Postfix SRS Only Forwarded Emails

From ivc wiki
Revision as of 13:20, 11 May 2022 by Ivc

As discussed in the GitHub Discussions for postsrsd, it is possible to apply the Sender Rewriting Scheme (SRS) only to emails that pass through your server on their way to an external address, based solely on the destination email address. For example, if user@example.org forwards to user@gmail.com, only the email going to user@gmail.com is matched and SRS-processed.

/etc/postfix/main.cf:

recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes=envelope_recipient,header_recipient

virtual_alias_maps = hash:/etc/postfix/virtual-alias
transport_maps = hash:/etc/postfix/transport_srs

/etc/postfix/virtual-alias:

user@example.org              user@gmail.com
name@example.org              name@gmail.com

/etc/postfix/transport_srs:

user@gmail.com              smtp:[127.0.0.1]:10027
name@gmail.com              smtp:[127.0.0.1]:10027

/etc/postfix/master.cf:

cleanup-srs   unix  n       -       -       -       0       cleanup
       -o sender_canonical_maps=hash:/etc/postfix/virtual-alias,tcp:localhost:10001
       -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet    n       -       -       -       -       smtpd
       -o cleanup_service_name=cleanup-srs
       -o smtpd_tls_security_level=none
       -o content_filter=smtp:
       # allow for system users sending email to forwarded alias destinations, ex. user@gmail.com etc
       -o smtpd_sender_restrictions=permit_mynetworks,reject
       # allow for inbound email, ex. user@example.org, which alias maps it to forward/relay outbound again, ex. user@gmail.com etc
       -o smtpd_relay_restrictions=permit_mynetworks,reject

Log from working system:

May 11 12:07:13 elitus postfix/smtpd[21921]: connect from nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:13 elitus postfix/smtpd[21921]: Anonymous TLS connection established from nmsh5.e.xyz.com[198.123.160.199]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 11 12:07:13 elitus policyd-spf[21927]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.123.160.199; helo=nmsh5.e.xyz.com; envelope-from=user@external.org; receiver=user@example.org
May 11 12:07:13 elitus postfix/smtpd[21921]: F3D8914CDE4: client=nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:14 elitus postfix/cleanup[21929]: F3D8914CDE4: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:14 elitus opendmarc[24151]: F3D8914CDE4: external.org none
May 11 12:07:14 elitus postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:14 elitus postfix/smtpd[21921]: disconnect from nmsh5.e.xyz.com[198.123.160.199] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 11 12:07:14 elitus postfix/smtpd[21933]: connect from localhost[127.0.0.1]
May 11 12:07:14 elitus opendmarc[24151]: ignoring connection from localhost
May 11 12:07:14 elitus policyd-spf[21935]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=elitus.x-pec.com; envelope-from=user@external.org; receiver=user@gmail.com
May 11 12:07:14 elitus postfix/smtpd[21933]: E492A14CE00: client=localhost[127.0.0.1]
May 11 12:07:14 elitus postsrsd[21938]: srs_forward: <user@external.org> rewritten as <SRS0=rRYH=VT=external.org=user@x-pec.com>
May 11 12:07:14 elitus postsrsd[21938]: srs_forward: <SRS0=rRYH=VT=external.org=user@x-pec.com> not rewritten: Valid SRS address for <user@external.org>
May 11 12:07:14 elitus postfix/cleanup[21937]: E492A14CE00: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:15 elitus postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@x-pec.com>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 elitus postfix/smtpd[21933]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 11 12:07:15 elitus postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
May 11 12:07:15 elitus postfix/qmgr[21914]: F3D8914CDE4: removed
May 11 12:07:15 elitus postfix/smtp[21932]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.131.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May 11 12:07:15 elitus postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK  1652263635 h15-20020ac24daf000000b004722c9f58d6si1447690lfe.448 - gsmtp)
May 11 12:07:15 elitus postfix/qmgr[21914]: E492A14CE00: removed
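
A way to audit logs like the one above, as an added example (not part of the original wiki page): it pairs each alias-expanded delivery (one carrying orig_to=) with the message re-queued by the port 10027 listener and checks that the re-queued envelope sender is an SRS address. The function name, verdict labels and sample log lines are constructed for illustration; the sample's last two lines model a forward whose destination has no transport_srs entry.

```python
import re

# Constructed sample modeled on the log format above (hosts, queue IDs and
# addresses are made up). The last two lines are a constructed failure case.
SAMPLE_LOG = """\
May 11 12:07:14 mx postfix/qmgr[100]: AAAA11111: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:15 mx postfix/qmgr[100]: BBBB22222: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 mx postfix/smtp[101]: AAAA11111: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBBB22222)
May 11 12:07:15 mx postfix/smtp[101]: BBBB22222: to=<user@gmail.com>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 11 12:09:00 mx postfix/qmgr[100]: CCCC33333: from=<bob@external.org>, size=900, nrcpt=1 (queue active)
May 11 12:09:01 mx postfix/smtp[101]: CCCC33333: to=<name@gmail.com>, orig_to=<name@example.org>, relay=mx.example.net[192.0.2.10]:25, delay=1.0, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# "postfix/<service>[pid]: <queue id>: <key=value, ...>"
LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
FIELD = re.compile(r"(\w+)=<?([^>,\s]*)>?")

def audit_forwards(log_text, srs_port=10027):
    """Return (orig_to, to, verdict) for every alias-expanded smtp delivery."""
    senders, forwards = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        kv = dict(FIELD.findall(m["rest"]))
        if m["svc"] == "qmgr" and "from" in kv:
            senders[m["qid"]] = kv["from"]          # envelope sender per queue ID
        elif m["svc"] == "smtp" and kv.get("status") == "sent" and "orig_to" in kv:
            child = re.search(r"queued as (\w+)", m["rest"])
            forwards.append((kv, child.group(1) if child else None))
    results = []
    for kv, child in forwards:
        if kv["relay"].endswith(f":{srs_port}"):
            # Handed to the SRS listener: the re-queued copy must carry an SRS sender.
            ok = senders.get(child, "").startswith(("SRS0=", "SRS1="))
            verdict = "srs-ok" if ok else "srs-missing"
        else:
            # Forwarded straight to a remote relay without passing the SRS listener.
            verdict = "bypassed-srs"
        results.append((kv["orig_to"], kv["to"], verdict))
    return results

if __name__ == "__main__":
    for row in audit_forwards(SAMPLE_LOG):
        print(*row)
```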