roehling / postsrsd

Postfix Sender Rewriting Scheme daemon

Rewrite sender addresses based on recipient domain #119

Open defcon8 opened 2 years ago

defcon8 commented 2 years ago

Hi,

We have postfix running as outgoing mail relay. It implements OpenDKIM & PostSRSD. Everything works fine, except when we send a test mail to https://www.mail-tester.com, we get a score of 9.9/10 just because of the following reason:

-0.249 | HEADER_FROM_DIFFERENT_DOMAINS | From and EnvelopeFrom 2nd level mail domains are different

So if I understand this message correctly, the envelope-from and from fields in the e-mail header differ, which is logical because of OpenSRSd. So I guess there is no fix for this?

Kind regards,

Bastiaan

E-Mail source:

Received: by mail-tester.com (Postfix, from userid 500)
    id 67FCBA99E9; Mon,  6 Dec 2021 11:38:21 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level: 
X-Spam-Status: No/0.2/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.249,RCVD_IN_DNSWL_BLOCKED=0.001,
    SPF_HELO_NONE=0.001,SPF_PASS=-0.001,URIBL_BLOCKED=0.001
X-Spam-Last-External-IP: 137.144.175.103
X-Spam-Last-External-HELO: mx1.xxxxxhosting.nl
X-Spam-Last-External-rDNS: mx1.xxxxxhosting.nl
X-Spam-Date-of-Scan: Mon, 06 Dec 2021 11:38:21 +0100
X-Spam-Report: 
    *  0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
    *      DNSWL was blocked.  See
    *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [137.144.175.103 listed in list.dnswl.org]
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    *      blocked.  See
    *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: xxxxxmedia.com]
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
    *      mail domains are different
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=137.144.175.103; helo=mx1.xxxxxhosting.nl; envelope-from=srs0=opxg=qx=xxxxxmedia.com=info@xxxxxhosting.nl; receiver=test-9bzggwfs3@srv1.mail-tester.com 
DMARC-Filter: OpenDMARC Filter v1.3.1 mail-tester.com 4CD20A99EE
Authentication-Results: mail-tester.com; dmarc=pass header.from=xxxxxmedia.com
Authentication-Results: mail-tester.com;
    dkim=pass (2048-bit key; unprotected) header.d=xxxxxmedia.com header.i=@xxxxxmedia.com header.b=fhEUUwzq;
    dkim-atps=neutral
Received: from mx1.xxxxxhosting.nl (mx1.xxxxxhosting.nl [137.144.175.103])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail-tester.com (Postfix) with ESMTPS id 4CD20A99EE
    for <test-9bzggwfs3@srv1.mail-tester.com>; Mon,  6 Dec 2021 11:38:19 +0100 (CET)
Received: from srv001.xxxxxhosting.nl (srv001.xxxxxhosting.nl [36.204.107.171])
    by mx1.xxxxxhosting.nl (Postfix) with ESMTPS id E90832A05CD
    for <test-9bzggwfs3@srv1.mail-tester.com>; Mon,  6 Dec 2021 10:38:18 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.xxxxxhosting.nl E90832A05CD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxxxxmedia.com;
    s=default; t=1638787098;
    bh=IVCUNix+Vaoa9MN45zzvXPA6cx15HF3C8d6O5U38rf8=;
    h=Date:To:From:Subject;
    b=fhEUUwzqtRSzANp9qqgdQqgR037tu9wFW1xKgUDQ1gtJfTSUJ/qcWmQiHx3vOaMy2
     AwiepOF4oUVyqUxCaV/B9PaYsVLh9MJlm0tN5QPU8I4bUGQKqY5hXf29JuDcF8ynPE
     n/wJCm2QATy7E8R9QoXxukWkN+O3/jufbLN1O0154HK6M1do1rVearTqKlShtV1joc
     KHxx/jYwHSuCVYVutJKECQ8KsATuKlvGp7RS/DLoCQc1teSTREDegJbEXHy1KYgV7J
     Xf42lZDEU7lYh08CU2+ZT5FJY05COmBQylYFLjoE0g72Uyv4+acfIIFFGhYwbw9WD2
     8/YybNmZhKS4Q==
Received: from [178.85.206.231] (port=8366 helo=nems)
    by srv001.xxxxxhosting.nl with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.94.2)
    (envelope-from <info@xxxxxmedia.com>)
    id 1muBNz-0000VW-6U
    for test-9bzggwfs3@srv1.mail-tester.com; Mon, 06 Dec 2021 11:38:18 +0100
Date: Mon, 6 Dec 2021 13:35:43 +0100
To: test-9bzggwfs3@srv1.mail-tester.com
From: XXXXX Media <info@xxxxxmedia.com>
Subject: Test e-mail
Message-ID: <WwqmocRzeOF9yR445Dkte5Hhy1HOKpCNhWuQVIFd2s@nems>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1

This is a test to see if the e-mail works correctly.

Cheers,

B.

roehling commented 2 years ago

The mismatch between Header-From and Envelope-From is unavoidable with a forwarding email server. To be honest, I don't think the HEADER_FROM_DIFFERENT_DOMAINS rule is particularly useful these days. Back in the days before DKIM and SPF, it might have been a useful heuristic to catch unauthorized spam, but today, people either have a correctly configured server such as yours (which preserves the original DKIM signature to authenticate Header-From and SPF-authorizes the mail server to send as Envelope-From), or their email will be bounced pretty much immediately. Therefore, I consider the mail-tester.com check buggy. Ironically, mail-tester.com explicitly acknowledges that your email passes the DMARC check and proves its provenance, so it is beyond my understanding why they think that the (mis-)match of the domain names should matter.

You might be able to work around the issue if you can add your email server to the SPF authorized senders for xxxxxmedia.com. In that case, you would not need to rewrite the xxxxxmedia.com sender addresses at all (and you could configure a PostSRSd exception with SRS_EXCLUDE_DOMAINS). Of course, that workaround might scale poorly if you need to forward emails for a large number of customer domains.

gingerlime commented 1 year ago

I seem to bump into a related problem when using multiple domains. DKIM/SPF/DMARC all pass, but I get a report from Postmark DMARC which says:

[sender.com] is authorized to send on behalf of [domain.com], however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.

I have a main domain (sender.com) which I send most emails from, but also some "addon" domains that I host (domain.com). When someone sends from the other domains, the return-path and from address are misaligned, e.g.

Return-Path: SRS0=/uJq=ZV=domain.com=user@sender.com
From: user@domain.com

Is there a way to adjust the return path for each of these addon domains?
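Both the mail-tester report above and the Postmark DMARC report here come down to the same identifier-alignment rule: DMARC passes if either the SPF-authenticated MAIL FROM domain or a valid DKIM d= domain aligns with the header From. The script below is an added example, not part of the postsrsd project; it recovers the original sender from an SRS0 address and evaluates alignment on constructed header values modelled on the ones quoted in this thread (organizational domain is approximated as the last two labels, an assumption that skips the Public Suffix List).

```python
"""DMARC alignment check for SRS-rewritten envelope senders (added example)."""
import re

# SRS0 form: SRS0=<hash>=<timestamp>=<original domain>=<original local>@<forwarder>
SRS0_RE = re.compile(
    r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<forwarder>.+)$",
    re.IGNORECASE,
)


def srs0_original_sender(address):
    """Return the pre-rewrite sender (local@domain), or None if not SRS0-shaped."""
    m = SRS0_RE.match(address)
    return f"{m.group('local')}@{m.group('domain')}" if m else None


def org_domain(domain):
    """Approximate organizational domain as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b, strict=False):
    """Relaxed alignment compares organizational domains; strict compares exactly."""
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)


def dmarc_alignment(header_from, return_path, spf_result, dkim_results):
    """dkim_results: list of (d= domain, result). Returns per-mechanism alignment."""
    from_dom = header_from.rsplit("@", 1)[1]
    rp_dom = return_path.rsplit("@", 1)[1]
    spf_aligned = spf_result == "pass" and aligned(from_dom, rp_dom)
    dkim_aligned = any(r == "pass" and aligned(from_dom, d) for d, r in dkim_results)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "original_sender": srs0_original_sender(return_path),
    }


# Constructed sample mirroring the mail-tester headers: SRS-rewritten envelope
# sender at the forwarder, DKIM signature from the author's own domain.
SAMPLE = {
    "header_from": "info@xxxxxmedia.com",
    "return_path": "srs0=opxg=qx=xxxxxmedia.com=info@xxxxxhosting.nl",
    "spf_result": "pass",
    "dkim_results": [("xxxxxmedia.com", "pass")],
}

if __name__ == "__main__":
    print(dmarc_alignment(**SAMPLE))
```

Running it on the sample shows SPF unaligned but DKIM aligned, which is why mail-tester still reports dmarc=pass; a message whose only DKIM signature is from the hosting domain would fail both and is the case where excluding hosted domains from rewriting matters.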

roehling commented 1 year ago

@gingerlime if you are hosting the domains, you do not need to apply SRS at all; just add them to the SRS_EXCLUDE_DOMAINS.

gingerlime commented 1 year ago

@roehling thank you so much. I'm hosting them, but also forward the emails. I tried to exclude them, but for some reason it didn't seem to work. I saw an old bug about it and I think I updated to the latest version. I will try it again and see if I can figure out why the exclusion isn't working for me.

Would it be possible to adjust the return-path based on the extra domains though? I think this will be ideal if it's possible.

roehling commented 1 year ago

@gingerlime This is not possible to achieve with PostSRSd 1.x, but it may be feasible to do so with the PostSRSd 2.x milter implementation, once it has reached maturity past the upcoming 2.0 release.

benchonaut commented 1 year ago

see this -> https://github.com/roehling/postsrsd/discussions/76#discussioncomment-4740635