This post describes how to deal with Postfix, .forward files and SPF. When you forward an email to another address and the sender's domain uses SPF, you are going to run into problems, because the forwarding mail server is not listed as an authorized mail server in the SPF DNS records of the sender's domain. If the receiving mail server checks that SPF record, it will reject the forwarded email. The wonderful thing about security is that once you get started things only get more complicated going forward (haha pun intended).
The solution for this is called SRS (Sender Rewriting Scheme), which is a standard for rewriting the envelope sender address so it looks like the email was sent from the forwarding mail server rather than the original, sending mail server.
I first tried pfixtools but had so many dependency and library issues that I stopped halfway and looked for an alternative. The software I’m using is postsrsd by Timo Röhling.
The installation instructions are for Red Hat 6/CentOS 6 with SELinux in enforcing mode. It looks like it works for Ubuntu as well if you use sysv-rc-conf rather than chkconfig for adding postsrsd to the boot sequence (thanks to Tom Walker, see comments). I did run into a small issue with the postsrsd installation where my Red Hat installation was falsely recognized as a SysV-LSB system and it installed the wrong init script. The workaround here is not to use the standard makefile (which only kicks off cmake anyway) but rather to issue the instructions yourself and provide the variable for setting sysv-redhat via the command line. Before you do so, please check on GitHub whether the issue has been resolved; the information I’m posting might be superseded by improvements to the postsrsd software.
```bash
# Download and compile the software
cd ~
wget https://github.com/roehling/postsrsd/archive/master.zip
unzip master
cd postsrsd-master/
sudo make
sudo make install
```

```bash
# Add postfix configuration parameters for postsrsd
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient"
```

```bash
# Add SRS daemon to startup
sudo chkconfig postsrsd on
# Start SRS daemon
sudo service postsrsd restart
# Reload postfix
sudo service postfix reload
```
That’s it, it works well and my forwarding problems have gone away. On to the next (security) problem!