Score:3

Forwarding to Gmail account via Postfix: SPF record with a hard fail

cn flag

I run a Postfix server which forwards one address to a gmail address.

# /etc/aliases
localuser: [email protected]

This works since several months. But if a sender has a SPF record with a hard fail, then the forwarding does not work:

  gmail-smtp-in.l.google.com[ said: 550-5.7.26 The
    MAIL FROM domain [example.com] has an SPF record with a hard fail 550-5.7.26
    policy (-all) but it fails to pass SPF checks with the ip: 550-5.7.26
    [...]. To best protect our users from spam and 550-5.7.26
    phishing, the message has been blocked. Please visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for more 550
    5.7.26 information. -
    gsmtp (in reply to end of DATA command)

How can I fix this?

Score:3
au flag

As suggested in the OP's own answer, the solution is to install postsrsd to rewrite the sender's "Return‑Path: " header.

This full example on Debian 11 worked for me:

  • apt install postsrsd
  • Edit /etc/default/postsrsd:
    • Uncomment the line with SRS_EXCLUDE_DOMAINS= and add your domains, separated by space or comma:
      SRS_EXCLUDE_DOMAINS=example.com,.example.com,example.org
  • systemctl restart postsrsd
  • Edit /etc/postfix/main.cf to add
# Use postsrsd to rewrite the Return-Path: header
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
  • postfix reload

The suggested additional install of the "Postfix SRS forwarding agent" Postforward may not be necessary. It wasn't for me. Check it's description to see if you need or want it.

Score:2
cn flag

I found this solution:

I installed postsrsd via apt.

I installed Postfix SRS forwarding agent via compiling localy and copying the binary to /usr/local/bin/postforward.

I changed the file

# /etc/aliases
someuser: "|/usr/local/bin/postforward -path /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [email protected]"

Call newaliases.

Now the email gets the SRS rewriting:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=none (google.com: relayhost.example.com does not designate permitted sender hosts) smtp.mailfrom="[email protected]"
...
Return-Path: <[email protected]>
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.