Difference between revisions of "Postfix SRS Only Forwarded Emails"
From ivc wiki
Latest revision as of 13:54, 11 May 2022
As discussed on [https://github.com/roehling/postsrsd/discussions/76 github discussions] for [https://github.com/roehling/postsrsd/ postsrsd], it is possible to perform Sender Rewriting Scheme (SRS) rewriting of the envelope sender (Return-Path / SMTP MAIL FROM) only on emails passing through your server that are destined for an external address, selected solely by the destination email address.
For example, an external sender user@external.org sends an email to user@example.org, which is an alias that forwards to user@gmail.com. The configuration below matches only the forward destination user@gmail.com, so only that forwarded email is SRS-processed.
/etc/postfix/main.cf:
 recipient_canonical_maps=tcp:localhost:10002
 recipient_canonical_classes=envelope_recipient,header_recipient
 virtual_alias_maps = hash:/etc/postfix/virtual-alias
 transport_maps = hash:/etc/postfix/transport_srs
/etc/postfix/virtual-alias:
 user@example.org user@gmail.com
 name@example.org name@gmail.com
/etc/postfix/transport_srs:
 user@gmail.com smtp:[127.0.0.1]:10027
 name@gmail.com smtp:[127.0.0.1]:10027
/etc/postfix/master.cf:
 cleanup-srs unix n - - - 0 cleanup
   -o syslog_name=postfix/srs
   -o sender_canonical_maps=hash:/etc/postfix/virtual-alias,tcp:localhost:10001
   -o sender_canonical_classes=envelope_sender
 127.0.0.1:10027 inet n - - - - smtpd
   -o syslog_name=postfix/srs
   # avoid double processing through milters, ex. dkim, dmarc, spamassassin, scanners, etc.
   -o smtpd_milters=
   -o cleanup_service_name=cleanup-srs
   -o smtpd_tls_security_level=none
   -o content_filter=smtp:
   # allow for system users sending email to forwarded alias destinations, ex. when sysuser@example.org sends an email directly to user@gmail.com - note that SRS is not processed then
   -o smtpd_sender_restrictions=permit_mynetworks,reject
   # allow for inbound email, ex. user@external.org sends to destination user@example.org, which alias maps to forward outbound again, ex. user@gmail.com
   -o smtpd_relay_restrictions=permit_mynetworks,reject
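The setup above only applies SRS to a forwarded message if the forward destination in virtual-alias also has a matching entry in transport_srs; a forward target that is missing from transport_srs is delivered straight out with the original external envelope sender and will fail SPF at the receiving side. The following script is an added example (it is not part of this wiki page or of postsrsd) that cross-checks the two tables and can render a transport_srs table covering every external forward target. It assumes the same full-address table keys the page uses, and the table contents, the local domain list and the extra aliases in it are constructed for the example.

```python
"""Cross-check virtual-alias against transport_srs for selective SRS routing.

Added example, not from the wiki page or from postsrsd. Assumes the layout the
page describes: virtual_alias_maps forwards local addresses to external ones,
and transport_maps must route each external forward target to the SRS smtpd on
127.0.0.1:10027. Only full-address keys are handled, as in the page's tables.
"""

# Domains hosted by this server (constructed assumption for the example).
LOCAL_DOMAINS = {"example.org"}
# Transport used by the page's master.cf for the SRS smtpd.
SRS_TRANSPORT = "smtp:[127.0.0.1]:10027"

# Constructed tables in postmap "key value" form. The last alias forwards to a
# destination that is deliberately absent from transport_srs.
VIRTUAL_ALIAS = """\
# local address      forward destination
user@example.org     user@gmail.com
name@example.org     name@gmail.com
team@example.org     user@gmail.com, ops@example.org
old@example.org      old@externalmail.test
"""

TRANSPORT_SRS = """\
user@gmail.com   smtp:[127.0.0.1]:10027
name@gmail.com   smtp:[127.0.0.1]:10027
"""


def parse_table(text):
    """Parse a postmap text table into {key: [values]}; comments and blanks are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {line!r}")
        key, value = parts
        table[key.lower()] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return table


def external_forward_targets(aliases, local_domains):
    """Alias destinations whose domain is not hosted locally (these leave the server)."""
    targets = set()
    for dests in aliases.values():
        for addr in dests:
            if addr.rpartition("@")[2] not in local_domains:
                targets.add(addr)
    return targets


def missing_srs_routes(virtual_alias_text, transport_text, local_domains=LOCAL_DOMAINS):
    """Forward targets that transport_srs does not send through the SRS smtpd."""
    aliases = parse_table(virtual_alias_text)
    transport = parse_table(transport_text)
    routed = {k for k, v in transport.items() if v and v[0] == SRS_TRANSPORT.lower()}
    return sorted(external_forward_targets(aliases, local_domains) - routed)


def generate_transport_srs(virtual_alias_text, local_domains=LOCAL_DOMAINS):
    """Render a transport_srs table that covers every external forward target."""
    targets = external_forward_targets(parse_table(virtual_alias_text), local_domains)
    return "".join(f"{addr} {SRS_TRANSPORT}\n" for addr in sorted(targets))


if __name__ == "__main__":
    for addr in missing_srs_routes(VIRTUAL_ALIAS, TRANSPORT_SRS):
        print(f"no SRS route for forward target {addr}")
    print(generate_transport_srs(VIRTUAL_ALIAS), end="")
```

Run it against the real files by reading them in place of the constructed strings, then feed the generated table to postmap as the page describes; domain-level transport entries, which the page does not use, would need a separate lookup step.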
Log from a working system where an external user@external.org sends an email to the alias user@example.org, which the mail server forwards to user@gmail.com:
 May 11 12:07:13 mail postfix/smtpd[21921]: connect from nmsh5.e.xyz.com[198.123.160.199]
 May 11 12:07:13 mail postfix/smtpd[21921]: Anonymous TLS connection established from nmsh5.e.xyz.com[198.123.160.199]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 May 11 12:07:13 mail policyd-spf[21927]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.123.160.199; helo=nmsh5.e.xyz.com; envelope-from=user@external.org; receiver=user@example.org
 May 11 12:07:13 mail postfix/smtpd[21921]: F3D8914CDE4: client=nmsh5.e.xyz.com[198.123.160.199]
 May 11 12:07:14 mail postfix/cleanup[21929]: F3D8914CDE4: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
 May 11 12:07:14 mail opendmarc[24151]: F3D8914CDE4: external.org none
 May 11 12:07:14 mail postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
 May 11 12:07:14 mail postfix/smtpd[21921]: disconnect from nmsh5.e.xyz.com[198.123.160.199] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
 May 11 12:07:14 mail postfix/srs/smtpd[21933]: connect from localhost[127.0.0.1]
 May 11 12:07:14 mail opendmarc[24151]: ignoring connection from localhost
 May 11 12:07:14 mail policyd-spf[21935]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=mail.example.org; envelope-from=user@external.org; receiver=user@gmail.com
 May 11 12:07:14 mail postfix/srs/smtpd[21933]: E492A14CE00: client=localhost[127.0.0.1]
 May 11 12:07:14 mail postsrsd[21938]: srs_forward: <user@external.org> rewritten as <SRS0=rRYH=VT=external.org=user@example.org>
 May 11 12:07:14 mail postsrsd[21938]: srs_forward: <SRS0=rRYH=VT=external.org=user@example.org> not rewritten: Valid SRS address for <user@external.org>
 May 11 12:07:14 mail postfix/srs/cleanup[21937]: E492A14CE00: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
 May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
 May 11 12:07:15 mail postfix/srs/smtpd[21933]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
 May 11 12:07:15 mail postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
 May 11 12:07:15 mail postfix/qmgr[21914]: F3D8914CDE4: removed
 May 11 12:07:15 mail postfix/smtp[21932]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.131.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
 May 11 12:07:15 mail postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1652263635 h15-20020ac24daf000000b004722c9f58d6si1447690lfe.448 - gsmtp)
 May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: removed
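The log shows the pattern to verify: the original message (queue ID F3D8914CDE4) is relayed to 127.0.0.1:10027 and re-queued as E492A14CE00, whose envelope sender is an SRS0 address that encodes user@external.org. The script below is an added example (not part of this wiki page or of postsrsd) that audits mail logs for exactly that: for every delivery into the SRS smtpd it follows the "queued as" ID and checks that the re-queued copy left with an SRS0 sender encoding the original. The log text is constructed after the page's log with one extra, constructed case (queue IDs AAAA00000C1 and BBBB00000C2) in which the forwarded copy leaves unrewritten, and the SRS0 field layout it parses (SRS0=hash=timestamp=original-domain=original-local@forwarder) is the one visible in the page's postsrsd lines.

```python
"""Audit Postfix logs: did every message handed to the SRS smtpd leave SRS-rewritten?

Added example, not from the wiki page or from postsrsd. It only looks at the
qmgr "from=<...>" lines and the smtp "status=sent" lines, matching the port of
the SRS smtpd from the page's master.cf.
"""
import re

SRS_PORT = "10027"  # port of the SRS smtpd in the page's master.cf

# Constructed log excerpt: the first four lines follow the page's log, the rest
# is a constructed failure case where the re-queued copy keeps its original sender.
LOG = """\
May 11 12:07:14 mail postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
May 11 12:07:15 mail postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1652263635 - gsmtp)
May 11 12:09:01 mail postfix/qmgr[21914]: AAAA00000C1: from=<other@external.org>, size=1300, nrcpt=1 (queue active)
May 11 12:09:01 mail postfix/qmgr[21914]: BBBB00000C2: from=<other@external.org>, size=1900, nrcpt=1 (queue active)
May 11 12:09:02 mail postfix/smtp[21932]: AAAA00000C1: to=<name@gmail.com>, orig_to=<name@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.0, delays=0.5/0.01/0.02/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBBB00000C2)
May 11 12:09:02 mail postfix/smtp[21932]: BBBB00000C2: to=<name@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.0, delays=0.4/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1652263742 - gsmtp)
"""

QMGR_FROM = re.compile(r" postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_SENT = re.compile(
    r" postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r"(?: orig_to=<[^>]*>,)? relay=(?P<relay>\S+), .*status=sent \((?P<reply>[^)]*)\)"
)
QUEUED_AS = re.compile(r"queued as (?P<qid>[0-9A-F]+)")
# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarding domain>
SRS0 = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<fwd>.+)$",
    re.IGNORECASE,
)


def decode_srs0(address):
    """Split an SRS0 address into its fields, or return None if it is not SRS0."""
    m = SRS0.match(address)
    if not m:
        return None
    return {
        "hash": m["hash"],
        "timestamp": m["ts"],
        "original": f"{m['local']}@{m['domain']}",
        "forwarder": m["fwd"],
    }


def audit_forwarding(log_text):
    """Return (re-queued ID, verdict) for every delivery that went through the SRS smtpd."""
    senders = {}   # queue ID -> envelope sender, from qmgr lines
    relayed = {}   # queue ID -> [(recipient, relay, server reply)], from smtp lines
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = SMTP_SENT.search(line)
        if m:
            relayed.setdefault(m["qid"], []).append((m["rcpt"], m["relay"], m["reply"]))

    findings = []
    for qid, hops in relayed.items():
        for _rcpt, relay, reply in hops:
            if not relay.endswith(":" + SRS_PORT):
                continue  # normal outbound delivery, not a hop into the SRS smtpd
            q = QUEUED_AS.search(reply)
            if not q:
                findings.append((qid, "handed to SRS smtpd but reply carries no queue ID"))
                continue
            new_qid = q["qid"]
            original = senders.get(qid, "")
            rewritten = senders.get(new_qid, "")
            srs = decode_srs0(rewritten)
            if srs is None:
                findings.append((new_qid, f"left with unrewritten sender <{rewritten}>"))
            elif srs["original"].lower() != original.lower():
                findings.append((new_qid, "SRS address does not encode the original sender"))
            else:
                findings.append((new_qid, f"ok: <{original}> rewritten via {srs['forwarder']}"))
    return findings


if __name__ == "__main__":
    for qid, verdict in audit_forwarding(LOG):
        print(f"{qid}: {verdict}")
```

An "unrewritten" finding means a message reached the SRS smtpd but its cleanup did not rewrite the sender, which on the page's setup points at the sender_canonical_maps lookup (virtual-alias, then postsrsd on tcp:localhost:10001) not matching, or at postsrsd not answering. The hash field is not verified here, since that needs the postsrsd secret.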
Remember to hash the tables:
 postmap /etc/postfix/transport_srs
 postmap /etc/postfix/virtual-alias
And add a firewall exception for port tcp/10027 on localhost