Re: Dynamic 'myhostname'

2015-09-12 Thread Mick

Hi,

Quoting myself
> The very thing I added to allow forwarding without breaking SPF /
> DMARC  appends the From field to the primary domain regardless of the
> domain the message comes from. I've withdrawn postsrsd for now while I
> look into a possibility of work around or something to replace it.


I know this is not strictly on topic, but it probably concludes this 
thread :
After realising it wasn't 'myhostname' that needed to be made dynamic, I 
searched for a way to get postsrsd to make 'SRS_DOMAIN' dynamic.  I 
hoped this could be set by the domain of the local recipient (not the 
final destination). I gave up after yielding no positive results though.


My get out :
As only 'domain2' forwards any mail externally, I decided to set 
'SRS_DOMAIN' to 'domain2' and 'SRS_EXCLUDE_DOMAINS' to exclude all other 
domains using config file '/etc/default/postsrsd'. From then on, only 
'from' headers from 'domain2' are re-written by postsrsd and are 
appended '@domain2' meaning no failed SPF domain alignment results.  I 
can now set DMARC adkim to strict I suppose.


If anyone has managed to make 'SRS_DOMAIN' dynamic, I'd love to hear 
how, otherwise please consider this resolved. Thanks Wietse and 
Christian for your help.



Best regards,

Mick.
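
Added example, not part of Mick's message and not postsrsd code: a simplified Python model of why rewriting the envelope sender into the primary domain fails DMARC's SPF alignment for the second domain, and why the SRS_DOMAIN / SRS_EXCLUDE_DOMAINS change described above restores it. Assumptions: domain1.example and domain2.example stand in for the primary domain and 'domain2', the function names are hypothetical, the SRS0 address omits the real timestamp encoding, and the organizational domain is taken as the last two labels instead of using the Public Suffix List.

```python
# Added illustration: simplified model of SRS envelope rewriting and the
# DMARC SPF-alignment check. Not postsrsd code; all domains are constructed.
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder, not a real SRS secret


def org_domain(domain):
    # Assumption: naive "last two labels"; real DMARC code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def srs_rewrite(sender, srs_domain, exclude=()):
    """Return the envelope sender after an SRS0-style rewrite (simplified)."""
    local, _, domain = sender.rpartition("@")
    domain = domain.lower()
    # Modelled rule: senders in srs_domain or in an excluded domain are left alone.
    if domain == srs_domain or domain in exclude:
        return sender
    mac = hmac.new(SECRET, f"{domain}{local}".encode(), hashlib.sha1).digest()
    tag = base64.b64encode(mac)[:4].decode()
    # Real SRS0 addresses carry an encoded timestamp; "TT" stands in for it here.
    return f"SRS0={tag}=TT={domain}={local}@{srs_domain}"


def spf_aligned(mail_from, header_from, aspf="r"):
    """DMARC SPF alignment: MAIL FROM domain compared with header From domain."""
    env = mail_from.rpartition("@")[2].lower()
    hdr = header_from.rpartition("@")[2].lower()
    if aspf == "s":          # strict: domains must be identical
        return env == hdr
    return org_domain(env) == org_domain(hdr)  # relaxed: same organizational domain


def check(sender, srs_domain, exclude=(), aspf="r"):
    """Rewrite the envelope sender, then test it against the unchanged From."""
    return spf_aligned(srs_rewrite(sender, srs_domain, exclude), sender, aspf)


if __name__ == "__main__":
    d1, d2 = "domain1.example", "domain2.example"
    # Before: SRS_DOMAIN is the primary domain, nothing excluded.
    print(check("mick@" + d2, d1))
    # After: SRS_DOMAIN=domain2, primary domain excluded; both stay aligned.
    print(check("mick@" + d2, d2, (d1,), "s"))
    print(check("mick@" + d1, d2, (d1,), "s"))
```
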


Re: Dynamic 'myhostname'

2015-09-11 Thread Christian Kivalo


On 10 September 2015 23:13:59 CEST, Mick wrote:
>On 10/09/2015 21:13, Wietse Venema wrote:
>> Mick:
>>> Hi,
>>>
>>> I'm trialling DMARC to two of my domains.  On checking the results when
>>> posting from the secondary domain I receive 'SPF Domain Alignment Result
>>> = FAIL'. I think this is because postfix always says HELO with the
>>> primary domain name, which is obviously different to the secondary.  Is
>>> there a way to rewrite the message envelope to say HELO using the same
>>> domain used in the from field?
>> I suspect that the problem is that the SMTP client IP address does
>> not match the SPF rule.
>>
>> You may want to set up sender_dependent_default_transport to use
>> different Postfix SMTP clients depending on the envelope sender
>> email address, with "-o smtp_bind_address" settings in master.cf
>> for the proper client IP address.
>Hi Wietse,
>
>I only have 1 IP address (2 if you count the IPv6 address).  A reverse
>DNS lookup will always find my primary domain so even if I used
>'sender_dependent_default_transport' and set up multiple switches just
>to change HELO name, they still have to point to the same IP.  If
>reverse DNS was then carried out, secondary domain provided in the HELO
>would not match and mail could be rejected. Think I'm stuffed without
>additional IPv4s, but at least I know why.

Your setup should work. I have a similar setup with 5 domains of which the one 
that holds the helo-name of my Mailserver is not my primary maildomain... and 
that works well with spf dkim and dmarc.

When searching for your error message it seems that maybe your envelope and 
from aren't aligned, this could be checked on spf test websites that analyse 
your setup after you send them an email to a special one-time address.

Have you had a look at the spf rfc 7208?

Regards
Christian


>Thanks for your advice.
>
>Mick.
>
>
>>
>>  Wietse
>>



Re: Dynamic 'myhostname'

2015-09-11 Thread Mick

Hi Christian,


>> Hi Wietse,
>>
>> I only have 1 IP address (2 if you count the IPv6 address).  A reverse
>> DNS lookup will always find my primary domain so even if I used
>> 'sender_dependent_default_transport' and set up multiple switches just
>> to change HELO name, they still have to point to the same IP.  If
>> reverse DNS was then carried out, secondary domain provided in the HELO
>> would not match and mail could be rejected. Think I'm stuffed without
>> additional IPv4s, but at least I know why.
>
> Your setup should work. I have a similar setup with 5 domains of which the one
> that holds the helo-name of my Mailserver is not my primary maildomain... and
> that works well with spf dkim and dmarc.
>
> When searching for your error message it seems that maybe your envelope and
> from aren't aligned, this could be checked on spf test websites that analyse
> your setup after you send them an email to a special one-time address.


Thank you very much indeed for your help. As a result I re-checked my 
configuration and found you were spot on, the culprit being postsrsd. 
The very thing I added to allow forwarding without breaking SPF / DMARC  
appends the From field to the primary domain regardless of the domain 
the message comes from. I've withdrawn postsrsd for now while I look 
into a possibility of work around or something to replace it.





> Have you had a look at the spf rfc 7208?


Yes. It's a good document. I'm more a pragmatist than theorist so always 
appreciate examples which rfc7208 provides plenty.



Best regards,

Mick.




> Regards
> Christian
>
>> Thanks for your advice.
>>
>> Mick.
>>
>>> Wietse







Re: Dynamic 'myhostname'

2015-09-10 Thread Wietse Venema
Mick:
> Hi,
> 
> I'm trialling DMARC to two of my domains.  On checking the results when 
> posting from the secondary domain I receive 'SPF Domain Alignment Result 
> = FAIL'. I think this is because postfix always says HELO with the 
> primary domain name, which is obviously different to the secondary.  Is 
> there a way to rewrite the message envelope to say HELO using the same 
> domain used in the from field?

I suspect that the problem is that the SMTP client IP address does
not match the SPF rule.

You may want to set up sender_dependent_default_transport to use
different Postfix SMTP clients depending on the envelope sender
email address, with "-o smtp_bind_address" settings in master.cf
for the proper client IP address.

Wietse


Re: Dynamic 'myhostname'

2015-09-10 Thread Mick

On 10/09/2015 21:13, Wietse Venema wrote:

> Mick:
>> Hi,
>>
>> I'm trialling DMARC to two of my domains.  On checking the results when
>> posting from the secondary domain I receive 'SPF Domain Alignment Result
>> = FAIL'. I think this is because postfix always says HELO with the
>> primary domain name, which is obviously different to the secondary.  Is
>> there a way to rewrite the message envelope to say HELO using the same
>> domain used in the from field?
>
> I suspect that the problem is that the SMTP client IP address does
> not match the SPF rule.
>
> You may want to set up sender_dependent_default_transport to use
> different Postfix SMTP clients depending on the envelope sender
> email address, with "-o smtp_bind_address" settings in master.cf
> for the proper client IP address.

Hi Wietse,

I only have 1 IP address (2 if you count the IPv6 address).  A reverse 
DNS lookup will always find my primary domain so even if I used 
'sender_dependent_default_transport' and set up multiple switches just 
to change HELO name, they still have to point to the same IP.  If 
reverse DNS was then carried out, secondary domain provided in the HELO 
would not match and mail could be rejected. Think I'm stuffed without 
additional IPv4s, but at least I know why.



Thanks for your advice.

Mick.




> Wietse