Mail forwarding doesn't work?


  • @MuhKuh Do I have to compile postsrsd as the GitHub readme shows in order to get this working with i-MSCP?


    yes, but consider the following

    • this is not an official postfix plugin and might contain bugs that affect your mail server
    • when using SRS you take responsibility for any spam you forward, this might affect your mail server reputation
    • you need to know exactly what you are doing when using this. You will probably not find many people that can help when you use it.
  • @MuhKuh


    Another solution is to set up the mail server correctly (including SPF, reverse DNS and so on...). I don't use the plugin you mention. I've configured SPF records as stated by Mailgun and all is working as it should.


    I mark this thread as solved because this is an i-MSCP related issue.


  • Another solution is to set up the mail server correctly (including SPF, reverse DNS and so on...). I don't use the plugin you mention. I've configured SPF records as stated by Mailgun and all is working as it should.


    This might be the case for Gmail, which has only softfail records, but for any domain having SPF set to "fail" you will not be able to forward any mails. It does not matter in this case if your own domain has SPF records, as your mail server still is not allowed to send anything for that other domain. So without SRS unfortunately there are mails that cannot be forwarded at all. Stupid SPF.....

  • @MuhKuh


    Forwarding mail doesn't mean that we try to send a mail to another domain with its identity. Forwarding mail only means that we are sending a kind of copy of the received mail to another domain... from a mail server which is identified by SPF records. SPF records allow a check of the sender domain. To sum up, SPF records only allow us to be sure that the mail server from which the mail is sent is allowed to send mail for a specific domain (using that domain as sender).


  • I will try to give an example:

    • We have a forwarding mail address defined in one of the imscp managed domains.
      [email protected] -> [email protected]
    • some-other-domain.test checks SPF records
    • [email protected] sends a mail to [email protected]
    • spf-hardfail-domain.test has a "-all" SPF record
    • Our server (my-imscp-domain.test) will forward the received mail
    • some-other-domain.test will receive the mail, check the DNS record of spf-hardfail-domain.test and will find out that my-imscp-domain.test is not allowed to send mails in the name of spf-hardfail-domain.test. As "-all" is used, it will reject the mail.
  • @MuhKuh


    OK, but is i-MSCP using the original sender to send the forwarded mail, or does it set it only as the return path? I agree with your workflow, but as far as I know, i-MSCP forwards the mail as a new mail and only sets the return path to the original sender (domain).


  • @MuhKuh


    I'll process further tests, using a sender which is external to my i-MSCP server.


  • @MuhKuh


    Does SPF break forwarding? Yes, but only if the receiver checks SPF without understanding their mail receiving architecture. If receivers are going to check SPF, they should whitelist forwarders that do not rewrite the sender address from SPF checks.


    So here, we could rewrite the sender (using the domain of the mail account which receives the mail) and then set the original sender as return path. This should solve the hard fail issues with SPF (as long as the SPF records for the new sender are correct). So? Do you want a workflow showing this?



    Refs:



  • So here, we could rewrite the sender (using the domain of the mail account which receives the mail) and then set the original sender as return path.


    Do you mean using SRS? If you just normally rewrite the sender, all mails will look like they come from your forwarding address. This will be very strange. Also, by the way, the return path is exactly what SPF checks use. If this contains the original sender it will still fail. Unfortunately the only correct way in an SPF world is using SRS (which encodes the original sender in the new return path).



    This should solve the hard fail issues with SPF (as long as the SPF records for the new sender are correct). So? Do you want a workflow showing this?


    The SPF record of the forwarding server does not matter in this case. You can use SRS without your own SPF records.
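
The forwarding scenario from this thread, worked through as an added example (not code from the thread, i-MSCP or postsrsd): a minimal SPF evaluator shows the forwarded mail failing on the original envelope sender and passing once the forwarder rewrites it in an SRS0-style form. The SPF records, IP addresses, local parts, secret and the fixed timestamp field are constructed, and the rewrite is a simplified illustration of the SRS0 layout, not postsrsd's exact algorithm.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF policies; domain names follow the thread's example.
SPF = {
    "spf-hardfail-domain.test": "v=spf1 ip4:192.0.2.10 -all",
    "my-imscp-domain.test": "v=spf1 ip4:198.51.100.25 -all",
}
FORWARDER_IP = "198.51.100.25"        # constructed address of the forwarding server
SECRET = b"constructed-demo-secret"   # assumption: secret known only to the forwarder

def spf_check(client_ip, mail_from):
    """Evaluate the ip4 and all mechanisms for the envelope sender's domain."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def _tag(ts, domain, local):
    """Short keyed hash so that only the forwarder can mint valid rewritten addresses."""
    msg = "|".join((ts, domain, local)).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(mail_from, forwarder_domain, ts="AB"):
    """Encode the original envelope sender inside an address at the forwarder's domain.
    ts is a fixed constructed value here; real SRS puts a day counter in this field."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(srs_address):
    """Recover the original sender so that bounces can be routed back to it."""
    marker, tag, ts, domain, local = srs_address.rsplit("@", 1)[0].split("=", 4)
    if marker != "SRS0" or not hmac.compare_digest(tag, _tag(ts, domain, local)):
        raise ValueError("not a valid SRS0 address from this forwarder")
    return f"{local}@{domain}"

if __name__ == "__main__":
    original = "alice@spf-hardfail-domain.test"   # constructed sender
    rewritten = srs_forward(original, "my-imscp-domain.test")
    print(spf_check(FORWARDER_IP, original), spf_check(FORWARDER_IP, rewritten))
```
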

  • @MuhKuh


    My idea was to use the recipient domain (normal mail account) as sender for forwarded mail, and set the return path to the original sender. You say that SPF tests are made against the return path. Are you sure? I was sure that the tests were made only against the From field.


    http://en.wikipedia.org/wiki/Sender_Policy_Framework

    The sender address is transmitted at the beginning of the SMTP dialog. If the server rejects the sender, the unauthorized client should receive a rejection message, and if that client was a relaying message transfer agent (MTA), a bounce message to the original sending address may be generated. If the server accepts the sender, and subsequently also accepts the recipients and the body of the message, it should insert a Return-Path field in the message header in order to save the sender address. While the address in the Return-Path often matches other originator addresses in the mail header such as From or Sender, this is not necessarily the case, and SPF does not prevent forgery of these other addresses.
