Background
Do the emails you forward to Google always end up in spam because of SPF softfail, even though SPF is set up perfectly? This article documents a Postfix solution called SRS. The caveat is that it doesn’t work for all hosts; see the note at the end.
Prerequisites
A Postfix email server
It took me three years to properly solve this problem.
The solution is to use SRS
SRS (Sender Rewriting Scheme) rewrites the envelope sender of a forwarded message so that SPF passes.
Installing SRS on Postfix is super easy. Here are the instructions:
    # Fetch and build postsrsd in a scratch directory
    mkdir /opt/postsrsd
    cd /opt/postsrsd
    apt -y install cmake
    wget https://github.com/roehling/postsrsd/archive/master.zip
    unzip master.zip
    cd postsrsd-master
    make
    make install
    # Send envelope sender rewriting (forward) and recipient rewriting (reverse) through postsrsd
    postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
    postconf -e "sender_canonical_classes = envelope_sender"
    postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
    postconf -e "recipient_canonical_classes = envelope_recipient"
    # Start postsrsd now and on every boot
    systemctl enable postsrsd.service
    service postsrsd restart
    # Remove the build directory
    rm -r /opt/postsrsd
Here is an example of a re-write:
    Dec 18 07:55:25 cp01 postfix/smtpd[3787117]: connect from mail-lf1-f51.google.com[209.85.167.51]
    Dec 18 07:55:27 cp01 postfix/smtpd[3787117]: 1671BB22: client=mail-lf1-f51.google.com[209.85.167.51]
    Dec 18 07:55:27 cp01 postsrsd[3787122]: srs_forward: <[email protected]> rewritten as <[email protected]>
    Dec 18 07:55:27 cp01 postsrsd[3787122]: srs_forward: <[email protected]> not rewritten: Valid SRS address for <[email protected]>
    Dec 18 07:55:27 cp01 postfix/cleanup[3787121]: 1671BB22: message-id=<CAGgNXan92E2Cdq68HraBQdD09dk6jHBggAh9F0jLdow-RpSZCg@mail.gmail.com>
    Dec 18 07:55:27 cp01 postfix/qmgr[3666568]: 1671BB22: from=<[email protected]>, size=3041, nrcpt=1 (queue active)
    Dec 18 07:55:27 cp01 postfix/smtpd[3787117]: disconnect from mail-lf1-f51.google.com[209.85.167.51] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
    Dec 18 07:55:27 cp01 postfix/local[3787124]: 1671BB22: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=0.77, delays=0.05/0.01/0/0.71, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
    Dec 18 07:55:27 cp01 postsrsd[3787122]: srs_forward: <[email protected]> not rewritten: Valid SRS address for <[email protected]>
    Dec 18 07:55:27 cp01 postfix/cleanup[3787121]: 21DA74D13: message-id=<CAGgNXan92E2Cdq68HraBQdD09dk6jHBggAh9F0jLdow-RpSZCg@mail.gmail.com>
    Dec 18 07:55:27 cp01 postfix/local[3787124]: 1671BB22: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=0.79, delays=0.05/0.01/0/0.73, dsn=2.0.0, status=sent (forwarded as 21DA74D13)
    Dec 18 07:55:27 cp01 postfix/qmgr[3666568]: 21DA74D13: from=<[email protected]>, size=3188, nrcpt=1 (queue active)
    Dec 18 07:55:27 cp01 postfix/qmgr[3666568]: 1671BB22: removed
    Dec 18 07:55:29 cp01 postfix/smtp[3787149]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c0b::1a]:25: Network is unreachable
    Dec 18 07:55:31 cp01 postfix/smtp[3787149]: 21DA74D13: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.184.27]:25, delay=4.2, delays=0.73/0.02/2.8/0.59, dsn=2.0.0, status=sent (250 2.0.0 OK 1639806931 k15si6912904wrc.161 - gsmtp)
    Dec 18 07:55:31 cp01 postfix/qmgr[3666568]: 21DA74D13: removed
Caveat
Unfortunately, this solution doesn’t work for all hosts. A notable exception is Afrihost, a South African-based internet and hosting provider. Afrihost’s spam filter, Ucebox, does not understand the rewrite and reports this:
<[email protected]>: host mx304857050.spe.ucebox.co.za[197.242.159.57] said: 550 Sender (net) has no A, AAAA, or MX DNS records. (in reply to RCPT TO command)
Upon closer examination one can see this:
    Dec 29 06:36:46 example postfix/qmgr[1770251]: 7847CBEAD3: from=<SRS0=B6FM=RO=example.co.za=test2@net>, size=398, nrcpt=1 (queue active)
    Dec 29 06:36:46 example postfix/smtpd[1785566]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Dec 29 06:36:47 example postfix/smtp[1785573]: 7847CBEAD3: to=<[email protected]>, relay=mx304857050.spe.ucebox.co.za[197.242.159.25]:25, delay=0.81, delays=0.02/0.02/0.58/0.19, dsn=5.0.0, status=bounced (host mx304857050.spe.ucebox.co.za[197.242.159.25] said: 550 Sender (net) has no A, AAAA, or MX DNS records. (in reply to RCPT TO command))
As you can see, Ucebox doesn’t understand the rewrite. So far our only solution is to turn off SRS, but if we can find a way of just enabling it for @gmail. that would be a great start.
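To see exactly what a receiver is given to validate, the sketch below (an added example, not part of the original article or of postsrsd) splits each SRS0 envelope sender found in Postfix qmgr lines into its hash, timestamp, original address and the domain postsrsd appended, and flags an appended domain that is not a full domain name. The function names, the second sample log line and the assumed year (2021) are constructed for illustration; the first sample line is the qmgr entry quoted above.

```python
import re
from datetime import date

# Base32 alphabet of the two-character SRS timestamp (days since epoch mod 1024).
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS0 = re.compile(r"^SRS0[=+-]([^=]+)=([A-Z2-7]{2})=([^=]+)=(.+)@([^@]+)$", re.I)
FROM = re.compile(r"from=<([^>]*)>")

# First line: the qmgr entry quoted in this article. Second line: constructed.
SAMPLE_LOG = [
    "Dec 29 06:36:46 example postfix/qmgr[1770251]: 7847CBEAD3: "
    "from=<SRS0=B6FM=RO=example.co.za=test2@net>, size=398, nrcpt=1 (queue active)",
    "Dec 29 06:40:02 example postfix/qmgr[1770251]: 8A31CBEAD4: "
    "from=<SRS0=Xk2q=RN=example.org=alice@forwarder.example>, size=512, nrcpt=1 (queue active)",
]

def parse_srs0(addr):
    """Split an SRS0 envelope sender into its fields; None if it is not SRS0."""
    m = SRS0.match(addr)
    if not m:
        return None
    tag, stamp, orig_domain, orig_local, srs_domain = m.groups()
    return {"hash": tag, "stamp": stamp.upper(),
            "original": f"{orig_local}@{orig_domain}",
            "srs_domain": srs_domain.lower()}

def stamp_age_days(stamp, today):
    """Days between the timestamp's day slot and `today`, modulo 1024."""
    slot = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    return ((today - date(1970, 1, 1)).days - slot) % 1024

def audit(log_lines, today):
    """Return one finding per SRS0 sender seen in 'from=<...>' log entries."""
    findings = []
    for line in log_lines:
        m = FROM.search(line)
        fields = parse_srs0(m.group(1)) if m else None
        if fields is None:
            continue
        fields["age_days"] = stamp_age_days(fields["stamp"], today)
        # A receiver can only look up MX/A records for a real domain name.
        fields["srs_domain_is_fqdn"] = "." in fields["srs_domain"].strip(".")
        findings.append(fields)
    return findings

if __name__ == "__main__":
    # Assumption: the excerpt dates from 2021 (the log lines carry no year).
    for finding in audit(SAMPLE_LOG, date(2021, 12, 29)):
        print(finding)
```

For the article's bounced message the appended domain comes out as `net` with `srs_domain_is_fqdn` false, which is the same domain the 550 response says has no A, AAAA, or MX DNS records.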