settings to override or otherwise
>> set the default on the nexthop there.
>
> In the FILTER command you specify transport AND nexthop. There is nothing
> to be resolved BEFORE the SMTP client.

Ah, thanks. Sadly I'm not sure this solves the immediate issue either, as it
seems to override local domain delivery as well, i.e. it results in any of
the source addresses which would need proxying to external domains being
proxied to local domains as well.

For context, this doesn't feel like a crazy setup - some users have external
addresses they want to be able to send mail as, which we (obviously) need to
relay via their external providers' SMTP with authentication. For local-domain
mails, there are some providers (*cough* Microsoft *cough*) which treat all
mail from low-volume IPs as spam, no matter what best practices you comply
with, so we want to relay anything to Microsoft domains out via a third-party
provider.

It's currently working with a second postfix instance and a simple socketmap
program in transport_maps to look up if a domain's MX is *.outlook.com.

Matt
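An added example of the socketmap approach Matt describes above; it is not his program or any code from this thread. It speaks the Postfix socketmap_table(5) wire protocol for a transport_maps lookup and answers with a relay transport when the recipient domain's MX points at *.outlook.com, or NOTFOUND so Postfix keeps its normal routing. The MX table, the map name "mxroute" and the relay transport:nexthop are constructed placeholders standing in for real DNS lookups and a real relay provider.

```python
# Added example (not from this thread): a Postfix socketmap_table(5) responder for transport_maps.
# Wire format: netstrings "<len>:<payload>,"; request "<mapname> <key>", reply "OK <data>" or "NOTFOUND ".
import io
# Constructed MX table standing in for DNS MX lookups (an assumption of this example).
MX_TABLE = {
    "contoso.example": ["contoso-example.mail.protection.outlook.com."],
    "example.org": ["mx1.example.org."],
}
# Placeholder transport:nexthop for the third-party relay (an assumption of this example).
RELAY_TRANSPORT = "relay:[smtp.thirdparty.example]:587"

def read_netstring(f) -> bytes:
    """Read one netstring from a binary file-like object; ValueError on EOF or garbage."""
    length = b""
    while (c := f.read(1)) != b":":
        if not c.isdigit() or len(length) > 9:   # b"".isdigit() is False, so EOF lands here
            raise ValueError("bad netstring length")
        length += c
    data = f.read(int(length))
    if len(data) != int(length) or f.read(1) != b",":
        raise ValueError("bad netstring body")
    return data

def netstring(payload: bytes) -> bytes:
    return b"%d:%s," % (len(payload), payload)

def lookup(key: str, mx_lookup=MX_TABLE.get) -> bytes:
    """Reply payload for one transport_maps key (user@domain, domain, or .parent-domain)."""
    if key.startswith("."):            # parent-domain probe: a subdomain is judged by its own MX
        return b"NOTFOUND "
    mx_hosts = mx_lookup(key.rsplit("@", 1)[-1].lower()) or []
    if any(h.lower().rstrip(".").endswith(".outlook.com") for h in mx_hosts):
        return b"OK " + RELAY_TRANSPORT.encode("ascii")
    return b"NOTFOUND "                # let Postfix fall through to its normal routing

def serve(rfile, wfile) -> None:
    """Answer requests on one connection until the client disconnects or sends garbage."""
    while True:
        try:
            key = read_netstring(rfile).partition(b" ")[2]   # drop the "<mapname> " prefix
        except ValueError:
            return
        wfile.write(netstring(lookup(key.decode("ascii", "replace"))))

def handle_bytes(raw: bytes) -> bytes:
    """Run serve() over an in-memory connection (for tests and quick experiments)."""
    out = io.BytesIO()
    serve(io.BytesIO(raw), out)
    return out.getvalue()
```

Wired to a real socket, main.cf would reference it as transport_maps = socketmap:unix:/path/to/socket:mxroute (path is a placeholder).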
Re: Overriding transport_maps with sender_dependent
On Thu, 12 Aug 2021 11:56:36 -0400, Matt Corallo stated:
>On 8/12/21 09:37, Wietse Venema wrote:
>> Matt Corallo:
>>> I tried variations of this but never could get it to work - as far
>>> as I could tell the nexthop is fully resolved by the time we get to
>>> the smtp daemon, so there aren't any relevant settings to override
>>> or otherwise set the default on the nexthop there.
>>
>> In the FILTER command you specify transport AND nexthop. There is
>> nothing to be resolved BEFORE the SMTP client.
>
>Ah, thanks. Sadly I'm not sure this solves the immediate issue either
>as it seems to override local domain delivery as well. i.e. it results
>in any of the source addresses which would need proxying to external
>domains being proxied to local domains as well.
>
>For context, this doesn't feel like a crazy setup - some users have
>external addresses they want to be able to send mail as, which we
>(obviously) need to relay via their external providers' smtp with
>authentication. For local-domain mails, there are some providers
>(*cough* Microsoft *cough*) which treat all mail from low-volume IPs
>as spam, no matter what best-practices you comply with, so we want to
>relay anything to Microsoft domains out via a third-party provider.
>
>Its currently working with a second postfix instance and a simple
>socketmap program in transport_maps to lookup if a domain's MX is
>*.outlook.com.
>
>Matt

Have you made any attempt to get your IP 'whitelisted' with Microsoft?

-- 
Gerard
Re: Overriding transport_maps with sender_dependent
On 8/12/21 14:41, Gerard E. Seibert wrote:
> Have you made any attempt to get your IP 'whitelisted' with Microsoft?

Several attempts. If you know of a decent contact I can pursue it further, but
even after fighting with their usual ticket people and getting "mitigation"
turned on for the sending IP, things are still insta-spam-boxed. The MailOps
list is filled with people in similar boats, and at least a few have given up
and just relay to Microsoft as well.

Matt
will this break DMARC?
I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.

This is the DMARC setting of mail.ru:

_dmarc.mail.ru. 164 IN TXT "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai"; "lto:dmarc_...@corp.mail.ru"

(please notice p=reject setting)

When gmail receives the forwarded email from pobox, will it break DMARC?
Since the message header shows the sender as x...@mail.ru, but the SMTP
talking IP is pobox's IP address.

Thank you.

-- 
Ken N
https://lrblogs.com/
Re: will this break DMARC?
On 2021-08-13 04:44, Ken N wrote:
> I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
>
> This is DMARC setting of mail.ru:
>
> _dmarc.mail.ru. 164 IN TXT "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai"; "lto:dmarc_...@corp.mail.ru"
>
> (please notice p=reject setting)

https://dmarcian.com/dmarc-inspector/?domain=mail.ru

it's valid

but it could join the split txt record without breaking the line with a space

so removing " " won't hurt here, it makes it more readable in dns terms, but it's still valid

> When gmail receive the forwarded email from pobox, will it break DMARC?

example ?

> since the message header showing sender is x...@mail.ru, but the SMTP
> talking IP is pobox's IP address.

forwards change the spf envelope sender, but it should not break dmarc

> Thank you.
Re: will this break DMARC?
The DMARC record itself looks fine and valid; however, the issue is going to be whether your SPF and DKIM records align. I suspect the issue will be in the alignment, and the OP didn't provide those details to be able to evaluate.

On Thu, Aug 12, 2021 at 11:47 PM Benny Pedersen wrote:
> On 2021-08-13 04:44, Ken N wrote:
> > I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
> >
> > This is DMARC setting of mail.ru:
> >
> > _dmarc.mail.ru. 164 IN TXT
> > "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai";
> > "lto:dmarc_...@corp.mail.ru"
> >
> > (please notice p=reject setting)
>
> https://dmarcian.com/dmarc-inspector/?domain=mail.ru
>
> it's valid
>
> but it could join the split txt record without breaking the line with
> a space
>
> so removing " " won't hurt here, it makes it more readable in dns terms,
> but it's still valid
>
> > When gmail receive the forwarded email from pobox, will it break DMARC?
>
> example ?
>
> > since the message header showing sender is x...@mail.ru, but the SMTP
> > talking IP is pobox's IP address.
>
> forwards change the spf envelope sender, but it should not break dmarc
>
> > Thank you.
>
Re: will this break DMARC?
Hello

When gmail sees this forwarded email from pobox.com, it won't break SPF
because Pobox does SRS. But I doubt it will break DMARC for mail.ru since:

1) the from address in the message header is x...@mail.ru
2) the sender IP addr (by pobox) is not owned by mail.ru

so gmail may reject this message due to the DMARC setting. Am I right?

Thank you

On 2021/8/13 12:02 PM, Jeremy T. Bouse wrote:
> The DMARC record itself looks fine and valid; however, the issue is going
> to be whether your SPF and DKIM records align. I suspect the issue will be
> in the alignment and the OP didn't provide those details to be able to
> evaluate.

-- 
Ken N
https://lrblogs.com/
Re: will this break DMARC?
On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N wrote:
> I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
>
> This is DMARC setting of mail.ru:
>
> _dmarc.mail.ru. 164 IN TXT
> "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai";
> "lto:dmarc_...@corp.mail.ru"
>
> (please notice p=reject setting)
>
> When gmail receive the forwarded email from pobox, will it break DMARC?
> since the message header showing sender is x...@mail.ru, but the SMTP talking
> IP is pobox's IP address.
>
> Thank you.
> --
> Ken N
> https://lrblogs.com/

Maybe. It depends on lots of stuff.

A DMARC check passes if either SPF or DKIM pass, but (for DMARC purposes),
SPF only applies (and therefore can only pass) when the From: domain matches
the envelope sender domain, and (for DMARC purposes) DKIM only applies (and
therefore can only pass) when the From: domain matches the DKIM signing
domain (d=).

If pobox.com uses its own envelope sender when forwarding the email, then
mail.ru's SPF doesn't apply (because it wouldn't be the envelope sender
domain anymore). Instead, pobox.com's SPF applies (because it's now the
envelope sender domain). But pobox.com's SPF doesn't apply to mail.ru's
DMARC check. So SPF wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender then mail.ru's SPF
will apply and it will fail (because pobox.com won't be authorized by
mail.ru's SPF). So it won't contribute to a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC check for mail.ru.

The only other possibility is if the email was DKIM-signed by mail.ru as
well. If it wasn't, then DMARC fails. If it was, and the email wasn't
changed en route in any way that invalidated the DKIM signature, then DMARC
passes. If the mail was modified too much, then DMARC fails, but if
pobox.com is just forwarding, then it shouldn't have modified it in a way
that matters to DKIM.

And the DKIM signature has to have been signed with mail.ru's DKIM key. Any
other signing domain doesn't apply for DMARC purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just forwards it, and does
nothing else other than adding headers along the way, then it'll probably
pass a DMARC check for mail.ru. Otherwise, it won't.

Having said all that, what gmail does with it upon arrival is entirely up
to gmail. :-)

cheers,
raf
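A small evaluator of the alignment rule raf lays out above, written as an added example that is not part of the thread: DMARC passes only on an aligned SPF pass or an aligned DKIM pass, and it runs the mail.ru -> pobox.com -> gmail forwarding cases on constructed inputs. The alignment check is a simplified stand-in for the organizational-domain comparison a real checker does (an assumption of the example).

```python
# Added example (not from the thread): evaluate DMARC the way raf describes it.
# DMARC passes if an *aligned* SPF pass OR an *aligned* DKIM pass exists.
# SPF is aligned when the envelope-sender (RFC5321.MailFrom) domain matches the
# header From domain; DKIM is aligned when the signature's d= domain matches it.
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    from_domain: str            # domain of the header From: (the DMARC identifier)
    envelope_from_domain: str   # domain of the SMTP MAIL FROM (SPF identifier)
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    dkim_results: list = field(default_factory=list)  # [(d= domain, result), ...]


def aligned(identifier_domain: str, from_domain: str) -> bool:
    """Relaxed alignment, simplified: equal domains or one a subdomain of the other.
    (Real checkers compare organizational domains via the Public Suffix List; this
    approximation is an assumption of the example, not a full RFC 7489 implementation.)"""
    i = identifier_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return i == f or i.endswith("." + f) or f.endswith("." + i)


def dmarc_evaluate(r: AuthResults) -> dict:
    """Return which mechanisms contributed an aligned pass, and the overall verdict."""
    spf_ok = r.spf_result == "pass" and aligned(r.envelope_from_domain, r.from_domain)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain) for d, res in r.dkim_results)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}


def forwarding_scenarios() -> dict:
    """The mail.ru -> pobox.com -> gmail cases from the thread (constructed inputs)."""
    return {
        # pobox rewrites the envelope sender (SRS): SPF passes for pobox.com but is
        # not aligned with mail.ru, so only a surviving mail.ru DKIM signature helps.
        "srs_dkim_intact": dmarc_evaluate(AuthResults("mail.ru", "pobox.com", "pass", [("mail.ru", "pass")])),
        "srs_dkim_broken": dmarc_evaluate(AuthResults("mail.ru", "pobox.com", "pass", [("mail.ru", "fail")])),
        # pobox keeps the mail.ru envelope sender: SPF fails (pobox's IP is not in mail.ru's record).
        "passthrough_no_dkim": dmarc_evaluate(AuthResults("mail.ru", "mail.ru", "fail", [])),
        # pobox adds its own signature: aligned to pobox.com, irrelevant for mail.ru's DMARC.
        "srs_pobox_signed_only": dmarc_evaluate(AuthResults("mail.ru", "pobox.com", "pass", [("pobox.com", "pass")])),
    }
```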
Re: will this break DMARC?
On 2021-08-13 06:25, Ken N wrote:
> Am I right?

no, SRS is not part of dmarc

pobox has their own spf, and dkim, but pobox should not use srs or add dkim signing, so only arc sealing on pobox is needed to not break dmarc

if pobox on the other hand originates emails they should dkim sign it, otherwise not

note there is now a cve on libspf2, which in most cases is used by srs implementations

no one should use srs or sender-id anymore, both should be deprecated
Re: will this break DMARC?
thank you very much @raf. I have got your idea.

On 2021/8/13 1:03 PM, raf wrote:
> On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N wrote:
> > I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
> >
> > This is DMARC setting of mail.ru:
> >
> > _dmarc.mail.ru. 164 IN TXT
> > "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai";
> > "lto:dmarc_...@corp.mail.ru"
> >
> > (please notice p=reject setting)
> >
> > When gmail receive the forwarded email from pobox, will it break DMARC?
> > since the message header showing sender is x...@mail.ru, but the SMTP
> > talking IP is pobox's IP address.
> >
> > Thank you.
> > --
> > Ken N
> > https://lrblogs.com/
>
> Maybe. It depends on lots of stuff.
>
> A DMARC check passes if either SPF or DKIM pass, but (for DMARC purposes),
> SPF only applies (and therefore can only pass) when the From: domain
> matches the envelope sender domain, and (for DMARC purposes) DKIM only
> applies (and therefore can only pass) when the From: domain matches the
> DKIM signing domain (d=).
>
> If pobox.com uses its own envelope sender when forwarding the email, then
> mail.ru's SPF doesn't apply (because it wouldn't be the envelope sender
> domain anymore). Instead, pobox.com's SPF applies (because it's now the
> envelope sender domain). But pobox.com's SPF doesn't apply to mail.ru's
> DMARC check. So SPF wouldn't contribute to a DMARC check for mail.ru.
>
> If pobox.com uses the original mail.ru envelope sender then mail.ru's SPF
> will apply and it will fail (because pobox.com won't be authorized by
> mail.ru's SPF). So it won't contribute to a DMARC check for mail.ru either.
>
> So, you can't count on SPF to get it through a DMARC check for mail.ru.
>
> The only other possibility is if the email was DKIM-signed by mail.ru as
> well. If it wasn't, then DMARC fails. If it was, and the email wasn't
> changed en route in any way that invalidated the DKIM signature, then
> DMARC passes. If the mail was modified too much, then DMARC fails, but if
> pobox.com is just forwarding, then it shouldn't have modified it in a way
> that matters to DKIM.
>
> And the DKIM signature has to have been signed with mail.ru's DKIM key.
> Any other signing domain doesn't apply for DMARC purposes.
>
> So, if it's DKIM-signed by mail.ru, and pobox.com just forwards it, and
> does nothing else other than adding headers along the way, then it'll
> probably pass a DMARC check for mail.ru. Otherwise, it won't.
>
> Having said all that, what gmail does with it upon arrival is entirely up
> to gmail. :-)
>
> cheers,
> raf

-- 
Ken N
https://lrblogs.com/