Postfix SRS Only Forwarded Emails

From ivc wiki

As discussed on the GitHub discussions for postsrsd, it is possible to apply the Sender Rewriting Scheme (SRS), which rewrites the Return-Path/MAIL FROM envelope sender, only to emails passing through your server that are destined for an external address, selecting them solely by the destination email address.

For example, an external user@external.org sends an email to user@example.org, which is an alias that forwards to user@gmail.com. The configuration below matches only user@gmail.com and therefore applies SRS only to that email.

/etc/postfix/main.cf:

recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes=envelope_recipient,header_recipient

virtual_alias_maps = hash:/etc/postfix/virtual-alias
transport_maps = hash:/etc/postfix/transport_srs

/etc/postfix/virtual-alias:

user@example.org              user@gmail.com
name@example.org              name@gmail.com

/etc/postfix/transport_srs:

user@gmail.com              smtp:[127.0.0.1]:10027
name@gmail.com              smtp:[127.0.0.1]:10027

/etc/postfix/master.cf:

cleanup-srs   unix  n       -       -       -       0       cleanup
       -o syslog_name=postfix/srs
       -o sender_canonical_maps=hash:/etc/postfix/virtual-alias,tcp:localhost:10001
       -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet    n       -       -       -       -       smtpd
       -o syslog_name=postfix/srs
       # avoid double processing through milters, ex. dkim, dmarc, spamassassin, scanners, etc.
       -o smtpd_milters=
       -o cleanup_service_name=cleanup-srs
       -o smtpd_tls_security_level=none
       -o content_filter=smtp:
       # allow for system users sending email to forwarded alias destinations, ex. when sysuser@example.org sends an email directly to user@gmail.com - note that SRS is not processed then
       -o smtpd_sender_restrictions=permit_mynetworks,reject
       # allow for inbound email, ex. user@external.org sends to destination user@example.org, which alias maps to forward outbound again, ex. user@gmail.com
       -o smtpd_relay_restrictions=permit_mynetworks,reject

Log from a working system where an external user@external.org sends an email to the alias user@example.org, which the mail server forwards to user@gmail.com:

May 11 12:07:13 mail postfix/smtpd[21921]: connect from nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:13 mail postfix/smtpd[21921]: Anonymous TLS connection established from nmsh5.e.xyz.com[198.123.160.199]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 11 12:07:13 mail policyd-spf[21927]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.123.160.199; helo=nmsh5.e.xyz.com; envelope-from=user@external.org; receiver=user@example.org
May 11 12:07:13 mail postfix/smtpd[21921]: F3D8914CDE4: client=nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:14 mail postfix/cleanup[21929]: F3D8914CDE4: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:14 mail opendmarc[24151]: F3D8914CDE4: external.org none
May 11 12:07:14 mail postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:14 mail postfix/smtpd[21921]: disconnect from nmsh5.e.xyz.com[198.123.160.199] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 11 12:07:14 mail postfix/srs/smtpd[21933]: connect from localhost[127.0.0.1]
May 11 12:07:14 mail opendmarc[24151]: ignoring connection from localhost
May 11 12:07:14 mail policyd-spf[21935]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=mail.example.org; envelope-from=user@external.org; receiver=user@gmail.com
May 11 12:07:14 mail postfix/srs/smtpd[21933]: E492A14CE00: client=localhost[127.0.0.1]
May 11 12:07:14 mail postsrsd[21938]: srs_forward: <user@external.org> rewritten as <SRS0=rRYH=VT=external.org=user@example.org>
May 11 12:07:14 mail postsrsd[21938]: srs_forward: <SRS0=rRYH=VT=external.org=user@example.org> not rewritten: Valid SRS address for <user@external.org>
May 11 12:07:14 mail postfix/srs/cleanup[21937]: E492A14CE00: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/srs/smtpd[21933]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 11 12:07:15 mail postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
May 11 12:07:15 mail postfix/qmgr[21914]: F3D8914CDE4: removed
May 11 12:07:15 mail postfix/smtp[21932]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.131.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May 11 12:07:15 mail postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK  1652263635 h15-20020ac24daf000000b004722c9f58d6si1447690lfe.448 - gsmtp)
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: removed
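An added check (not from the wiki page or from postsrsd) that parses the log above and confirms the rewrite happened only on the message routed through the 127.0.0.1:10027 listener, and that the resulting SRS0 address encodes the original sender and the alias domain. The sample log lines are constructed from the log above; SRS_RELAY is assumed to be the relay string Postfix logs for that master.cf listener.

```python
import re
# Constructed sample: the qmgr/smtp lines from the log above for the inbound
# message F3D8914CDE4 and its SRS re-injection E492A14CE00.
SAMPLE_LOG = """\
May 11 12:07:14 mail postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
May 11 12:07:15 mail postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1652263635 - gsmtp)
"""
SRS_RELAY = "127.0.0.1[127.0.0.1]:10027"  # assumed relay string logged for the master.cf listener
QID_RE = re.compile(r"postfix/\S+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
FIELD_RE = re.compile(r"\b(?P<key>from|to|orig_to|relay)=<?(?P<val>[^>,\s]+)>?")
QUEUED_RE = re.compile(r"queued as (?P<next>[0-9A-F]+)")
# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarding domain>
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=([^@]+)@([^@]+)$")

def parse_srs0(addr):
    """Return (hash, timestamp, orig_domain, orig_local, fwd_domain), or None if not SRS0."""
    m = SRS0_RE.match(addr)
    return m.groups() if m else None

def parse_log(text):
    """Collect from/to/orig_to/relay and the re-injected queue ID per Postfix queue ID."""
    msgs = {}
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {})
        rec.update({f["key"]: f["val"] for f in FIELD_RE.finditer(m["rest"])})
        q = QUEUED_RE.search(m["rest"])
        if q:
            rec["next"] = q["next"]
    return msgs

def audit_srs(text):
    """List problems; empty means every SRS-routed message was re-injected with a matching SRS0 sender."""
    msgs, problems = parse_log(text), []
    for qid, rec in msgs.items():
        if rec.get("relay") != SRS_RELAY:
            continue  # delivered directly, not forwarded: no SRS rewrite expected
        nxt = msgs.get(rec.get("next"), {})
        srs = parse_srs0(nxt.get("from", ""))
        orig_local, _, orig_domain = rec.get("from", "").partition("@")
        fwd_domain = rec.get("orig_to", "").partition("@")[2]
        if srs is None:
            problems.append(f"{qid}: re-injected sender {nxt.get('from')!r} is not SRS0")
        elif srs[2:] != (orig_domain, orig_local, fwd_domain):
            problems.append(f"{qid}: SRS0 fields do not match original sender/alias domain")
    return problems
```

Run it over a day's mail.log to spot forwarded messages whose sender was not rewritten (or rewritten with the wrong alias domain), which is exactly the case that breaks SPF at the final destination.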

Remember to hash the tables:

postmap /etc/postfix/transport_srs
postmap /etc/postfix/virtual-alias

And add a firewall exception for port tcp/10027 on localhost