Possible to work with external distribution lists with DMARC/DKIM/SPF? #4311
Replies: 2 comments 1 reply
-
Could you perhaps translate your setup to something like this example

I assume you can have a DMS instance to be treated as if it were MS Exchange? If you can replicate the scenario that way, I may be able to better assist.

For sending mails, shell into a DMS container (or use an alpine one with

From what I understand, you're asking if you can trust an external mail address sending mail to DMS to be authorized to send mail with a sender address for a mail domain that DMS manages? Yet you can't have the client submit mail over port 465/587, only via port 25?

As for ARC header, there is an existing issue regarding that I think (might be for sending rather than receiving), I don't know if we have anything in place with Postfix to recognize that for trust. Rspamd should support it as part of anti-spam to allow the mail through, but AFAIK rspamd's job is to filter what is received / accepted, but unrelated for sending? (maybe it signs for DKIM, that isn't my area of expertise in the project)
-
Well, the scenario is that an internal account sends with authorization (port 587) to an external mailing list. So:
This step works fine. The e-mail is signed with DKIM and the sending server is listed in the DNS for SPF. Next, the mailing list provider forwards the message to everyone on the list and keeps [email protected] as the "From" address. For most people, this works, but for me and for some others it fails, as the Exchange server is not listed as a trusted sender with SPF and cannot sign the messages with DKIM. As the DMARC policy is strict (reject), the message bounces. So:
I can't see that we are doing anything wrong here. Docker mailserver simply does what it is told. The ideal solution would be if the mailing list could use another "From" address... but tell that to Microsoft. This should be a fairly common real-world problem though, at least it will be when more servers start to use SPF/DKIM/DMARC. Microsoft does add an ARC header, which perhaps offers a solution, but I haven't found any good documentation on how to make that work.

I'm afraid I don't know how to replicate with a DMS instance, I haven't really used mailing lists and even so I'm not sure they would work like they do in Exchange. Sorry...
-
I have an irritating problem that I don't know how to solve. My docker-mailserver domains all have SPF, DKIM and DMARC. Ideally, I want to keep it that way, but some accounts must be members of external mailing lists. At least one of them is handled by Microsoft Exchange (cloud version). The mailing lists forward messages to all participants and use the original sender as the "From" account.
The problem here is that (1) Microsoft's server is not allowed to send based on SPF and (2) cannot sign with my DKIM key. Hence the messages are rejected both by my server (I also get a copy) and by some other servers. For most people, it works and they do get the messages.
Microsoft does tack on an ARC header, so it should be possible to see that this is a forwarded message and check that the original message is fine (DKIM).
I'm still using the old setup, not rspamd. Would this work better with rspamd (when I get a message, can't see that it would help the others)?
Is it possible to change the configuration in a reasonable way to make this work for other recipients without giving in and removing SPF/DKIM?
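The failure discussed in this thread, as an added example that is not part of the original discussion or of docker-mailserver: a receiver-side DMARC decision for a directly submitted message and for the same message after a list forwards it with the original "From" kept, plus the optional ARC override. The domains `example.org` and `list.example.net`, the verdict values and all function names are constructed for illustration; the sample assumes the original DKIM signature no longer verifies after forwarding, and alignment is simplified.

```python
from dataclasses import dataclass, field

@dataclass
class AuthResults:
    header_from: str            # domain of the visible From: header
    spf_result: str             # SPF verdict for the envelope sender
    spf_domain: str             # MAIL FROM domain that SPF checked
    dkim: list = field(default_factory=list)  # [(verdict, d= domain), ...]
    arc_chain: str = "none"     # locally validated ARC chain status (cv=)
    arc_sealer: str = ""        # d= of the newest ARC-Seal
    arc_orig_dkim_pass: bool = False  # first ARC hop recorded an aligned dkim=pass

def aligned(domain, header_from):
    # Simplified relaxed alignment: equal or a subdomain of the From domain.
    # A real verifier compares organizational domains via the Public Suffix List.
    d, f = domain.lower(), header_from.lower()
    return d == f or d.endswith("." + f)

def dmarc_pass(r):
    # DMARC needs one aligned pass: SPF on the envelope domain or any DKIM signature.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from)
    dkim_ok = any(v == "pass" and aligned(d, r.header_from) for v, d in r.dkim)
    return spf_ok or dkim_ok

def disposition(r, policy="reject", trusted_sealers=frozenset()):
    if dmarc_pass(r):
        return "accept"
    # ARC (RFC 8617) is advisory: a receiver may override a DMARC failure as
    # local policy, and only for sealers it has chosen to trust.
    if (r.arc_chain == "pass" and r.arc_sealer.lower() in trusted_sealers
            and r.arc_orig_dkim_pass):
        return "accept (ARC override)"
    return policy if policy in ("reject", "quarantine") else "accept"

# Constructed sample data: example.org is the sender's domain, list.example.net the list host.
DIRECT = AuthResults("example.org", "pass", "example.org", [("pass", "example.org")])
FORWARDED = AuthResults(
    "example.org", "fail", "example.org",        # list host is not in example.org's SPF
    [("fail", "example.org"), ("pass", "list.example.net")],  # original broken, list's unaligned
    arc_chain="pass", arc_sealer="list.example.net", arc_orig_dkim_pass=True)

if __name__ == "__main__":
    print(disposition(DIRECT))
    print(disposition(FORWARDED))
    print(disposition(FORWARDED, trusted_sealers={"list.example.net"}))
```

The override only changes the outcome at receivers that validate ARC and trust the sealing domain; every other receiver still applies the published `p=reject` policy to the forwarded copy.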