On 8 June 2017 at 12:20, Marek Kozlowski <m.kozlow...@mini.pw.edu.pl> wrote:
> :-)
>
> On 06/08/2017 12:38 PM, Dominic Raferd wrote:
> > On 08/06/2017 10:55, Marek Kozlowski wrote:
> >> :-)
> >>
> >> Numerous users of my system use forward to external MTAs. From time to
> >> time it causes some issues with SPF on those MTAs. SRS could resolve
> >> those.
> >> I'm wondering if you could recommend any SRS software which nicely
> >> integrates with postfix and doesn't interfere with canonicals (postsrsd
> >> does[*])...
> >>
> >
> > We forward our users' incoming mails through our postfix servers to
> > external MTAs (almost always Gmail). Yes it breaks SPF but it is not
> > usually a problem, because it doesn't break DKIM. It would of course be
> > a problem if the external MTAs chose to enforce rejection based purely
> > on SPF; a very unwise practice IMO, but there may not be much you can do
> > about it.
> >
> > In our case (with Gmail as the external MTA) it is only a problem if the
> > source domain has a 'reject' DMARC policy and the original message,
> > though passing SPF, fails DKIM (probably because it is unsigned). Our
> > system monitors the log for such a rejection (by Gmail) and if found
> > will then encapsulate the original message and re-send it to recipient
> > (with an explanatory text). In my experience such instances are very
> > rare.
>
> I've recently implemented opendkim. As far as I understand your
> explanation if the message is DKIM-signed I should not worry too much
> about SRS?

To be honest I haven't tried SRS; but if it doesn't break DKIM I would expect it to break DMARC (because of alignment concept). Maybe someone knows different?

Our servers use openDMARC; openDKIM and python-policyd-spf are used but only to add informational headers for openDMARC. We enforce p=reject DMARC policy but (in another coded workaround) any mail placed by openDMARC in the postfix hold queue (p=quarantine DMARC policy) is released and sent onward so that the end MTA (Gmail) can receive and quarantine it (i.e. put into Gmail 'Spam' folder).
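
The thread's question of how forwarding, SRS and DKIM feed into the final DMARC result can be worked through with the RFC 7489 rule (pass if SPF or DKIM passes and aligns with the From: domain). This is an added example, not part of the original message or of any poster's setup. The domains are constructed, the organizational-domain lookup is simplified to the last two labels, and the DKIM signature is assumed to survive forwarding unmodified.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplifying assumption: last two labels; real code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str          # domain in the From: header
    envelope_from: str        # MAIL FROM domain seen by the final MTA
    spf_pass: bool            # SPF result for envelope_from + connecting IP
    dkim_pass_domains: tuple  # d= domains whose signatures verified

def dmarc_pass(msg: Message) -> bool:
    """RFC 7489, relaxed alignment: SPF or DKIM must pass AND align with From:."""
    want = org_domain(msg.header_from)
    spf_aligned = msg.spf_pass and org_domain(msg.envelope_from) == want
    dkim_aligned = any(org_domain(d) == want for d in msg.dkim_pass_domains)
    return spf_aligned or dkim_aligned

def scenarios() -> dict:
    # Constructed domains: sender.example = original sender, fwd.example = forwarder.
    out = {}
    for signed in (True, False):
        dkim = ("sender.example",) if signed else ()
        tag = "signed" if signed else "unsigned"
        # Direct delivery: SPF passes and is aligned.
        out[f"direct/{tag}"] = dmarc_pass(
            Message("sender.example", "sender.example", True, dkim))
        # Plain forward: envelope sender kept, forwarder IP not in sender's SPF.
        out[f"forward/{tag}"] = dmarc_pass(
            Message("sender.example", "sender.example", False, dkim))
        # SRS forward: envelope rewritten to forwarder, SPF passes but is unaligned.
        out[f"forward+srs/{tag}"] = dmarc_pass(
            Message("sender.example", "fwd.example", True, dkim))
    return out

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22} DMARC {'pass' if ok else 'fail'}")
```
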