Score:0

postfix configuration to prevent bounces when relaying to 3rd party (e.g. src -> my@work -> my@gmail)


I have an active mail relay that uses aliases as its main tool. At some point we started to get bounces for some emails.

Source: somerandomsenderdomain.com
Destination: myemaildomain.com

        mailinglist1: [email protected], [email protected]

Actual Target: gmail.com

So a typical email route will look like this:

[email protected] -> [email protected] 
                                   (which should send the content to [email protected])

In this scenario, mails to [email protected] will bounce since they fail SPF and DKIM (I can't control it for the originating domain).

How can this be resolved? This was working in the past and started bouncing, probably due to some hardening of Google mail relays.

example response (redacted):

[email protected]> (expanded from <[email protected]>): host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not pass). SPF check for [somerandomsenderdomain.com] does not pass with ip: 550-5.7.26 [12.34.56.78].To best protect our users from spam, the message 550-5.7.26 has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. j30-20020a170906105e00b008b12a1a900esi4119290ejj.1001 - gsmtp (in reply to end of DATA command) <

Would appreciate any thoughts and ideas.

Thanks.

DrunkMice
One thought I had to resolve this was that Postfix would rewrite the headers and forward to Gmail (this way it is "proxying" and I can control the DKIM / SPF of my server), and that the headers would show the original sender details and reply-to, but the mail would be sent from my server's mail address (similar to mailing lists / Google Groups etc.). If I implement this, I would like it to be only for 3rd-party recipients, so that the organization's users will still see the original headers.
Reinto
Do you know if the bounces only happen when the source sender domain has DMARC in reject policy? Authenticated Received Chain would be the ideal technology to set up. It will prove to the receiving server (Gmail) that your server validated the Authentication-Results header: https://postmarkapp.com/blog/what-is-arc-or-authenticated-received-chain. Rewrite is mostly necessary when the original sender does not implement DKIM signing, or when the forwarding host changes any signed headers.
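
The mailing-list-style From rewrite proposed in DrunkMice's comment, applied only to third-party recipients, as an added example that is not part of the original thread and not a Postfix feature. The relay address, the `X-Original-From` header name and the sample message are assumptions; how the function is hooked into Postfix is left out.

```python
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

# Assumed values, not taken from the thread.
LOCAL_DOMAINS = {"myemaildomain.com"}        # recipients that keep the original headers
RELAY_ADDR = "forwarder@myemaildomain.com"   # hypothetical address in the relay's own domain

# Constructed sample message.
SAMPLE = (
    "From: Alice Example <alice@somerandomsenderdomain.com>\n"
    "To: mailinglist1@myemaildomain.com\n"
    "Subject: quarterly report\n"
    "\n"
    "Body text.\n"
)


def rewrite_for_recipient(raw, env_from, rcpt):
    """Return (envelope_sender, message) to use when forwarding `raw` to `rcpt`."""
    msg = message_from_string(raw, policy=policy.default)
    if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return env_from, msg                 # internal recipient: nothing is changed

    name, addr = parseaddr(str(msg["From"]))
    original = formataddr((name, addr))
    # Replies should still reach the real author, unless the sender set Reply-To.
    if msg["Reply-To"] is None:
        msg["Reply-To"] = original
    msg["X-Original-From"] = original        # hypothetical header, kept for audit

    # From moves into the relay's domain, so DMARC alignment is evaluated
    # against a domain whose SPF record and DKIM key the relay controls.
    # The sender's own DKIM signature no longer verifies once From changes,
    # so the relay has to sign the rewritten message itself.
    display = f"{name or addr} via {RELAY_ADDR.split('@', 1)[1]}"
    del msg["From"]
    msg["From"] = formataddr((display, RELAY_ADDR))

    # Envelope sender in the relay's domain: SPF is checked against the relay's IP.
    return RELAY_ADDR, msg


if __name__ == "__main__":
    for rcpt in ("someone@gmail.com", "colleague@myemaildomain.com"):
        env, out = rewrite_for_recipient(SAMPLE, "alice@somerandomsenderdomain.com", rcpt)
        print(rcpt, "| envelope:", env, "| From:", out["From"], "| Reply-To:", out["Reply-To"])
```

Using the relay address as envelope sender also means bounces from the third party come back to the relay rather than to the original sender.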