anonaddy / docker

AnonAddy Docker image
MIT License

Can't reply as alias when using relay smtp #284

Closed masterjg closed 3 months ago

masterjg commented 3 months ago

Description

I'm using SMTP relay to send all email. No DKIM, SPF, etc from AnonAddy are set in my DNS zone.

Initial email was sent without issue. Sending email to alias works as expected too.

However when replying to alias I get:

Attempted Reply/Send Failed

An attempt to send or reply from your alias [testas@mg.DOMAIN](mailto:testas@mg.DOMAIN) was just made from [________@gmail.com](mailto:________@gmail.com) which failed because it didn't pass authentication checks and could be spoofed.

In order to send or reply from an alias there must be a valid DMARC policy present for [gmail.com](http://gmail.com/) and your message must be permitted by that DMARC policy.

The attempt was trying to send the message to the following destination: [________@gmail.com](mailto:________@gmail.com)

If this attempt was made by yourself, then you need to make sure your recipient's domain ([gmail.com](http://gmail.com/)) has the correct DNS records in place; SPF, DKIM and DMARC.

If this attempt was not made by you, then someone else may be attempting to send a message from your alias. Make sure you have a suitable DMARC policy in place (with p=quarantine or p=reject) along with SPF and DKIM records to protect your recipient's email address from being spoofed.

My SMTP relay is mailersend.com

DNS records were setup based on their requirements:

```text
@                    TXT     "v=spf1 include:_spf.mailersend.net ~all"
mlsend2._domainkey   CNAME   mlsend2._domainkey.mailersend.net
mta                  CNAME   mailersend.net
_dmarc               TXT     "v=DMARC1; p=quarantine; adkim=s"
```

Logs: anonaddy_log.txt

Expected behaviour

Reply as alias works without any issues

Actual behaviour

Receiving error

Steps to reproduce

Setup anon addy without DKIM, RSPAMD, etc. and use SMTP relay

Docker info

```text
Client: Docker Engine - Community
 Version:    25.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 3
  Paused: 0
  Stopped: 7
 Images: 8
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-35-generic
 Operating System: Ubuntu 23.10
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.866GiB
 Name: mail.bijunu.lt
 ID: 98be9f38-8158-4cb9-89b7-4dd92fd97192
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

### Docker Compose config

```yaml
version: "3.8"

networks:
    anonaddy:
        ipam:
            config:
                - subnet: ${SUBNET}

services:
    MariaDB:
        deploy:
            resources:
                limits:
                    memory: 128M
        environment:
            - MYSQL_ROOT_PASSWORD
            - MYSQL_PASSWORD
            - MYSQL_DATABASE
            - MYSQL_USER
        expose:
            - 3306
        healthcheck:
            test: ["CMD-SHELL", "mariadb-admin ping -p$$MYSQL_ROOT_PASSWORD"]
            interval: 5s
            timeout: 5s
            retries: 36
        image: mariadb:11.0.3
        networks:
            - anonaddy
        restart: unless-stopped
        volumes:
            - ./mysql/data:/var/lib/mysql
            - ./mysql/tune.cnf:/etc/mysql/conf.d/tune.cnf

    Redis:
        command:
            - redis-server
            - --save
            - 60 1
        deploy:
            resources:
                limits:
                    memory: 32M
        expose:
            - 6379
        healthcheck:
            test: ["CMD", "redis-cli", "ping"]
            interval: 5s
            timeout: 5s
            retries: 36
        image: redis:7.0.12-alpine3.18
        networks:
            - anonaddy
        restart: unless-stopped
        sysctls:
            - net.core.somaxconn=65535
        volumes:
            - ./redis/data:/data

    AnonAddy:
        depends_on:
            MariaDB:
                condition: service_healthy
            Redis:
                condition: service_healthy
        deploy:
            resources:
                limits:
                    memory: 512M
        environment:
            TZ: ${TIMEZONE}
            APP_NAME: ${DOMAIN}
            APP_KEY: base64:${APP_KEY}
            APP_URL: http://${HOSTNAME}:8000
            ANONADDY_NON_ADMIN_SHARED_DOMAINS: false
            ANONADDY_ENABLE_REGISTRATION: false
            ANONADDY_DOMAIN: ${DOMAIN}
            ANONADDY_HOSTNAME: ${HOSTNAME}
            ANONADDY_SECRET: ${APP_SECRET}
            ANONADDY_LIMIT: 1000
            ANONADDY_BANDWIDTH_LIMIT: 104857600000
            ANONADDY_NEW_ALIAS_LIMIT: 1000
            ANONADDY_ADDITIONAL_USERNAME_LIMIT: 0
            DB_HOST: mariadb
            DB_DATABASE: ${MYSQL_DATABASE}
            DB_USERNAME: ${MYSQL_USER}
            DB_PASSWORD: ${MYSQL_PASSWORD}
            REDIS_HOST: redis
            MAIL_FROM_NAME: AnonAddy
            MAIL_FROM_ADDRESS: anonaddy@${DOMAIN}
            POSTFIX_SMTPD_TLS: true
            POSTFIX_SMTPD_TLS_CERT_FILE: /certs/live/${HOSTNAME}/fullchain.pem
            POSTFIX_SMTPD_TLS_KEY_FILE: /certs/live/${HOSTNAME}/privkey.pem
            POSTFIX_SMTP_TLS: ${SMTP_RELAY_ENABLE_TLS}
            POSTFIX_RELAYHOST: ${SMTP_RELAY_HOST}:${SMTP_RELAY_PORT}
            POSTFIX_RELAYHOST_AUTH_ENABLE: true
            POSTFIX_RELAYHOST_USERNAME: ${SMTP_RELAY_USERNAME}
            POSTFIX_RELAYHOST_PASSWORD: ${SMTP_RELAY_PASSWORD}
        healthcheck:
            test: ["CMD-SHELL", "nc -vzw1 localhost 25 && nc -vzw1 localhost 8000"]
            interval: 5s
            timeout: 5s
            retries: 36
        image: anonaddy/anonaddy:1.0.9
        networks:
            - anonaddy
        ports:
            - 25:25
            - 8000:8000
        restart: unless-stopped
        volumes:
            - ./anonaddy/data:/data
            - ../certbot/certs:/certs
```

Logs

Due to message size limits logs attached next to description

Additional info

No response
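The error text quoted in this report describes a DMARC check: the From: domain must publish a DMARC record and the message must pass it through aligned SPF or aligned DKIM. The following script is an added illustration of that evaluation and is not AnonAddy, rspamd or mailersend code. The DMARC record mirrors the one in the report (`adkim=s`); the domains, SPF/DKIM outcomes and the two-label organizational-domain shortcut are constructed assumptions, and nothing is looked up in DNS.

```python
"""Minimal DMARC policy evaluation (RFC 7489 style), added as an illustration.

Not AnonAddy, rspamd or mailersend code. All records and authentication
results are constructed samples; no DNS queries are made.
"""
from dataclasses import dataclass


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Assumption for this sample; real code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # domain of the envelope sender (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of a DKIM signature that verified ("" if none)


def evaluate_dmarc(from_domain, record_txt, auth):
    """Return (allow, reason); allow=True corresponds to dmarc=pass."""
    if record_txt is None:
        return False, "no DMARC record published for %s" % from_domain
    try:
        policy = parse_dmarc(record_txt)
    except ValueError as exc:
        return False, str(exc)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "dmarc=pass (spf aligned=%s, dkim aligned=%s)" % (spf_ok, dkim_ok)
    return False, "dmarc=fail; policy p=%s applies" % policy["p"]


if __name__ == "__main__":
    # Constructed record with strict DKIM alignment, as in the report.
    record = "v=DMARC1; p=quarantine; adkim=s"
    # Mail sent through a relay provider: SPF passes for the provider's bounce
    # domain (not aligned), DKIM is signed with the sender's own domain (aligned).
    relayed = AuthResults(True, "bounce.example-relay.test", True, "example.test")
    print(evaluate_dmarc("example.test", record, relayed))
    # Same message signed by a subdomain: strict alignment rejects it.
    subdomain = AuthResults(True, "bounce.example-relay.test", True, "mail.example.test")
    print(evaluate_dmarc("example.test", record, subdomain))
    # No DMARC record at all: the check fails regardless of SPF and DKIM.
    print(evaluate_dmarc("example.test", None, relayed))
```

The second sample is the one to keep in mind with `adkim=s`: a DKIM signature whose `d=` is a subdomain of the From: domain no longer counts, so a relay that signs with a different domain than the one in From: produces dmarc=fail even though SPF and DKIM individually pass.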

masterjg commented 3 months ago

Fixed. IF you're using SMTP relay and NO RSPAMD you have to force-set header.

```bash
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
set -e

. "$(dirname "$0")/00-env"

# Script to add DMARC "Allow" header if the email passes the DMARC policy check
HEADER_FILE="/etc/postfix/header_checks"

# Ensure the header checks file exists
if [ ! -f "$HEADER_FILE" ]; then
    echo "/^From:/ PREPEND X-AnonAddy-Dmarc-Allow: Yes" > "$HEADER_FILE"
else
    if ! grep -q "X-AnonAddy-Dmarc-Allow" "$HEADER_FILE"; then
        echo "/^From:/ PREPEND X-AnonAddy-Dmarc-Allow: Yes" >> "$HEADER_FILE"
    fi
fi

# Update Postfix configuration to include header checks
postconf -e "header_checks = regexp:$HEADER_FILE"
```

Mount this file to /etc/cont-init.d/16_add_dmarc_allow_header.sh in container and that's it.
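The header_checks rule in the script above matches `^From:`, which every message carries, so Postfix prepends `X-AnonAddy-Dmarc-Allow: Yes` to every inbound message whether or not anything verified it. The script below is an added simulation of that Postfix regexp-table behaviour (first matching pattern per header line, PREPEND adds a header line) and is neither AnonAddy nor Postfix code. It runs the rule from the comment next to a conditional alternative that is an assumption on my part, keyed on an `Authentication-Results` header written by a DMARC verifier; the sample messages and host names are constructed.

```python
"""Simulation of a Postfix regexp: header_checks table with PREPEND rules.

Added illustration, not AnonAddy or Postfix code. Rule tables and messages
below are constructed samples.
"""
import re


def parse_header_checks(table):
    """Parse '/pattern/ ACTION text' lines. Postfix regexp tables match
    case-insensitively by default, so patterns are compiled with IGNORECASE."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\w+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE),
                      m.group(2).upper(), m.group(3) or ""))
    return rules


def apply_header_checks(rules, headers):
    """Return the header lines after applying PREPEND rules
    (a subset of Postfix header_checks semantics)."""
    out = []
    for header in headers:
        for pattern, action, text in rules:
            if pattern.search(header):
                if action == "PREPEND":
                    out.append(text)  # extra line inserted next to the matching header
                break  # first matching rule decides this header line
        out.append(header)
    return out


def marked_dmarc_allowed(headers):
    """True if the message now carries 'X-AnonAddy-Dmarc-Allow: Yes'."""
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "x-anonaddy-dmarc-allow" and value.strip().lower() == "yes":
            return True
    return False


# The rule from the comment above: every message has a From: header, so
# every message is marked as if it had passed DMARC.
UNCONDITIONAL_RULE = "/^From:/ PREPEND X-AnonAddy-Dmarc-Allow: Yes\n"

# Alternative (assumption, not from the issue): mark only messages whose
# Authentication-Results header, added by a verifier on this host, says dmarc=pass.
CONDITIONAL_RULE = "/^Authentication-Results:.*dmarc=pass/ PREPEND X-AnonAddy-Dmarc-Allow: Yes\n"

# Constructed sample messages (header section only).
UNVERIFIED = [
    "From: sender@example.test",
    "To: alias@mg.example.test",
    "Subject: constructed sample, no verifier ran",
]
VERIFIED_PASS = [
    "Authentication-Results: mail.example.test; dmarc=pass header.from=example.test",
] + UNVERIFIED
VERIFIED_FAIL = [
    "Authentication-Results: mail.example.test; dmarc=fail header.from=example.test",
] + UNVERIFIED


def outcome(rule_table, headers):
    """Apply one rule table to one message; report whether it got marked allowed."""
    return marked_dmarc_allowed(apply_header_checks(parse_header_checks(rule_table), headers))


if __name__ == "__main__":
    for name, msg in (("unverified", UNVERIFIED), ("pass", VERIFIED_PASS), ("fail", VERIFIED_FAIL)):
        print("%-10s unconditional=%s conditional=%s" % (
            name, outcome(UNCONDITIONAL_RULE, msg), outcome(CONDITIONAL_RULE, msg)))
```

Running it shows the unconditional rule marking all three messages, including the one a verifier explicitly failed, while the conditional rule marks only the dmarc=pass message. Two things to keep in mind with the conditional form: it only does anything if a DMARC verifier (rspamd, OpenDMARC or similar) actually runs on the host and writes that header, which is exactly what is absent in the setup described in this issue, so without one no reply gets through; and the verifier must strip any `Authentication-Results` header that arrives with the message claiming its own authserv-id (RFC 8601, section 5), otherwise the header can simply be supplied by the sender.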