Greg Sims via Postfix-users:
> On Wed, May 29, 2024 at 2:52 PM Wietse Venema via Postfix-users
> <postfix-users@postfix.org> wrote:
> 
> > Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org,
> > so any way to get double-bou...@raystedman.org should help.
> >
> > You have to be careful about mailer loops, though.
> >
> > Postfix gives special treatment to <> and <double-bounce@$myhostname>
> > to avoid an infinite loop of notifications for failed notifications.
> 
> Please note mail01 receives email from our private network Only.  This
> email is created by our servers.
> mail01 does not receive email from the Internet. All of our MX records
> point to Google.
> If we can get the double-bounce to Google, there seems to be little
> chance of a mailer loop.

I may have a different solution below.

First the worse news:

Suppose that delivery of the double-bounce to Google fails. Postfix
will then try to notify the envelope sender address. If we're not
careful, that can result in a non-delivery notification loop.

I just checked the implementation. The Postfix bounce daemon handles
failed double bounces by not generating a non-delivery notification
(i.e. it ignores a failed double bounce). But it ignores them only
when the sender address was

    $double_bounce_sender@$myhostname

Otherwise, this special handling won't work, and the Postfix bounce
daemon will generate a new notification, and the process may repeat
over and over.

The better news is that unlike (sender_)canonical_maps, the
smtp_generic_maps feature does not change the (double bounce) sender
address that Postfix uses internally. This feature changes only
what is sent in SMTP commands.

So, get rid of my (sender_)canonical mapping, and update master.cf:

master.cf:
    special-smtp-client . .. .. .. .. .. .. smtp
        -o { notify_classes = bounce, ... }
        -o { smtp_generic_maps = inline:{
             { double-bou...@hostname.raystedman.org =
                 double-bou...@raystedman.org } } }

Thus, the sending Postfix will ignore a failed notification from
double-bou...@hostname.raystedman.org as intended, and the receiving
Google server will see SMTP commands with double-bou...@raystedman.org
which are good for SPF and DKIM.

If you need to DKIM sign bounces, and you are using non_smtpd_milters
to do that, then you may have to specify:

main.cf:
    internal_mail_filter_classes = bounce

See https://www.postfix.org/postconf.5.html#internal_mail_filter_classes

> We have two DMARC/DKIM/SPF setups:
>   (1) email with domain raystedman.org is relayed through Google.
> This is our transactional email (subscription double opt-in and the
> like).
>   (2) email with domain devotion.raystedman.org is sent directly onto
> the Internet.
> 
> I am reluctant to create a third DMARC/DKIM/SPF for the double-bounce
> case which is now using domain mail01.raystedman.org.
> 
> I created a SPF record for mail01.raystedman.org -- for tonight.  This
> should be enough to get DMARC to pass when the double-bounce email is
> received by Google -- at least this is the hope.  I will work on this
> again Thursday.

I think it's a bad idea to send your double bounces to a different site.
The Postfix design really wants to handle them locally.

        Wietse
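
Added example, not part of the message above and not Postfix source code: a simplified Python model of why a canonical mapping defeats the bounce daemon's loop guard while smtp_generic_maps does not. The host name, domain and mapping are constructed, and the model assumes every delivery attempt fails.

```python
# Simplified model (added example, not Postfix source code) of the rule in the
# message above: the bounce daemon drops a failed double bounce only when the
# queued envelope sender is exactly $double_bounce_sender@$myhostname.
MYHOSTNAME = "mail01.example.org"             # constructed host name
INTERNAL = "double-bounce@" + MYHOSTNAME      # $double_bounce_sender@$myhostname
REWRITE = {INTERNAL: "double-bounce@example.org"}  # constructed mapping


def queue_sender(sender, canonical_maps):
    """Canonical mapping rewrites the sender that is stored in the queue."""
    return canonical_maps.get(sender, sender)


def wire_sender(sender, generic_maps):
    """smtp_generic_maps rewrites only what the SMTP client sends."""
    return generic_maps.get(sender, sender)


def simulate(canonical_maps, generic_maps, max_rounds=5):
    """Every delivery fails (worst case). Returns (MAIL FROM addresses seen by
    the remote server, whether notifications were still being generated)."""
    seen = []
    queued = queue_sender(INTERNAL, canonical_maps)
    for _ in range(max_rounds):
        seen.append(wire_sender(queued, generic_maps))
        if queued == INTERNAL:
            return seen, False        # failed double bounce is ignored
        # Sender not recognised: a new notification is generated, and its
        # sender goes through the same canonical rewrite again.
        queued = queue_sender(INTERNAL, canonical_maps)
    return seen, True                 # still generating notifications


if __name__ == "__main__":
    for label, canon, generic in (
        ("canonical mapping", REWRITE, {}),
        ("smtp_generic_maps", {}, REWRITE),
    ):
        seen, looping = simulate(canon, generic)
        print(f"{label}: {len(seen)} attempt(s), MAIL FROM {seen[0]}, "
              f"looping={looping}")
```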