Robert,

>> by the way, traditional smtp outside forward may break any time, by strict 
>> spf, dmarc, dkim; perhaps a workaround with "outlook forward rules only" may 
>> work....

You may be right. But so far the delivery is still working except for the 
problem coming from Microsoft antispam system - EOP.

>> Ok so far, what's the problem?

The problem is the next hop: the Microsoft antispam system, EOP, is, due to 
their bugs, eating some outbound emails from non-osu.edu or non-ohio-state.edu 
senders to forwarding accounts. But their system does not eat the emails which 
are "Resent-From" from mailbox users ("Resent-From:" is appropriate when a user 
takes a message delivered to his mailbox (possibly long after initial delivery) 
and resends it to another user (typically not an original recipient)). Our 
Exchange engineers ask whether Postfix can add "Resent-From: <original to 
address>" for emails to forwarding accounts, like mailbox accounts resent the 
emails, to bypass the problem of the Microsoft antispam system (this is one of 
all kinds of attempts).

>> as Viktor wrote, that sounds like "design problem" with no direct relation 
>> to postfix

Currently there is no use discussing the "design problem", which is not what I 
would like to talk about. I only want to know whether Postfix can add 
"Resent-From: <original to address>" for emails to forwarding accounts, like 
mailbox accounts resent the emails, to bypass the problem of the Microsoft 
antispam system (this is one of all kinds of attempts) due to their bugs.

>> however decision was made, it does not change tec facts, re-think your smtp 
>> design, i.e. let exchange deliver out itself, use other antispam practice etc

All outbound mails have to pass through security scanning for sensitive data, 
then Postfix delivers outbound emails out to the Microsoft antispam system for 
spam/virus scanning .... This design is the result of many departments working 
together based on current business and technical requirements. Any changes to 
such a large system are not easy.

Thanks for your time!!!

Carl

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Robert Schetterer
Sent: Wednesday, August 06, 2014 8:38 AM
To: postfix-users@postfix.org
Subject: Re: How to fetch From address from header via Postfix head_check?

On 06.08.2014 at 14:02, Xie, Wei wrote:
> Viktor,
> 
>>> This rather severely limits the usability of your MSA.  It cannot support 
>>> ordinary email sent to multiple recipients or Bcc'ed.  Also you say this is 
>>> an MSA, and yet claim the mail is sent by external senders outside OSU.  
>>> How are these two statements compatible?  Is this an MSA processing 
>>> outbound mail generated internally at OSU, or simply an outbound relay, 
>>> forwarding mail whose recipients are external to your email systems 
>>> (possibly your users hosted outside).
>>> Explain your system more clearly.
> 
> The main email system is a Microsoft Exchange system. The Exchange Hub servers 
> deliver all the outbound mails (internal users send emails to external users 
> or external users send emails to internal users BUT whose email addresses are 
> forwarding to his/her external mailboxes) to Postfix servers. The Postfix 
> servers receive all emails whose recipient addresses are external email 
> addresses. So I think it is simply an outbound relay, forwarding mail whose 
> recipients are external to your email systems.

by the way, traditional smtp outside forward may break any time, by strict 
spf, dmarc, dkim; perhaps a workaround with "outlook forward rules only" may 
work....

> 
>>> Mail you've accepted (whether inbound or outbound) that is then forwarded 
>>> to Microsoft for a hosted mailbox SHOULD NOT be spam filtered by Microsoft. 
>>> That responsibility falls on your systems as the original systems that 
>>> receive the mail from the external sender.
> 
> Currently the situation is that all outbound emails are sent to the MICROSOFT 
> antispam system - EOP for scanning before they are delivered to destination 
> external mailboxes. Sometimes internal users' mailboxes are possibly 
> compromised and abused to send a lot of outbound junk.

Ok so far, what's the problem?

> 
>>> The systems you use to forward mail to Microsoft for your own hosted users, 
>>> MUST be whitelisted by Microsoft for delivery to the hosted users in 
>>> question, with NO spam filters applied by them.
> 
> The fact is the systems we currently use are not whitelisted by Microsoft for 
> delivery to the hosted users in question with NO spam filters applied by 
> them.  As I say above - Sometimes internal users' mailboxes are possibly 
> compromised and abused to send a lot of outbound junk.

as Viktor wrote, that sounds like "design problem" with no direct relation to 
postfix

> 
>>> If Microsoft cannot do this for you, find a better email hosting provider.  
>>> You're wasting time attacking the wrong problem.
> 
> The decision will be made by higher levels of management, not me. Sometimes 
> the effort used to attack the wrong problem is not fairly wasting time.

however decision was made, it does not change tec facts, re-think your smtp 
design, i.e. let exchange deliver out itself, use other antispam practice etc

> 
> 
> Thanks,
> 
> Carl
> 
> -----Original Message-----
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: Tuesday, August 05, 2014 5:46 PM
> To: postfix-users@postfix.org
> Subject: Re: How to fetch From address from header via Postfix head_check?
> 
> On Tue, Aug 05, 2014 at 09:28:24PM +0000, Xie, Wei wrote:
> 
>>> What you're proposing is not viable, and seems to serve no purpose.
>>> You should explain the problem you're trying to solve by adding 
>>> these, rather than the problems you're having doing so.
>>
>> When the message hits our outbound Postfix servers, on an MSA the "To:"
>> address only list one recipient. We do not need consider multiple 
>> recipients.
> 
> This rather severely limits the usability of your MSA.  It cannot support 
> ordinary email sent to multiple recipients or Bcc'ed.  Also you say this is 
> an MSA, and yet claim the mail is sent by external senders outside OSU.  How 
> are these two statements compatible?  Is this an MSA processing outbound mail 
> generated internally at OSU, or simply an outbound relay, forwarding mail 
> whose recipients are external to your email systems (possibly your users 
> hosted outside).
> 
> Explain your system more clearly.
> 
>> The problem is the nexthop - Microsoft antispam system due to their 
>> bugs is eating some outbound emails from non-osu.edu or 
>> non-ohio-state.edu senders to forwarding accounts.  But their system 
>> does not eat the emails which are "Resent-From" from mailbox users 
>> ("Resent-From:" is appropriate when a user takes a message delivered 
>> to his mailbox (possibly long after initial delivery) and resends it 
>> to another user (typically not an original recipient). Our exchange 
>> engineers ask whether Postfix can add "Resent-From:
>> <original to address>" for emails to forwarding accounts like mailbox 
>> accounts resent the emails to bypass Microsoft antispam system (this 
>> is one of all kinds attempts).
> 
> Mail you've accepted (whether inbound or outbound) that is then forwarded to 
> Microsoft for a hosted mailbox SHOULD NOT be spam filtered by Microsoft.  
> That responsibility falls on your systems as the original systems that receive 
> the mail from the external sender.
> 
> The systems you use to forward mail to Microsoft for your own hosted users, 
> MUST be whitelisted by Microsoft for delivery to the hosted users in 
> question, with NO spam filters applied by them.
> 
> If Microsoft cannot do this for you, find a better email hosting provider.  
> You're wasting time attacking the wrong problem.
> 



Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
