Linode Forum
https://forum.linode.com/

Secure forwarding with LibSRS?
https://forum.linode.com/viewtopic.php?f=11&t=11283		 Page 1 of 1
Author:  Webkungen [ Fri Sep 05, 2014 3:49 am ]
Post subject:  Secure forwarding with LibSRS?
Hi!

I've setup my own email server using the linode guide for postfix/mysql and dovecot. Everything is working very well. Now to my issue. I need to forward all incoming emails to a certain address so an external address, and at the same time rewrite the sender in order for SPF/DKIM to pass.

I've found LibSRS (http://www.libsrs2.org/) and installed it on my debian box using apt-get. But what now? I'm unable to find any guides, instructions etc. how to configure LibSRS with this certain address.

Any help I can get in this matter would be highly appreciated!

Thanks!
Author:  Webkungen [ Fri Sep 05, 2014 4:38 am ]
Post subject:  Re: Secure forwarding with LibSRS?
Just to clearify things. When people are sending email to name@domain.tld, postfix has to forward that email to another-name@another-domain.tld, and alter (keep) the FROM-address to name@domain.tld intead of keeping the original sender. This is becaise I'm using SPF/DKIM and the emails will be classes as spam (not permitted sender nor valid DKIM).
Author:  hoopycat [ Fri Sep 05, 2014 6:44 am ]
Post subject:  Re: Secure forwarding with LibSRS?
I use something like this:

In /etc/postfix/redirector, an executable script:
Code:
#!/bin/bash

# Redirects mail to make SPF happy.
# Ryan Tucker <rtucker@gmail.com>, 2010 Oct 24
# Based on http://serverfault.com/q/82234/54177
HOSTNAME=`hostname -f`
DESTINATION=`echo "$1" | sed 's/.munger$//'`

/usr/sbin/sendmail -bm -f "mail@$HOSTNAME" "$DESTINATION"
logger -i -p mail.info -t redirector "Redirecting message to $DESTINATION (orig to $2)"


In master.cf:

Code:
# resends the message with a local envelope sender to "thwart" SPF on forwards
# remember to set munger_destination_recipient_limit = 1 in main.cf
munger  unix  -       n       n       -       -       pipe
  flags=q user=nobody argv=/etc/postfix/redirector ${mailbox}@${nexthop} ${original_recipient}


In transport:

Code:
# spf-ish domains
.munger   munger:


In main.cf:

Code:
munger_destination_recipient_limit = 1


And finally, virtual:

Code:
local@example.com    distant@example.net.munger


It worked well for pretty much all the mail going through my system, but we've been migrating domains to Fastmail. They have a ticky-box that does this automatically. (And they do mail better than I do.)
Author:  Webkungen [ Fri Sep 05, 2014 6:48 am ]
Post subject:  Re: Secure forwarding with LibSRS?
Hi!

Thanks for your answer, I'll definitely have a look into this. A questions first though, what do you mean with And finally, virtual: ?

Is it the virtual_alias_maps you mean in main.cf?
The current value for that is virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf and I need to keep it that way in order to use the mysql table. Or do you simply mean to add the "redirect" in my existing mysql table for aliases?`

Thanks!
Author:  hoopycat [ Fri Sep 05, 2014 11:02 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Basically, you'd append .munger to any destination address, however you do it, and it'll go through this transport.
Author:  Webkungen [ Fri Sep 05, 2014 11:17 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Okay! So you mean [b].munger[/u] will be removed from the target address? I'll give it a try then!
Author:  Webkungen [ Fri Sep 05, 2014 11:28 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Almost there... :D

I've setup everything and first I got "Permission denied" for the "munger service". Ran chmod +x redirector. When a new email is arriving to the server, postfix log says:
Code:
Sep  6 05:26:11 li416-119 postfix/sendmail[15584]: fatal: User nobody(65534) is not allowed to submit mail


Guess I have to adjust something in the redirector script, but what part? Thanks!
Author:  Webkungen [ Fri Sep 05, 2014 11:42 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Tried to change user= in master.cf to both vmail and root, same error... Suggestions?
Author:  Webkungen [ Sat Sep 06, 2014 1:36 am ]
Post subject:  Re: Secure forwarding with LibSRS?
Think I solved it!

I commented out this line in main.cf:
Code:
smtpd_data_restrictions = reject_unauth_pipelining


And added nobody to authorized_submit_users.

The email is coming through as it should, and the sender is correct! Two questions on this:

1) Is there a chance of any issues with commenting out "reject_unauth_pipelining"?
2) Is it "dangerous" to add nobody to "authorized_submit_users" ?

Also, would be very, very nice if the receipient (which has a local inbox on the server) could keep a copy of the mail that's being forwarded.
Author:  Webkungen [ Sat Sep 06, 2014 1:46 am ]
Post subject:  Re: Secure forwarding with LibSRS?
Hmm, nope, it's not working.... The original sender is still the sender of the forwarded email.... I.e.

a) I've setup addr1@domain.tld is an alias with the destination addr2@anotherdomain.tld
b) When sending an email TO addr1@domain.tld it's supposed to save a local copy of the email in the inbox, and forward to email to addr2@anotherdomain.tld.

When addr2@anotherdomain.tld is receiving the email, addr1@domain.tld is supposed to be the FROM address.
Author:  hoopycat [ Sun Sep 07, 2014 9:04 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
What does your mail log say? What do the received message headers say?
Author:  Webkungen [ Sun Sep 07, 2014 11:05 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Message headers:
Code:
Return-Path: <mail@email.mydomain.tld>
Received: from email.mydomain.tld (unknown [178.xx.yyy.zzz])
   by vsp-inbound-02-02.binero.net (Halon Mail Gateway) with ESMTP
   for <addr2@anotherdomain.tld>; Sat,  6 Sep 2014 07:39:19 +0200 (CEST)
Received: by email.mydomain.tld (Postfix, from userid 65534)
   id A21CF8282D; Sat,  6 Sep 2014 07:39:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
   by email.mydomain.tld (Postfix) with ESMTP id 9167D827CB
   for <addr2@anotherdomain.tld.munger>; Sat,  6 Sep 2014 07:39:19 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at email.mydomain.tld
Received: from email.mydomain.tld ([127.0.0.1])
   by localhost (email.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
   with ESMTP id LJBpolt37lq3 for <addr2@anotherdomain.tld.munger>;
   Sat,  6 Sep 2014 07:39:14 +0200 (CEST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173])
   by email.mydomain.tld (Postfix) with ESMTPS id 448D2827C3
   for <addr1@domain.tld>; Sat,  6 Sep 2014 07:39:14 +0200 (CEST)
Received: by mail-wi0-f173.google.com with SMTP id cc10so323375wib.12
        for <addr1@domain.tld>; Fri, 05 Sep 2014 22:39:13 -0700 (PDT)


Postfix log:
Code:
postfix/smtpd[22133]: 9167D827CB: client=localhost[127.0.0.1]
postfix/cleanup[22123]: 9167D827CB: message-id=<CALK1BFQVo+bkBs-0hRS4tA2xGUiqAO8XTTU-nr40dP2Qr6WLyQ@mail.gmail.com>
opendkim[747]: 9167D827CB no signing table match for `the-sender@gmail.com'
opendkim[747]: 9167D827CB: no signature data
postfix/qmgr[21820]: 9167D827CB: from=<the-sender@gmail.com>, size=57915, nrcpt=1 (queue active)
amavis[19896]: (19896-04) Passed CLEAN, [209.85.212.173] [209.85.212.173] <the-sender@gmail.com> -> <addr2@anotherdomain.tld.munger>, Message-ID: <CALK1BFQVo+bkBs-0hRS4tA2xGUiqAO8XTTU-nr40dP2Qr6WLyQ@mail.gmail.com>, mail_id: LJBpolt37lq3, Hits: 0.615, size: 57391, queued_as: 9167D827CB, 5320 ms
redirector[22299]: Redirecting message to addr2@anotherdomain.tld (orig to addr2@anotherdomain.tld.munger)
postfix/smtp[22124]: 448D2827C3: to=<addr2@anotherdomain.tld.munger>, orig_to=<addr1@domain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=0.08/0.01/0/5.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=19896-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9167D827CB)
postfix/pipe[22134]: 9167D827CB: to=<addr2@anotherdomain.tld.munger>, relay=munger, delay=0.07, delays=0.05/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via munger service)
postfix/qmgr[21820]: 9167D827CB: removed
Author:  hoopycat [ Mon Sep 08, 2014 6:29 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
The envelope sender is being changed:

Code:
Return-Path: <mail@email.mydomain.tld>


It is defaulting to the user executing the redirector script, but that could be changed by adjusting the -f argument on its call to sendmail. (Perhaps -f "$2" would do the trick?) None of this touches the "From:" header inside of the message -- that's not used for SPF/DKIM/etc, it's just for human readability.

As far as saving a copy of the mail locally, you might want to look into http://www.postfix.org/ADDRESS_REWRITIN ... l#auto_bcc ... instead of forwarding all mail, use recipient_bcc_maps to bcc: mail for that user to the external address.

In all cases, be mindful of loops that could occur when the external address is undeliverable. If the envelope sender of the forwarding copy is the recipient's e-mail address, then all hell will break loose if the external address bounces. (That's why I didn't do -f "$2" in the first place.)
Author:  Webkungen [ Tue Sep 16, 2014 11:07 pm ]
Post subject:  Re: Secure forwarding with LibSRS?
Tried to setup the recipient_bcc_maps now and the problem is when the mail is received the sender is still the original sender. So back to square 1... I need to forward the email to a adress, and change the sender adress. Perhaps the easiest way is to create a PHP script that connects to the inbox, forwarding the email and run this script from cron?
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/