# Postfix + Virtual Mailbox Domain + email forwarding (SPF fail)



## s2r (Jun 9, 2022)

Hello.
I'm running on a Linode VPS Postfix for a couple of virtual domains. Those domains are configured as virtual mailbox domains.
One of those domains is a family domain which I would like to forward one address to a few @gmail.com addresses.

I'm getting multiple bounces from Gmail saying that the emails were blocked because they seem spam. 


```
Jun  9 03:20:07 xx-yy-zz-aa postfix/smtpd[75263]: connect from ns1g-b.incoming-domain.com[10.20.30.10]
Jun  9 03:20:09 xx-yy-zz-aa postfix/smtpd[75263]: 339B7174497: client=ns1g-b.incoming-domain.com[10.20.30.10]
Jun  9 03:20:09 xx-yy-zz-aa postfix/cleanup[75268]: 339B7174497: message-id=<2b8521b0b13464f82d0bbfb55c90d4f1@rx099.cajval.incoming-domain.com>
Jun  9 03:20:09 xx-yy-zz-aa opendkim[27128]: 339B7174497: ns1g-b.incoming-domain.com [10.20.30.10] not internal
Jun  9 03:20:09 xx-yy-zz-aa opendkim[27128]: 339B7174497: not authenticated
Jun  9 03:20:09 xx-yy-zz-aa postfix/qmgr[27221]: 339B7174497: from=<noreply@originatingdomain.com>, size=2427, nrcpt=4 (queue active)
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75270]: 339B7174497: to=<email2@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[172.253.115.26]:25, delay=2.8, delays=2.1/0.02/0.26/0.35, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[172.253.115.26] said: 550-5.7.26 This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command))
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75270]: 339B7174497: to=<email1@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[172.253.115.26]:25, delay=2.8, delays=2.1/0.02/0.26/0.35, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[172.253.115.26] said: 550-5.7.26 This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command))
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75269]: 339B7174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=aspmx.l.google.com[172.253.122.27]:25, delay=2.9, delays=2.1/0.01/0.38/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK  1654755614 j21-20020a05620a411500b006a6f8d26e7dsi2941964qko.122 - gsmtp)
Jun  9 03:20:11 xx-yy-zz-aa postfix/smtp[75271]: 339B7174497: to=<email4@yahoo.com>, orig_to=<invoices@myfamily.com>, relay=mta7.am0.yahoodns.net[67.195.228.106]:25, delay=4, delays=2.1/0.03/0.8/1.1, dsn=2.0.0, status=sent (250 ok dirdel)
Jun  9 03:20:11 xx-yy-zz-aa postfix/cleanup[75268]: 6F48D177531: message-id=<20220609062011.6F48D177531@xx-yy-zz-aa.ip.linodeusercontent.com>
Jun  9 03:20:11 xx-yy-zz-aa postfix/bounce[75272]: 339B7174497: sender non-delivery notification: 6F48D177531
Jun  9 03:20:11 xx-yy-zz-aa postfix/qmgr[27221]: 6F48D177531: from=<>, size=6692, nrcpt=1 (queue active)
Jun  9 03:20:11 xx-yy-zz-aa postfix/qmgr[27221]: 339B7174497: removed
Jun  9 03:20:13 xx-yy-zz-aa postfix/smtp[75270]: 6F48D177531: to=<noreply@originatingdomain.com>, relay=originatingdomain-com.mail.protection.outlook.com[104.47.56.110]:25, delay=2, delays=0.01/0/0.36/1.6, dsn=2.6.0, status=sent (250 2.6.0 <20220609062011.6F48D177531@xx-yy-zz-aa.ip.linodeusercontent.com> [InternalId=33612414060097, Hostname=CP2P152MB1409.LAMP152.PROD.OUTLOOK.COM] 15569 bytes in 0.413, 36.801 KB/sec Queued mail for delivery)
Jun  9 03:20:13 xx-yy-zz-aa postfix/qmgr[27221]: 6F48D177531: removed
Jun  9 03:20:14 xx-yy-zz-aa postfix/smtpd[75263]: disconnect from ns1g-b.incoming-domain.com[10.20.30.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
```

At first I thought I have missconfigured myfamily.com DNS. I got SPF, DKIM, and DMARC configured for myfamily.com but the problem is obviously the forwards are failing because myfamily.com is not listed as a valid source in SPF for the originating email. I installed postsrsd to rewrite those addresses but the mail keeps bouncing. It's a similar issue should be happening with mailing lists. Any ideas how it's dealt in those cases? 

Thanks!


----------



## msplsh (Jun 9, 2022)

noreply@originatingdomain.com isn't being rewritten to myfmaily.com and set as from=, so it's working as expected?


----------



## VladiBG (Jun 9, 2022)

use Postfix - Sender Rewriting Scheme (SRS) to rewrite the FROM during forwarding.









						GitHub - roehling/postsrsd: Postfix Sender Rewriting Scheme daemon
					

Postfix Sender Rewriting Scheme daemon. Contribute to roehling/postsrsd development by creating an account on GitHub.




					github.com
				









						FreshPorts -- mail/postsrsd: Postfix Sender Rewriting Scheme daemon
					

PostSRSd provides the Sender Rewriting Scheme (SRS) via TCP-based lookup tables for Postfix. SRS is needed if your mail server acts as forwarder.




					www.freshports.org


----------



## CyberCr33p (Jun 9, 2022)

Create user1@myfamily.com, user2@myfamily.com, etc. Then forward for example all@myfamily.com to each user1@myfamily.com , user1@myfamily.com, etc. Then configure each Gmail to download for example from user1@myfamily.com using POP3. This is the most reliable way to do it.


----------



## Lamia (Jun 10, 2022)

s2r said:


> This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command)) Jun 9 03:20:10 xx-yy-zz-aa postfix/smtp[75269]: 339B7174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=aspmx.l.google.com[172.253.122.27]:25, delay=2.9, delays=2.1/0.01/0.38/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK 1654755614 j21-20020a05620a411500b006a6f8d26e7dsi2941964qko.122 - gsmtp)


This error may have to do with the SPF settings. You mentioned it too that my family.com done SPF is not properly set and you have how used Postfix SRS. Why don't you properly set the SPF first and manually send an email across the domains before introducing SRS? Gmail can also be finicky; you may need setup an outbound smtp relay with a reputable IP address. Several other domains are like that.


----------



## s2r (Jun 10, 2022)

Lamia said:


> This error may have to do with the SPF settings. You mentioned it too that my family.com done SPF is not properly set and you have how used Postfix SRS. Why don't you properly set the SPF first and manually send an email across the domains before introducing SRS? Gmail can also be finicky; you may need setup an outbound smtp relay with a reputable IP address. Several other domains are like that.


You are right, it's with the SPF settings but I think since my server isn't rewriting the from addresses it is marked as trying to be originatingdomain.com  and doesn't match my IP so SPF would fail.


----------



## s2r (Jun 10, 2022)

VladiBG said:


> use Postfix - Sender Rewriting Scheme (SRS) to rewrite the FROM during forwarding.
> 
> 
> 
> ...


I have already installed, it rewrites the from however it seems it's not using it.


```
Jun 10 07:00:29 xx-yy-zz-aa postfix/qmgr[84933]: 82A69174497: from=<SRS0=D9O7=WR=incoming-domain.com=noreplymo@xx-yy-zz-aa.ip.linodeusercontent.com>, size=92773, nrcpt=4 (queue active)
Jun 10 07:00:29 xx-yy-zz-aa postfix/smtpd[97525]: disconnect from smht-115-214.dattaweb.com[200.58.115.214] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email1@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email2@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97536]: 82A69174497: to=<email4@yahoo.com>, orig_to=<invoices@myfamily.com>, relay=mta6.am0.yahoodns.net[98.136.96.76]:25, delay=2.3, delays=0.87/0.03/0.56/0.82, dsn=2.0.0, status=sent (250 ok dirdel)
Jun 10 07:00:30 xx-yy-zz-aa postsrsd[97533]: srs_forward: <""> not rewritten: No at sign in sender address
Jun 10 07:00:30 xx-yy-zz-aa postsrsd[97534]: srs_reverse: <SRS0=D9O7=WR=incoming-domain.com=noreplymo@xx-yy-zz-aa.ip.linodeusercontent.com> rewritten as <noreplymo@incoming-domain.com>[CODE]
```


----------



## s2r (Jun 10, 2022)

CyberCr33p said:


> Create user1@myfamily.com, user2@myfamily.com, etc. Then forward for example all@myfamily.com to each user1@myfamily.com , user1@myfamily.com, etc. Then configure each Gmail to download for example from user1@myfamily.com using POP3. This is the most reliable way to do it.


This solution will work for sure, I wanted to make this as transparent as possible for my family without needing to configure each of their phone/gmail accounts.


----------



## msplsh (Jun 10, 2022)

It looks like Google is on to your tricks and had adapted to block.  I was going to suggest rewriting the headers with postfix header_checks, but it looks like SRS is a standardized version of this (had never heard of it before) and both of these solutions seem to be a thing Google does not like at all.






						Best practices for forwarding email to Gmail - Gmail Help
					

This article is for email administrators who forward email to Gmail from other servers or services. Follow these best practices to help ensure Gmail's spam filter correctly classifies forwar



					support.google.com
				




Using the gmail fetch is probably going to have to be the solution.


----------



## s2r (Jun 15, 2022)

msplsh said:


> noreply@originatingdomain.com isn't being rewritten to myfmaily.com and set as from=, so it's working as expected?


Is there anything I can change in postsrsd? I didn't find any config files.


----------



## msplsh (Jun 15, 2022)

I don't know how that software works, unfortunately.  The github link from earlier ( #3 ) seems to have some instructions


----------



## s2r (Aug 30, 2022)

I registered a new domain for the vps (acme-vps.net), configured dkim/spf for that domain. Now postsrsd forwards the email correctly using  acme-vps.net and now the emails gets delivered and SPF/DKIM passes. Now the next step is to make postfix use the appropiate envelope for each domain so the corresponding dkim/selector for that domain is used.


----------

