Long time Miab user and lurker in general (some great solutions here). I hope someone can provide some insight on an issue which is throwing me for a bit of a loop. I’ve explained my setup and problems below with an example.
I’ve setup Roundcube to forward email to an external account.
I also have all mail on the box setup to relay through Mandrill (postfix config).
The email relay works perfectly for all email originating from the box instance.
The problem is that the copied (or redirected) emails arrive at Mandrill with the original sender's email address. Because I don’t own these addresses I obviously can’t sign them correctly, and Mandrill rejects them. If the original sender was from one of the domains under my control, it works perfectly too (as I have set SPF/DMARC etc. on Mandrill).
email@example.com sends an email to forwardingaddress@domain. Roundcube Sieve tells this email to go to firstname.lastname@example.org via copy/redirect. Since all outgoing email is relayed, Mandrill now tries to send this but uses email@example.com as the FROM email instead of forwardingaddress@domain, which results in a failure because firstname.lastname@example.org is unsigned.
I believe Alento has had similar issues with this setup.
From what I understand using an alias in miab would produce the same result (will do further tests this evening).
Does anyone know of a preferred solution for this? Should I try to create an exception on postfix NOT to relay for this one domain or account? I would prefer the least hacky option that is friendly with Miab upgrades, but this is not imperative.
Please clarify … is the failure within Mandrill - meaning Mandrill won’t send as it recognizes that the email is not from YOUR sender, or is the failure at the receiving end?
Gmail does NOT respect SRS … therefore any mail forwarded to Gmail (even if SRS was supported - which MiaB does not do btw) may never make it to a Gmail inbox.
The failure is at Mandrill and expected behavior. It gets rejected here before it even tries to send because obviously the domain isn’t verified (by email with SPF and DKIM set).
I want the forwarded email to show the ‘forwardingaddress@domain’ as if you’re forwarding an email manually with any standard email client. I know this will solve the problem, as any email coming from ‘forwardingaddress@domain’ sends correctly through Mandrill and appears in Gmail’s inbox normally.
I wanted to comment on forwarding in general.
Forwarding mail that’s authenticated by SPF only doesn’t work. This is down to the design of SPF.
In a nutshell, SPF tells the receiving server what IP addresses are allowed to send mail for a particular domain. Depending on either:
- The domain’s DMARC record.
- The setup of the receiving server.
Mail that fails SPF can end up being rejected altogether or ending up in the receiver’s spam folder.
Note: The original SPF specification left it up to the receiver, but the DMARC RFC specifies that the policy in the DMARC record should be honoured (although it does allow for headers to be added if a server chooses not to honour DMARC).
With regards to SRS:
SRS was a draft proposal put forward to deal with the shortcomings of SPF. It was never formally ratified by the IETF and has since expired. While some providers did implement SRS, not everyone did, but there’s something else to consider.
SPF works based on the domain of the mail sender.
DMARC works based on the domain of the mail author.
The former is sent to the server as part of the mail transaction before the email is sent.
The latter is part of the mail and is the From: header.
SRS works by rewriting the mail sender address so the domain changes to one owned by the forwarding server.
However, DMARC compares the two domains and, where they are different, produces a fail result even if the actual SPF check appears to pass.
Thus SRS breaks DMARC.
Provided there’s a DKIM pass, an SPF fail doesn’t matter. DMARC requires either of the two checks to pass:
- Mail comes from an approved IP address (SPF pass and domain in SPF check matches From: domain)
- Mail is signed with valid DKIM signature (and signature domain matches the From: domain)
Anyone using a mail forwarder of any description needs to understand what can happen when mail is forwarded. I’m not a professional myself, but I’ve spent 4 years helping out on Virgin Media’s email forums and have taken the time to understand SPF, DKIM and DMARC along the way. I’ve seen some interesting rejections because of both SPF and DKIM. The latter especially can be a pain to troubleshoot.
SPF fails are fairly straightforward to understand though. One of the hardest parts for me was understanding why I could get an SPF pass but a DMARC fail in the authentication results.
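The "SPF pass but DMARC fail" case described above, worked through as an added example (my own toy evaluator, not code from the thread or from Mail-in-a-Box). It assumes relaxed alignment with a crude organisational-domain check (last two labels, no public suffix list) and uses constructed domains for the sender, forwarder and recipient.

```python
# Added example (not from the thread): a toy DMARC evaluator showing why
# plain forwarding fails SPF, why SRS yields "SPF pass, DMARC fail", and
# why an intact, aligned DKIM signature survives forwarding.
# Assumption: relaxed alignment, i.e. the organisational domain of the
# SPF-checked MAIL FROM (or of the DKIM d=) must match the From: header's.

def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels (no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def dmarc_result(from_header_domain, mail_from_domain, spf_pass,
                 dkim_domain=None, dkim_pass=False):
    """Return identifier-alignment results and the resulting DMARC verdict."""
    author = org_domain(from_header_domain)            # DMARC: mail author
    spf_aligned = spf_pass and org_domain(mail_from_domain) == author
    dkim_aligned = (dkim_pass and dkim_domain is not None
                    and org_domain(dkim_domain) == author)
    return {"spf_pass": spf_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

# Constructed scenario mirroring the thread: example.com writes to a mailbox
# on the forwarder, which redirects the message onward.

def plain_forward():
    # Forwarder keeps MAIL FROM as the original sender; the forwarder's IP
    # is not listed in example.com's SPF record, so SPF fails.
    return dmarc_result("example.com", "example.com", spf_pass=False)

def srs_forward_no_dkim():
    # SRS rewrites MAIL FROM to the forwarder's domain: SPF now passes,
    # but the SPF domain no longer matches the From: domain.
    return dmarc_result("example.com", "srs.forwarder.example", spf_pass=True)

def srs_forward_with_dkim():
    # As above, but the original message still carries a valid DKIM
    # signature with d=example.com, which is aligned with From:.
    return dmarc_result("example.com", "srs.forwarder.example", spf_pass=True,
                        dkim_domain="example.com", dkim_pass=True)

if __name__ == "__main__":
    for name, fn in [("plain forward", plain_forward),
                     ("SRS, no DKIM", srs_forward_no_dkim),
                     ("SRS + aligned DKIM", srs_forward_with_dkim)]:
        print(f"{name:20s} -> {fn()}")
```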