
rewrite return-path header for forwarded e-mails

Open DerBergRuft opened this issue 1 year ago • 2 comments

I am using froxlor 0.10.37 to manage my own domains. I created a small, simple mailing list by specifying several forwarders for the mailing list address. The forwarded mails are rejected by some providers because the SPF check fails. The SPF entry is checked against the value of the return-path header. Postfix replaces the return-path header with the original sender's address. The only appropriate way to solve this issue seems to be rewriting the return-path header with a postfix after-queue filter. Postfix provides a simple example, but maybe someone already has a filter to share. I can't be the only one facing that issue.

System information

  • Froxlor version: $0.10.37/$gitSHA1
  • Web server: apache2.4
  • POP/IMAP server: Dovecot
  • SMTP server: postfix 3.5.13
  • OS/Version: Debian 10

Steps to reproduce

  1. create an e-mail address like [email protected]
  2. forward this address to an external address like [email protected]
  3. send an e-mail from another external ([email protected]) address to the created one ([email protected])

Expected behavior

  1. return-path header should belong to the domain of the created address (e.g. [email protected])

Actual behavior

  1. return-path header is rewritten by postfix after header_checks to [email protected]
  2. e-mail might be rejected by mail.external2.com due to SPF mismatch between example.com and external2.com

DerBergRuft, Aug 25 '22 10:08

This sounds kind of mailing-list specific. From the SPF wiki article:

FAIL and forwarding SPF breaks plain message forwarding. When a domain publishes an SPF FAIL policy, legitimate messages sent to receivers forwarding their mail to third parties may be rejected and/or bounced if all of the following occur:

  1. The forwarder does not rewrite the Return-Path, unlike mailing lists.
  2. The next hop does not allowlist the forwarder.
  3. This hop checks SPF.

This is a necessary and obvious feature of SPF – checks behind the "border" MTA (MX) of the receiver cannot work directly.

Publishers of SPF FAIL policies must accept the risk of their legitimate emails being rejected or bounced. They should test (e.g., with a SOFTFAIL policy) until they are satisfied with the results. See below for a list of alternatives to plain message forwarding.

d00p, Aug 25 '22 10:08

I have a softfail policy, but some mail servers ignore it and reject the mail. Your point 1. is the key.

DerBergRuft, Aug 25 '22 11:08