Secure forwarding with LibSRS?
I've set up my own email server using the Linode guide for Postfix/MySQL and Dovecot. Everything is working very well. Now to my issue. I need to forward all incoming emails for a certain address to an external address, and at the same time rewrite the sender in order for SPF/DKIM to pass.
I've found LibSRS (
Any help I can get in this matter would be highly appreciated!
Thanks!
13 Replies
In /etc/postfix/redirector, an executable script:
#!/bin/bash
# Redirects mail to make SPF happy.
# Ryan Tucker <rtucker@gmail.com>, 2010 Oct 24
# Based on http://serverfault.com/q/82234/54177
HOSTNAME=`hostname -f`
# Strip the fake ".munger" suffix added by the virtual alias to recover the real destination.
DESTINATION=`echo "$1" | sed 's/.munger$//'`
# Resubmit the message with a local envelope sender so the forwarding hop passes SPF.
/usr/sbin/sendmail -bm -f "mail@$HOSTNAME" "$DESTINATION"
logger -i -p mail.info -t redirector "Redirecting message to $DESTINATION (orig to $2)"
In master.cf:
# resends the message with a local envelope sender to "thwart" SPF on forwards
# remember to set munger_destination_recipient_limit = 1 in main.cf
munger unix - n n - - pipe
flags=q user=nobody argv=/etc/postfix/redirector ${mailbox}@${nexthop} ${original_recipient}
In transport:
# spf-ish domains
.munger munger:
In main.cf:
munger_destination_recipient_limit = 1
And finally, virtual:
local@example.com distant@example.net.munger
It worked well for pretty much all the mail going through my system, but we've been migrating domains to Fastmail. They have a ticky-box that does this automatically. (And they do mail better than I do.)
Thanks for your answer, I'll definitely have a look into this. A question first though: what do you mean with "And finally, virtual:"?
Is it the virtual_alias_maps you mean in main.cf?
The current value for that is virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf and I need to keep it that way in order to use the MySQL table. Or do you simply mean to add the "redirect" in my existing MySQL table for aliases?
Thanks!
I've set up everything and first I got "Permission denied" for the "munger service". Ran chmod +x redirector. When a new email is arriving to the server, the postfix log says:
Sep 6 05:26:11 li416-119 postfix/sendmail[15584]: fatal: User nobody(65534) is not allowed to submit mail
Guess I have to adjust something in the redirector script, but what part? Thanks!
I commented out this line in main.cf:
smtpd_data_restrictions = reject_unauth_pipelining
And added nobody to authorized_submit_users.
The email is coming through as it should, and the sender is correct! Two questions on this:
1) Is there a chance of any issues with commenting out "reject_unauth_pipelining"?
2) Is it "dangerous" to add nobody to "authorized_submit_users"?
Also, it would be very, very nice if the recipient (which has a local inbox on the server) could keep a copy of the mail that's being forwarded.
a) I've setup
b) When sending an email TO
When
Return-Path: mail@email.mydomain.tld
Received: from email.mydomain.tld (unknown [178.xx.yyy.zzz])
by vsp-inbound-02-02.binero.net (Halon Mail Gateway) with ESMTP
for addr2@anotherdomain.tld; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
Received: by email.mydomain.tld (Postfix, from userid 65534)
id A21CF8282D; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by email.mydomain.tld (Postfix) with ESMTP id 9167D827CB
for addr2@anotherdomain.tld.munger; Sat, 6 Sep 2014 07:39:19 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at email.mydomain.tld
Received: from email.mydomain.tld ([127.0.0.1])
by localhost (email.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LJBpolt37lq3 for addr2@anotherdomain.tld.munger;
Sat, 6 Sep 2014 07:39:14 +0200 (CEST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173])
by email.mydomain.tld (Postfix) with ESMTPS id 448D2827C3
for addr1@domain.tld; Sat, 6 Sep 2014 07:39:14 +0200 (CEST)
Received: by mail-wi0-f173.google.com with SMTP id cc10so323375wib.12
for addr1@domain.tld; Fri, 05 Sep 2014 22:39:13 -0700 (PDT)
Postfix log:
postfix/smtpd[22133]: 9167D827CB: client=localhost[127.0.0.1]
postfix/cleanup[22123]: 9167D827CB: message-id=<calk1bfqvo+bkbs-0hrs4ta2xguiqao8xttu-nr40dp2qr6wlyq@mail.gmail.com>
opendkim[747]: 9167D827CB no signing table match for `the-sender@gmail.com'
opendkim[747]: 9167D827CB: no signature data
postfix/qmgr[21820]: 9167D827CB: from=<the-sender@gmail.com>, size=57915, nrcpt=1 (queue active)
amavis[19896]: (19896-04) Passed CLEAN, [209.85.212.173] [209.85.212.173] <the-sender@gmail.com> -> <addr2@anotherdomain.tld.munger>, Message-ID: <calk1bfqvo+bkbs-0hrs4ta2xguiqao8xttu-nr40dp2qr6wlyq@mail.gmail.com>, mail_id: LJBpolt37lq3, Hits: 0.615, size: 57391, queued_as: 9167D827CB, 5320 ms
redirector[22299]: Redirecting message to addr2@anotherdomain.tld (orig to addr2@anotherdomain.tld.munger)
postfix/smtp[22124]: 448D2827C3: to=<addr2@anotherdomain.tld.munger>, orig_to=<addr1@domain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=0.08/0.01/0/5.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=19896-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9167D827CB)
postfix/pipe[22134]: 9167D827CB: to=<addr2@anotherdomain.tld.munger>, relay=munger, delay=0.07, delays=0.05/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via munger service)
postfix/qmgr[21820]: 9167D827CB: removed
Return-Path: <mail@email.mydomain.tld>
It is defaulting to the user executing the redirector script, but that could be changed by adjusting the -f argument on its call to sendmail. (Perhaps -f "$2" would do the trick?) None of this touches the "From:" header inside of the message – that's not used for SPF/DKIM/etc, it's just for human readability.
As far as saving a copy of the mail locally, you might want to look into
In all cases, be mindful of loops that could occur when the external address is undeliverable. If the envelope sender of the forwarding copy is the recipient's e-mail address, then all hell will break loose if the external address bounces. (That's why I didn't do -f "$2" in the first place.)
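The Sender Rewriting Scheme the original question asks about (LibSRS) solves exactly the two problems discussed in this thread: SPF passes because the envelope sender now lives at the forwarding domain, and a late bounce to the rewritten address is verified and either mapped back to the original sender or dropped, rather than looping. This is an added Python example, not code from the thread or from LibSRS; the secret, the 21-day validity window and the hash case-folding are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example; a real forwarder keeps its own private key.
SECRET = b"example-secret-change-me"
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # SRS timestamp alphabet
MAX_AGE_DAYS = 21                           # assumed validity window for an SRS0 address

def _today(day=None):
    """Days since the epoch, mod 1024 (the SRS timestamp wraps every ~2.8 years)."""
    return (int(time.time() // 86400) if day is None else day) % 1024

def srs_timestamp(day=None):
    """Two base32 chars encoding the current day mod 1024."""
    d = _today(day)
    return B32[(d >> 5) & 31] + B32[d & 31]

def srs_hash(ts, domain, local):
    """Four chars of base64(HMAC-SHA1) over timestamp, original domain and local part."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()

def srs_forward(sender, forwarder, day=None):
    """Rewrite sender@domain to SRS0=HHHH=TT=domain=sender@forwarder for the outgoing hop."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address, day=None):
    """Return the original sender for a valid, unexpired SRS0 bounce address, else None."""
    local_part = address.rpartition("@")[0]
    if not local_part.startswith("SRS0="):
        return None                     # not an address we issued: do not relay it
    parts = local_part[5:].split("=", 3)
    if len(parts) != 4:
        return None
    h, ts, domain, local = parts
    if not hmac.compare_digest(h, srs_hash(ts, domain, local)):
        return None                     # forged or mangled hash: refuse to bounce it onward
    try:
        stamped = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    except (ValueError, IndexError):
        return None
    if (_today(day) - stamped) % 1024 > MAX_AGE_DAYS:
        return None                     # stale address: a late bounce is dropped, not looped
    return f"{local}@{domain}"
```

Because only the forwarder can produce a valid hash, an attacker cannot craft an SRS0 address that makes the forwarder relay bounces to an arbitrary third party, and the timestamp bounds how long any captured address stays usable.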