Re: Dynamic 'myhostname'
Hi,

Quoting myself:

> The very thing I added to allow forwarding without breaking SPF / DMARC appends the From field to the primary domain regardless of the domain the message comes from. I've withdrawn postsrsd for now while I look into a possibility of work around or something to replace it.

I know this is not strictly on topic, but it probably concludes this thread:

After realising it wasn't 'myhostname' that needed to be made dynamic, I searched for a way to get postsrsd to make 'SRS_DOMAIN' dynamic. I hoped this could be set by the domain of the local recipient (not the final destination). I gave up after yielding no positive results though.

My get out:

As only 'domain2' forwards any mail externally, I decided to set 'SRS_DOMAIN' to 'domain2' and 'SRS_EXCLUDE_DOMAINS' to exclude all other domains using config file '/etc/default/postsrsd'. From then on, only 'from' headers from 'domain2' are re-written by postsrsd and are appended '@domain2' meaning no failed SPF domain alignment results. I can now set DMARC adkim to strict I suppose.

If anyone has managed to make 'SRS_DOMAIN' dynamic, I'd love to hear how, otherwise please consider this resolved.

Thanks Wietse and Christian for your help.

Best regards,
Mick.
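An added example, not part of the thread and not postsrsd's own code: a simplified Python model of the failure discussed here, where an SRS rewriter moves the envelope sender into another domain and DMARC's SPF alignment against the From: header then fails. The domains `domain1.example` and `domain2.example`, the function names and the two-label organizational-domain shortcut are assumptions; `HHHH` and `TT` are placeholders for the SRS hash and timestamp fields.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: sender and From: both in the secondary domain.
RAW = """\
Return-Path: <mick@domain2.example>
From: Mick <mick@domain2.example>
Subject: alignment test

body
"""

def domain_of(addr):
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: the last two labels are the organizational domain.
    # Real DMARC evaluators use the Public Suffix List for this step.
    return ".".join(domain.split(".")[-2:])

def spf_aligned(mail_from, header_from, aspf="r"):
    """DMARC SPF identifier alignment: envelope sender vs. From: header."""
    env, hdr = domain_of(mail_from), domain_of(header_from)
    if not env or not hdr:
        return False
    if aspf == "s":                       # strict: domains must be identical
        return env == hdr
    return org_domain(env) == org_domain(hdr)   # relaxed: same org domain

def srs_envelope(mail_from, srs_domain, exclude_domains=()):
    """Simplified SRS model: senders in srs_domain or an excluded domain
    are left alone, every other sender is rewritten into srs_domain."""
    local, _, dom = parseaddr(mail_from)[1].rpartition("@")
    dom = dom.lower()
    if dom == srs_domain or dom in exclude_domains:
        return mail_from
    return f"SRS0=HHHH=TT={dom}={local}@{srs_domain}"

def alignment_after_srs(raw, srs_domain, exclude_domains=(), aspf="r"):
    """Alignment result a receiver would compute after the rewrite."""
    msg = message_from_string(raw)
    rewritten = srs_envelope(msg["Return-Path"], srs_domain, exclude_domains)
    return spf_aligned(rewritten, msg["From"], aspf)

if __name__ == "__main__":
    print("SRS_DOMAIN=domain1:", alignment_after_srs(RAW, "domain1.example"))
    print("SRS_DOMAIN=domain2, domain1 excluded:",
          alignment_after_srs(RAW, "domain2.example", ("domain1.example",), "s"))
```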
Re: Dynamic 'myhostname'
On 10 September 2015 23:13:59 CEST, Mick wrote:
>On 10/09/2015 21:13, Wietse Venema wrote:
>> Mick:
>>> Hi,
>>>
>>> I'm trialling DMARC to two of my domains. On checking the results when
>>> posting from the secondary domain I receive 'SPF Domain Alignment Result
>>> = FAIL'. I think this is because postfix always says HELO with the
>>> primary domain name, which is obviously different to the secondary. Is
>>> there a way to rewrite the message envelope to say HELO using the same
>>> domain used in the from field?
>> I suspect that the problem is that the SMTP client IP address does
>> not match the SPF rule.
>>
>> You may want to set up sender_dependent_default_transport to use
>> different Postfix SMTP clients depending on the envelope sender
>> email address, with "-o smtp_bind_address" settings in master.cf
>> for the proper client IP address.
>Hi Wietse,
>
>I only have 1 IP address (2 if you count the IPv6 address). A reverse
>DNS lookup will always find my primary domain so even if I used
>'sender_dependent_default_transport' and set up multiple switches just
>to change HELO name, they still have to point to the same IP. If
>reverse DNS was then carried out, secondary domain provided in the HELO
>would not match and mail could be rejected. Think I'm stuffed without
>additional IPv4s, but at least I know why.

Your setup should work. I have a similar setup with 5 domains of which the one that holds the helo-name of my Mailserver is not my primary maildomain... and that works well with spf dkim and dmarc.

When searching for your error message it seems that maybe your envelope and from aren't aligned, this could be checked on spf test websites that analyse your setup after you send them an email to a special one-time address.

Have you had a look at the spf rfc 7208?

Regards
Christian

>Thanks for your advice.
>
>Mick.
>
>> Wietse
Re: Dynamic 'myhostname'
Hi Christian,

>> Hi Wietse,
>>
>> I only have 1 IP address (2 if you count the IPv6 address). A reverse DNS lookup will always find my primary domain so even if I used 'sender_dependent_default_transport' and set up multiple switches just to change HELO name, they still have to point to the same IP. If reverse DNS was then carried out, secondary domain provided in the HELO would not match and mail could be rejected. Think I'm stuffed without additional IPv4s, but at least I know why.
>
> Your setup should work. I have a similar setup with 5 domains of which the one that holds the helo-name of my Mailserver is not my primary maildomain... and that works well with spf dkim and dmarc.
>
> When searching for your error message it seems that maybe your envelope and from aren't aligned, this could be checked on spf test websites that analyse your setup after you send them an email to a special one-time address.

Thank you very much indeed for your help. As a result I re-checked my configuration and found you were spot on, the culprit being postsrsd. The very thing I added to allow forwarding without breaking SPF / DMARC appends the From field to the primary domain regardless of the domain the message comes from. I've withdrawn postsrsd for now while I look into a possibility of work around or something to replace it.

> Have you had a look at the spf rfc 7208?

Yes. It's a good document. I'm more a pragmatist than theorist so always appreciate examples which rfc7208 provides plenty.

Best regards,
Mick.

> Regards
> Christian
>
>> Thanks for your advice.
>>
>> Mick.
>>
>>> Wietse
Re: Dynamic 'myhostname'
Mick:
> Hi,
>
> I'm trialling DMARC to two of my domains. On checking the results when
> posting from the secondary domain I receive 'SPF Domain Alignment Result
> = FAIL'. I think this is because postfix always says HELO with the
> primary domain name, which is obviously different to the secondary. Is
> there a way to rewrite the message envelope to say HELO using the same
> domain used in the from field?

I suspect that the problem is that the SMTP client IP address does not match the SPF rule.

You may want to set up sender_dependent_default_transport to use different Postfix SMTP clients depending on the envelope sender email address, with "-o smtp_bind_address" settings in master.cf for the proper client IP address.

Wietse
Re: Dynamic 'myhostname'
On 10/09/2015 21:13, Wietse Venema wrote:
> Mick:
>> Hi,
>>
>> I'm trialling DMARC to two of my domains. On checking the results when posting from the secondary domain I receive 'SPF Domain Alignment Result = FAIL'. I think this is because postfix always says HELO with the primary domain name, which is obviously different to the secondary. Is there a way to rewrite the message envelope to say HELO using the same domain used in the from field?
>
> I suspect that the problem is that the SMTP client IP address does not match the SPF rule.
>
> You may want to set up sender_dependent_default_transport to use different Postfix SMTP clients depending on the envelope sender email address, with "-o smtp_bind_address" settings in master.cf for the proper client IP address.

Hi Wietse,

I only have 1 IP address (2 if you count the IPv6 address). A reverse DNS lookup will always find my primary domain so even if I used 'sender_dependent_default_transport' and set up multiple switches just to change HELO name, they still have to point to the same IP. If reverse DNS was then carried out, secondary domain provided in the HELO would not match and mail could be rejected. Think I'm stuffed without additional IPv4s, but at least I know why.

Thanks for your advice.

Mick.

> Wietse