Secure forwarding with LibSRS?

Hi!

I've set up my own email server using the Linode guide for postfix/mysql and dovecot. Everything is working very well. Now to my issue. I need to forward all incoming emails to a certain address to an external address, and at the same time rewrite the sender in order for SPF/DKIM to pass.

I've found LibSRS (http://www.libsrs2.org/) and installed it on my debian box using apt-get. But what now? I'm unable to find any guides, instructions etc. how to configure LibSRS with this certain address.

Any help I can get in this matter would be highly appreciated!

Thanks!

13 Replies

Just to clarify things. When people are sending email to name@domain.tld, postfix has to forward that email to another-name@another-domain.tld, and alter (keep) the FROM-address to name@domain.tld instead of keeping the original sender. This is because I'm using SPF/DKIM and the emails will be classed as spam (not permitted sender nor valid DKIM).

I use something like this:

In /etc/postfix/redirector, an executable script:

```
#!/bin/bash

# Redirects mail to make SPF happy.
# Ryan Tucker <rtucker@gmail.com>, 2010 Oct 24
# Based on http://serverfault.com/q/82234/54177
HOSTNAME=$(hostname -f)
# Strip the literal ".munger" suffix that routed the message to this transport.
DESTINATION="${1%.munger}"

# Resubmit with a local envelope sender; the message itself is read from stdin.
/usr/sbin/sendmail -bm -f "mail@$HOSTNAME" "$DESTINATION"
logger -i -p mail.info -t redirector "Redirecting message to $DESTINATION (orig to $2)"
```

In master.cf:

```
# resends the message with a local envelope sender to "thwart" SPF on forwards
# remember to set munger_destination_recipient_limit = 1 in main.cf
munger  unix  -       n       n       -       -       pipe
  flags=q user=nobody argv=/etc/postfix/redirector ${mailbox}@${nexthop} ${original_recipient}
```

In transport:

```
# spf-ish domains
.munger   munger:
```

In main.cf:

```
munger_destination_recipient_limit = 1
```

And finally, virtual:

```
local@example.com    distant@example.net.munger
```

It worked well for pretty much all the mail going through my system, but we've been migrating domains to Fastmail. They have a ticky-box that does this automatically. (And they do mail better than I do.)

Hi!

Thanks for your answer, I'll definitely have a look into this. A question first though: what do you mean with "And finally, virtual:"?

Is it the virtual_alias_maps you mean in main.cf?

The current value for that is virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf and I need to keep it that way in order to use the mysql table. Or do you simply mean to add the "redirect" in my existing mysql table for aliases?

Thanks!

Basically, you'd append .munger to any destination address, however you do it, and it'll go through this transport.

Okay! So you mean .munger will be removed from the target address? I'll give it a try then!

Almost there… :D

I've set up everything and first I got "Permission denied" for the "munger service". Ran chmod +x redirector. When a new email is arriving to the server, postfix log says: Sep 6 05:26:11 li416-119 postfix/sendmail[15584]: fatal: User nobody(65534) is not allowed to submit mail

Guess I have to adjust something in the redirector script, but what part? Thanks!

Tried to change user= in master.cf to both vmail and root, same error… Suggestions?

Think I solved it!

I commented out this line in main.cf: smtpd_data_restrictions = reject_unauth_pipelining

And added nobody to authorized_submit_users.

The email is coming through as it should, and the sender is correct! Two questions on this:

1) Is there a chance of any issues with commenting out "reject_unauth_pipelining"?

2) Is it "dangerous" to add nobody to "authorized_submit_users"?

Also, would be very, very nice if the recipient (which has a local inbox on the server) could keep a copy of the mail that's being forwarded.

Hmm, nope, it's not working…. The original sender is still the sender of the forwarded email…. I.e.

a) I've set up addr1@domain.tld as an alias with the destination addr2@anotherdomain.tld

b) When sending an email TO addr1@domain.tld it's supposed to save a local copy of the email in the inbox, and forward the email to addr2@anotherdomain.tld.

When addr2@anotherdomain.tld is receiving the email, addr1@domain.tld is supposed to be the FROM address.

What does your mail log say? What do the received message headers say?

Message headers:

```
Return-Path: mail@email.mydomain.tld
Received: from email.mydomain.tld (unknown [178.xx.yyy.zzz])
    by vsp-inbound-02-02.binero.net (Halon Mail Gateway) with ESMTP
    for addr2@anotherdomain.tld; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
Received: by email.mydomain.tld (Postfix, from userid 65534)
    id A21CF8282D; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by email.mydomain.tld (Postfix) with ESMTP id 9167D827CB
    for addr2@anotherdomain.tld.munger; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at email.mydomain.tld
Received: from email.mydomain.tld ([127.0.0.1])
    by localhost (email.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LJBpolt37lq3 for addr2@anotherdomain.tld.munger;
    Sat, 6 Sep 2014 07:39:14 +0200 (CEST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173])
    by email.mydomain.tld (Postfix) with ESMTPS id 448D2827C3
    for addr1@domain.tld; Sat, 6 Sep 2014 07:39:14 +0200 (CEST)
Received: by mail-wi0-f173.google.com with SMTP id cc10so323375wib.12
    for addr1@domain.tld; Fri, 05 Sep 2014 22:39:13 -0700 (PDT)
```

Postfix log:

```
postfix/smtpd[22133]: 9167D827CB: client=localhost[127.0.0.1]
postfix/cleanup[22123]: 9167D827CB: message-id=<calk1bfqvo+bkbs-0hrs4ta2xguiqao8xttu-nr40dp2qr6wlyq@mail.gmail.com>
opendkim[747]: 9167D827CB no signing table match for `the-sender@gmail.com'
opendkim[747]: 9167D827CB: no signature data
postfix/qmgr[21820]: 9167D827CB: from=<the-sender@gmail.com>, size=57915, nrcpt=1 (queue active)
amavis[19896]: (19896-04) Passed CLEAN, [209.85.212.173] [209.85.212.173] <the-sender@gmail.com> -> <addr2@anotherdomain.tld.munger>, Message-ID: <calk1bfqvo+bkbs-0hrs4ta2xguiqao8xttu-nr40dp2qr6wlyq@mail.gmail.com>, mail_id: LJBpolt37lq3, Hits: 0.615, size: 57391, queued_as: 9167D827CB, 5320 ms
redirector[22299]: Redirecting message to addr2@anotherdomain.tld (orig to addr2@anotherdomain.tld.munger)
postfix/smtp[22124]: 448D2827C3: to=<addr2@anotherdomain.tld.munger>, orig_to=<addr1@domain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=0.08/0.01/0/5.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=19896-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9167D827CB)
postfix/pipe[22134]: 9167D827CB: to=<addr2@anotherdomain.tld.munger>, relay=munger, delay=0.07, delays=0.05/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via munger service)
postfix/qmgr[21820]: 9167D827CB: removed
```

The envelope sender is being changed:

```
Return-Path: <mail@email.mydomain.tld>
```

It is defaulting to the user executing the redirector script, but that could be changed by adjusting the -f argument on its call to sendmail. (Perhaps -f "$2" would do the trick?) None of this touches the "From:" header inside of the message – that's not used for SPF/DKIM/etc, it's just for human readability.

As far as saving a copy of the mail locally, you might want to look into http://www.postfix.org/ADDRESS_REWRITING_README.html#auto_bcc … instead of forwarding all mail, use recipient_bcc_maps to bcc: mail for that user to the external address.

In all cases, be mindful of loops that could occur when the external address is undeliverable. If the envelope sender of the forwarding copy is the recipient's e-mail address, then all hell will break loose if the external address bounces. (That's why I didn't do -f "$2" in the first place.)
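What an SRS-style rewrite does to the envelope sender, and how it keeps bounces from looping, as an added example (not from the thread and not libsrs2's code). It follows the `SRS0=hash=timestamp=host=user@forwarder` layout but uses a hex hash and a decimal day stamp for readability, so it is not wire-compatible with LibSRS; `SECRET`, `FORWARDER`, `MAX_AGE_DAYS` and the function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-server secret, kept private
FORWARDER = "domain.tld"             # assumption: domain whose SPF covers this server
MAX_AGE_DAYS = 21                    # assumption: how long bounces stay acceptable


def today():
    return int(time.time() // 86400)


def _tag(ts, host, user):
    """Short keyed hash binding timestamp, host and user (hex for simplicity)."""
    msg = "=".join((ts, host, user)).lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:8]


def srs_forward(sender, day=None):
    """Return the envelope sender to use on the forwarded copy."""
    if sender in ("", "<>"):
        return sender  # a bounce (null sender) stays null, so it cannot loop
    user, host = sender.rsplit("@", 1)
    ts = str((today() if day is None else day) % 1024)
    return f"SRS0={_tag(ts, host, user)}={ts}={host}={user}@{FORWARDER}"


def srs_reverse(address, day=None):
    """Map a bounce recipient back to the original sender, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    tag, ts, host, user = parts
    if not hmac.compare_digest(tag.lower().encode(), _tag(ts, host, user).encode()):
        raise ValueError("hash mismatch: forged or altered address")
    if ((today() if day is None else day) - int(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("address expired")
    return f"{user}@{host}"


if __name__ == "__main__":
    rewritten = srs_forward("the-sender@gmail.com")
    print(rewritten)               # envelope sender now in FORWARDER's domain
    print(srs_reverse(rewritten))  # a bounce is routed back to the original sender
```

The keyed hash and the age limit are what stop the rewritten address from being usable as an open relay target: an address that was not issued by this server, or was issued too long ago, is rejected instead of reversed.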

Tried to set up the recipient_bcc_maps now and the problem is when the mail is received the sender is still the original sender. So back to square 1… I need to forward the email to an address, and change the sender address. Perhaps the easiest way is to create a PHP script that connects to the inbox, forwarding the email and run this script from cron?
