Greg Sims via Postfix-users:
> On Wed, May 29, 2024 at 2:52 PM Wietse Venema via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> > Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org,
> > so any way to get double-bou...@raystedman.org should help.
> >
> > You have to be careful about mailer loops, though.
> >
> > Postfix gives special treatment to <> and <double-bounce@$myhostname>
> > to avoid an infinite loop of notifications for failed notifications.
>
> Please note mail01 receives email from our private network Only. This
> email is created by our servers.
> mail01 does not receive email from the Internet. All of our MX records
> point to Google.
> If we can get the double-bounce to Google, there seems to be little
> chance of a mailer loop.

I may have a different solution below. First the worse news:

Suppose that delivery of the double-bounce to Google fails. Postfix
will then try to notify the envelope sender address. If we're not
careful, that can result in a non-delivery notification loop.

I just checked the implementation. The Postfix bounce daemon handles
failed double bounces by not generating a non-delivery notification
(i.e. it ignores a failed double bounce). But it ignores them only
when the sender address was $double_bounce_sender@$myhostname.

Otherwise, this special handling won't work, and the Postfix bounce
daemon will generate a new notification, and the process may repeat
over and over.

The better news is that unlike (sender_)canonical_maps, the
smtp_generic_maps feature does not change the (double bounce) sender
address that Postfix uses internally. This feature changes only
what is sent in SMTP commands.

So, get rid of my (sender_)canonical mapping, and update master.cf:

master.cf:
    special-smtp-client . .. .. .. .. .. .. smtp
        -o { notify_classes = bounce, ... }
        -o { smtp_generic_maps = inline:{
            { double-bou...@hostname.raystedman.org = double-bou...@raystedman.org } } }

Thus, the sending Postfix will ignore a failed notification from
double-bou...@hostname.raystedman.org as intended, and the receiving
Google server will see SMTP commands with double-bou...@raystedman.org
which are good for SPF and DKIM.

If you need to DKIM sign bounces, and you are using non_smtpd_milters
to do that, then you may have to specify:

main.cf:
    internal_mail_filter_classes = bounce

See https://www.postfix.org/postconf.5.html#internal_mail_filter_classes

> We have two DMARC/DKIM/SPF setups:
> (1) email with domain raystedman.org is relayed through Google.
> This is our transactional email (subscription double opt-in and the
> like).
> (2) email with domain devotion.raystedman.org is sent directly onto
> the Internet.
>
> I am reluctant to create a third DMARC/DKIM/SPF for the double-bounce
> case which is now using domain mail01.raystedman.org.
>
> I created a SPF record for mail01.raystedman.org -- for tonight. This
> should be enough to get DMARC to pass when the double-bounce email is
> received by Google -- at least this is the hope. I will work on this
> again Thursday.

I think it's a bad idea to send your double bounces to a different
site. The Postfix design really wants to handle them locally.

        Wietse
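
Added example, not part of the original message and not Postfix code: a simplified Python model of the rule described in the reply above, comparing a rewrite of the internal sender (canonical mapping) with a rewrite of only the SMTP-level address (smtp_generic_maps). The hostnames are constructed placeholders, and the model assumes every delivery fails and that a failed null-sender bounce is reported as a double bounce.

```python
"""Toy model of the double-bounce loop guard described in the message."""

MYHOSTNAME = "mail01.example.org"               # constructed stand-in for $myhostname
PUBLIC_DOMAIN = "example.org"                   # constructed SPF/DKIM-aligned domain
DOUBLE_BOUNCE = f"double-bounce@{MYHOSTNAME}"   # $double_bounce_sender@$myhostname
PUBLIC_ALIAS = f"double-bounce@{PUBLIC_DOMAIN}"


def on_failed_delivery(internal_sender):
    """Return the internal sender of the next notification, or None to stop."""
    if internal_sender == DOUBLE_BOUNCE:
        return None            # failed double bounce: ignored, the chain ends
    if internal_sender == "<>":
        return DOUBLE_BOUNCE   # failed bounce: reported as a double bounce (assumed)
    return "<>"                # any other sender looks like ordinary mail: bounce it


def simulate(rewrite, limit=20):
    """Follow one double bounce while every delivery attempt fails.

    rewrite="canonical": the internal (queue) sender itself is replaced.
    rewrite="generic":   only the address sent in SMTP commands is replaced.
    Returns (notifications_generated, addresses_seen_in_smtp_commands).
    """
    sender, generated, on_wire = DOUBLE_BOUNCE, 0, []
    while sender is not None and generated < limit:
        if rewrite == "canonical" and sender == DOUBLE_BOUNCE:
            sender = PUBLIC_ALIAS          # the loop guard no longer matches
        # Both rewrites present the same public address to the remote server.
        wire = PUBLIC_ALIAS if sender in (DOUBLE_BOUNCE, PUBLIC_ALIAS) else sender
        on_wire.append(wire)
        sender = on_failed_delivery(sender)
        if sender is not None:
            generated += 1
    return generated, on_wire


if __name__ == "__main__":
    for mode in ("canonical", "generic"):
        count, wire = simulate(mode)
        print(f"{mode:9s} new notifications: {count:2d}  first MAIL FROM: {wire[0]}")
```

In this model both rewrites put the same address on the wire, but only the generic rewrite leaves the internal sender equal to the address the loop guard tests, so the chain stops instead of running until the cap.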