Postfix SRS Only Forwarded Emails

From ivc wiki
Revision as of 13:39, 11 May 2022 by Ivc (talk | contribs)
Jump to navigationJump to search

As discussed on github discussions for postsrsd, it is possible to only perform Sender Rewriting Scheme (SRS) to correct the Return-path/Mail from headers on emails passing through your server destined for an external address, based solely on the destination email address.

Ex. an external user@external.org sends an email to user@example.org which is an alias that forwards to user@gmail.com. The below configuration only matches user@gmail.com and will SRS process only that email.

/etc/postfix/main.cf:

recipient_canonical_maps=tcp:localhost:10002
recipient_canonical_classes=envelope_recipient,header_recipient

virtual_alias_maps = hash:/etc/postfix/virtual-alias
transport_maps = hash:/etc/postfix/transport_srs
/etc/postfix/virtual-alias:

user@example.org              user@gmail.com
name@example.org              name@gmail.com
/etc/postfic/transport_srs:

user@gmail.com              smtp:[127.0.0.1]:10027
name@gmail.com              smtp:[127.0.0.1]:10027
/etc/postfix/master.cf:

cleanup-srs   unix  n       -       -       -       0       cleanup
       -o syslog_name=postfix/srs
       -o sender_canonical_maps=hash:/etc/postfix/virtual-alias,tcp:localhost:10001
       -o sender_canonical_classes=envelope_sender

127.0.0.1:10027 inet    n       -       -       -       -       smtpd
       -o syslog_name=postfix/srs
       -o cleanup_service_name=cleanup-srs
       -o smtpd_tls_security_level=none
       -o content_filter=smtp:
       # allow for system users sending email to forwarded alias destinations, ex. when sysuser@example.org sends an email directly to user@gmail.com - note that SRS is not processed then
       -o smtpd_sender_restrictions=permit_mynetworks,reject
       # allow for inbound email, ex. user@external.org sends to destination user@example.org, which alias maps to forward outbound again, ex. user@gmail.com
       -o smtpd_relay_restrictions=permit_mynetworks,reject

Log from working system:

Sending an email from en external user@external.org to the email alias user@example.org, which the mail server forwards to user@gmail.com

May 11 12:07:13 mail postfix/smtpd[21921]: connect from nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:13 mail postfix/smtpd[21921]: Anonymous TLS connection established from nmsh5.e.xyz.com[198.123.160.199]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 11 12:07:13 mail policyd-spf[21927]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.123.160.199; helo=nmsh5.e.xyz.com; envelope-from=user@external.org; receiver=user@example.org
May 11 12:07:13 mail postfix/smtpd[21921]: F3D8914CDE4: client=nmsh5.e.xyz.com[198.123.160.199]
May 11 12:07:14 mail postfix/cleanup[21929]: F3D8914CDE4: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:14 mail opendmarc[24151]: F3D8914CDE4: external.org none
May 11 12:07:14 mail postfix/qmgr[21914]: F3D8914CDE4: from=<user@external.org>, size=1425, nrcpt=1 (queue active)
May 11 12:07:14 mail postfix/smtpd[21921]: disconnect from nmsh5.e.xyz.com[198.123.160.199] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 11 12:07:14 mail postfix/srs/smtpd[21933]: connect from localhost[127.0.0.1]
May 11 12:07:14 mail opendmarc[24151]: ignoring connection from localhost
May 11 12:07:14 mail policyd-spf[21935]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=mail.example.org; envelope-from=user@external.org; receiver=user@gmail.com
May 11 12:07:14 mail postfix/srs/smtpd[21933]: E492A14CE00: client=localhost[127.0.0.1]
May 11 12:07:14 mail postsrsd[21938]: srs_forward: <user@external.org> rewritten as <SRS0=rRYH=VT=external.org=user@example.org>
May 11 12:07:14 mail postsrsd[21938]: srs_forward: <SRS0=rRYH=VT=external.org=user@example.org> not rewritten: Valid SRS address for <user@external.org>
May 11 12:07:14 mail postfix/srs/cleanup[21937]: E492A14CE00: message-id=<28F41311-7768-4CB8-8975-3F92D0A98CD8@external.org>
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: from=<SRS0=rRYH=VT=external.org=user@example.org>, size=2091, nrcpt=1 (queue active)
May 11 12:07:15 mail postfix/srs/smtpd[21933]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 11 12:07:15 mail postfix/smtp[21932]: F3D8914CDE4: to=<user@gmail.com>, orig_to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10027, delay=1.4, delays=0.91/0.01/0.02/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E492A14CE00)
May 11 12:07:15 mail postfix/qmgr[21914]: F3D8914CDE4: removed
May 11 12:07:15 mail postfix/smtp[21932]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.131.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May 11 12:07:15 mail postfix/smtp[21932]: E492A14CE00: to=<user@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.131.27]:25, delay=1.2, delays=0.44/0/0.39/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK  1652263635 h15-20020ac24daf000000b004722c9f58d6si1447690lfe.448 - gsmtp)
May 11 12:07:15 mail postfix/qmgr[21914]: E492A14CE00: removed

Remeber to hash the tables

postmap /etc/postfix/transport_srs
postmap /etc/postfix/virtual-alias

And add a firewall exception for port tcp/10027 on localhost