Postfix – Implementing Sender Rewriting Scheme (SRS) for Forwarding Mail

emailpostfix

Is there any way to perform SRS, or something similar using Postfix?

When I get a mail from user@example.org, I forward it (via a catchall) to something@gmail.com, but GMail is checking SPF, and seeing that my server is not authorized to send mail on behalf of example.org. I'd like to rewrite the sender to something@myserver, while leaving the from as user@example.org.

Best Answer

Here are the steps to install postsrsd from Timo Röhling. These instructions seem to work for many Unix flavors including Ubuntu 14.04.

# Debian/Ubuntu preparations:
sudo apt-get install cmake sysv-rc-conf

# download and compile the software:
cd ~
wget https://github.com/roehling/postsrsd/archive/master.zip
unzip master
cd postsrsd-master/
make
sudo make install

# or alternatively install binary from later Ubuntu repositories
sudo apt-get install postsrsd

# Add postfix configuration parameters for postsrsd:
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient"

# Add SRS daemon to startup (Red Hat 6/CentOS):
sudo chkconfig postsrsd on
# Add SRS daemon to startup (Debian/Ubuntu):
sudo sysv-rc-conf postsrsd on
# Start SRS daemon:
sudo service postsrsd restart
#Reload postfix:
sudo service postfix reload

Related Solutions

Postfix – Sender Verification 550 Error

Yep it's called Sender Verification. The verification was done by geekmatt.com mail server, not yours. And based on the error message, I can conclude that

550-Verification failed for <contact@tomjn.com> 550-The mail server could
not deliver mail to contact@tomjn.com.  The account or domain may not
exist, they may be blacklisted, or missing the proper dns entries. 550
Sender verify failed

was exim standard error message.

BTW, not all sender verification was bad. For the explanation, I will assume that you want send email FROM example.com TO example.net

At basic level, example.net mail server must verify that sender domain was exist. If a mail server rejected your email in this level, then your domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname. In postfix, the equivalent parameter is reject_unknown_sender_domain
At advanced level, mail server will try to check if sender address is exist. Basically, before accepting your email, example.net mail server will try to telnet to your mail server without sending any email. This checks was considered bad because of several reasons.

Now, looks like domain tomjn.com was fail to comply with sender verification at basic level. Here the MX record of tomjn.com

% dig tomjn.com MX +short
1 178.62.28.136.tomjn.com.
% dig 178.62.28.136.tomjn.com

; <<>> DiG 9.9.5 <<>> 178.62.28.136.tomjn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NXDOMAIN,** id: 52812
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;178.62.28.136.tomjn.com.       IN      A

;; AUTHORITY SECTION:
tomjn.com.              1800    IN      SOA     NS1.DIGITALOCEAN.com. hostmaster.tomjn.com. 1410110590 3600 900 1209600 1800

There, your MX record has no valid A record. Thus geekmatt.com reject your email.

The solution: fix your MX record

Linux – Postfix: As a smarthost, how can I limit incoming mail to sender domain and sender IP

This solution was variant from this solution. But first, we will adjust some configuration.

First: Of course you can use combination of mynetworks and permit_mynetworks to allow client relay. The alternative is using check_client_access parameter. So, please remove both IP addresses (192.0.2.2/32, 203.0.113.2/32) from mynetworks.

Second: We will apply restriction one by one. For initial step, we only limit domain and IP address from IP address 192.0.2.2. We can apply restriction class solution here

main.cf

smtpd_restriction_classes =
   firstclient

firstclient =
  check_sender_access hash:/etc/postfix/firstsender
  reject

smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   check_client_access hash:/etc/postfix/myclient
   reject_unauth_destination

/etc/postfix/myclient

192.0.2.2               firstclient

/etc/postfix/firstsender

example.com     OK

Third: apply the similiar solution for second client, so the setup become

main.cf

smtpd_restriction_classes =
   firstclient, secondclient

firstclient =
  check_sender_access hash:/etc/postfix/firstsender
  reject

secondclient = 
  check_sender_access hash:/etc/postfix/secondsender
  reject

smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   check_client_access hash:/etc/postfix/myclient
   reject_unauth_destination

/etc/postfix/myclient

192.0.2.2               firstclient
203.0.113.2             secondclient

/etc/postfix/firstsender

example.com     OK

/etc/postfix/secondsender

example.net     OK

FAQ:

Could you explain how above setup works?

The explanation how it works: Postfix restriction classes official docs

This isn't looks scalable. Can you provide me another solution?

Yes, you can use Postfix SMTP Access Policy Delegation

Hmm, postfix policy server looks good to me. But do I have to implement my own script?

You can use any policy server addon like policyd, postfwd and others.

Best Answer

Related Solutions

Postfix – Sender Verification 550 Error

Linux – Postfix: As a smarthost, how can I limit incoming mail to sender domain and sender IP

FAQ:

Related Topic