zoni / postforward

Postfix SRS forwarding agent
BSD 2-Clause "Simplified" License

Postforward configured with Postfix PIPE(8) resulting in bounced (mail forwarding loop) #9

Open dismasc opened 4 years ago

dismasc commented 4 years ago

Hello, I am configuring an email server for a company (not a hosting company, but a travel company). And I need help in configuring postforward to work with postfix pipe(8) delivery agents.

THE CONFIGURATION

The domains and mailboxes are stored in the MySQL Database so in /etc/postfix/main.cf:

virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_expansion_limit=2500

The daemon postsrsd is running as well, this is the config for postsrsd in /etc/postfix/main.cf:

#follow postforward suggestion in github when use with postsrsd
#sender_canonical_maps = tcp:localhost:10001
#sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient

I also followed your suggestion for the postforward policy when configured with Postfix PIPE(8):

#postforward policy
postforward_destination_recipient_limit = 1

Then in my /etc/postfix/master.cf, I registered the postforward service:

postforward   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin ${recipient}

Finally to make this all hooked, I created a transport map file /etc/postfix/transport, and put this line:

branddomainname.com postforward:

And went back to my /etc/postfix/main.cf, I added:

transport_maps = hash:/etc/postfix/transport

For now I wish the postforward only installs for the branddomainname.com and not other domain names (so other departments don't complain when something happens during this setup).

Of course I did not forget to do this:

postmap transport
systemctl restart postfix

AND NOW THE EXECUTION OF THE TEST

I sent an email from iamthesender@gmail.com to order@branddomainname.com, where order@branddomainname.com has only one alias that is to iamthealias@gmail.com.

THE RESULT OF THE TEST AND IT IS THE ISSUE

Unfortunately, after many trials, this does not work. In the log, I found that the email, which was only sent once, has doubled:

Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: warning: header Subject: Test #2 30 April 2020 from mail-ua1-f48.google.com[209.85.222.48]; from=<iamthesender@gmail.com> to=<order@branddomainname.com> proto=ESMTP helo=<mail-ua1-f48.google.com>

Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: warning: header Subject: Test #2 30 April 2020 from local; from=<SRS0=voml=6O=gmail.com=iamthesender@thecompanydomain.com> to=<order@branddomainname.com>

And then, I followed both of the MAIL-ID, and here is what I found on the log:

671E024406B7:

Apr 30 11:59:59 corp115486 postfix/smtpd[17981]: 671E024406B7: client=mail-ua1-f48.google.com[209.85.222.48]
Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: message-id=<CAE7sF+GUdfepxMWW-Z9Ez6Go6wN8dG5nTGmvSk25sJUs5w5hng@mail.gmail.com>
Apr 30 11:59:59 corp115486 postfix/cleanup[17988]: 671E024406B7: warning: header Subject: Test #2 30 April 2020 from mail-ua1-f48.google.com[209.85.222.48]; from=<iamthesender@gmail.com> to=<order@branddomainname.com> proto=ESMTP helo=<mail-ua1-f48.google.com>
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: mail-ua1-f48.google.com [209.85.222.48] not internal
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: not authenticated
Apr 30 12:00:00 corp115486 opendkim[4178]: 671E024406B7: DKIM verification successful
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: 671E024406B7: from=<iamthesender@gmail.com>, size=2916, nrcpt=2 (queue active)
Apr 30 12:00:00 corp115486 postfix-rate-limit-snail/smtp[17872]: 671E024406B7: to=<iamthealias@gmail.com>, orig_to=<order@branddomainname.com>, relay=gmail-smtp-in.l.google.com[74.125.140.27]:25, delay=2.6, delays=2.3/0/0.14/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK  1588222800 z16si463811wrl.168 - gsmtp)
Apr 30 12:00:00 corp115486 postfix/pipe[17992]: 671E024406B7: to=<order@branddomainname.com>, relay=postforward, delay=2.6, delays=2.3/0.01/0/0.34, dsn=2.0.0, status=sent (delivered via postforward service)
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: 671E024406B7: removed

AA7D82440708:

Apr 30 12:00:00 corp115486 postfix/pickup[17864]: AA7D82440708: uid=5000 from=<SRS0=voml=6O=gmail.com=iamthesender@thecompanydomain.com>
Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: message-id=<CAE7sF+GUdfepxMWW-Z9Ez6Go6wN8dG5nTGmvSk25sJUs5w5hng@mail.gmail.com>
Apr 30 12:00:00 corp115486 postfix/cleanup[17988]: AA7D82440708: warning: header Subject: Test #2 30 April 2020 from local; from=<SRS0=voml=6O=gmail.com=iamthesender@thecompanydomain.com> to=<order@branddomainname.com>
Apr 30 12:00:00 corp115486 opendkim[4178]: AA7D82440708: no signing table match for 'iamthesender@gmail.com'
Apr 30 12:00:00 corp115486 opendkim[4178]: AA7D82440708: DKIM verification successful
Apr 30 12:00:00 corp115486 postfix/qmgr[17865]: AA7D82440708: from=<SRS0=voml=6O=gmail.com=iamthesender@thecompanydomain.com>, size=4440, nrcpt=2 (queue active)
Apr 30 12:00:00 corp115486 postfix/pipe[17992]: AA7D82440708: to=<order@branddomainname.com>, relay=postforward, delay=0.26, delays=0.2/0/0/0.07, dsn=5.4.6, status=bounced (mail forwarding loop for order@branddomainname.com)
Apr 30 12:01:01 corp115486 postfix-rate-limit-snail/smtp[17873]: AA7D82440708: to=<iamthealias@gmail.com>, orig_to=<order@branddomainname.com>, relay=gmail-smtp-in.l.google.com[74.125.140.27]:25, delay=61, delays=0.2/60/0.15/0.29, dsn=2.0.0, status=sent (250 2.0.0 OK  1588222861 d6si1137819wrv.413 - gsmtp)
Apr 30 12:01:01 corp115486 postfix/bounce[18004]: AA7D82440708: sender non-delivery notification: 3DBCC24406F9
Apr 30 12:01:01 corp115486 postfix/qmgr[17865]: AA7D82440708: removed

If you take a look at the second message with ID AA7D82440708, postforward is working and has rewritten the from to the following:

SRS0=voml=6O=gmail.com=iamthesender@thecompanydomain.com

Now I do not understand where the first message with ID 671E024406B7 was triggered from. Is this how postfix works, or did postforward send it again after it rewrote it?

I hope that I could get some answers on this problem.

Stay safe

Thank you, Dismas

zoni commented 4 years ago

Hi Dismas,

> Now I do not understand where the first message with ID 671E024406B7 was triggered from. Is this how postfix works, or did postforward send it again after it rewrote it?

Postforward indeed submits new mail into the queue (by executing sendmail) which is why you'll see a pickup entry with a new message ID.

The problem in your configuration that is causing postfix to run into a mail forwarding loop appears to be in the service definition:

postforward   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin ${recipient}

The argument to postforward needs to be the email address that needs to be forwarded to, not the original recipient.

By using ${recipient} above, you're specifying the original recipient, which postfix correctly determines ends up in a forwarding loop (if it accepts this mail, it goes through postforward again, which submits it back to itself, puts it through postforward again, and so on and so on).

If all mail for branddomainname.com needs to go to the same forwarded recipient, you could put that address in place of ${recipient} above. If you have multiple different addresses, I cannot think of any way to achieve this other than to define specific transports for each of them so you end up with something like:

# /etc/postfix/master.cf
postforward_foo   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin foo@host.tld
postforward_bar   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin bar@host.tld

# /etc/postfix/transport
foo@branddomainname.com postforward_foo:
bar@branddomainname.com postforward_bar:
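
An added example, not part of the original thread and not postforward's own code: a small check that scans master.cf for the misconfiguration described in the reply above, a pipe service that passes `${recipient}` to postforward as the forwarding target. The sample file is constructed from the lines quoted in this thread; `logical_lines` and `find_looping_services` are hypothetical names.

```python
import re

# Constructed sample: the issue's service line (wrapped) and the reply's per-address form.
SAMPLE_MASTER_CF = """\
# /etc/postfix/master.cf (constructed sample)
smtp          inet  n  -  n  -  -  smtpd
postforward   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail
  argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin ${recipient}
postforward_foo   unix  -  n  n  -  -  pipe flags=ODR user=vmail:vmail argv=/usr/local/bin/postforward --path /usr/sbin:/sbin:/usr/bin:/bin foo@host.tld
"""

# pipe(8) expands ${recipient}; $recipient and $(recipient) are alternate forms.
RECIPIENT_MACRO = re.compile(r"\$(?:\{recipient\}|\(recipient\)|recipient\b)")


def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace); skip comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current


def find_looping_services(text, agent="postforward"):
    """Names of pipe services whose argv hands the original recipient to agent."""
    flagged = []
    for line in logical_lines(text):
        fields = line.split()
        # Fields: service type private unpriv chroot wakeup maxproc command args
        if len(fields) < 8 or fields[7] != "pipe":
            continue
        args = line.partition("argv=")[2].split()
        if not args or args[0].rsplit("/", 1)[-1] != agent:
            continue
        if any(RECIPIENT_MACRO.search(arg) for arg in args[1:]):
            flagged.append(fields[0])
    return flagged

if __name__ == "__main__":
    for name in find_looping_services(SAMPLE_MASTER_CF):
        print(f"{name}: argv passes the original recipient back to postforward")
```

On the constructed sample only the `postforward` service is reported; the per-address `postforward_foo` form from the reply is not.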

dismasc commented 4 years ago

Hi Zoni,

Thank you for your time and answer. I hope you and your family are in good health in this pandemic era.

Unfortunately, I have tried it and it does not work. But anyhow, if it would need manual addition for every forwarding email address (alias), then I guess I just have to accept to live with the fact that aliases would be forwarded as unauthenticated and would break the SPF.

The world does not have a COVID-19 vaccine yet as I am writing this comment, and so what is the big deal with forwarded emails breaking the SPF ;).

Once again, thank you, Dismas.