[SOLVED] What is the correct way to forward mail?

I have a number of aliases which forward to external addresses upon receipt.

For years I used MiaB’s aliases to forward it on to external hosts, but as email security has continued to tighten, that no longer works - I recently discovered that method masquerades my mail server as the original sender, meaning that, for catchall aliases in particular, my server was forwarding on spam and other crap and claiming to be the source. Bad!

I’ve since removed all of that and have tried to enable sending copies using filters in Roundcube, which, to my understanding, implements SRS so that mail will get the appropriately rewritten headers. The trouble is that I’ve never gotten this to reliably work - depending on the upstream SMTP service I use, the message either (1) gets tagged as spam or (2) the upstream service views the original source as trying to send on my behalf and blocks the message.

Ultimately, I’m sending mail intended for me to myself, so I’m not concerned about the look of the forwarded message. Is there a forwarding mechanism that completely rewrites the sender?

I’m looking for something that would be functionally the same as me receiving an email, pressing the “Forward” button in my mail client, typing in the external recipient, and pressing send.

You can do that in postfix.

If Gmail is your receiving server, for example, you can set a rule for forwarded messages from an email address to ALWAYS be placed in Gmail’s inbox, Important, etc. Those will never be marked as spam if they have a valid DKIM, DMARC and SPF and proper HTML formatting.

I cannot think of any other way except running Thunderbird all the time and setting a Message filter TAG contains >> Important, Personal to avoid spam. And applying: apply filter after Junk classification.

Roundcube does not have the TAG filter

However, if you try this scenario as per this post, How to set up email forwarding and keep a local copy on the server:

https://web.ece.ucsb.edu/resources/services/itsg/forward.html

It might work

Thanks! But this method appears to be functionally the same as what roundcube is doing. When I test it with an upstream provider like SMTP2GO, I see messages in mail.log:

to=<redacted@gmail.com>, relay=mail.smtp2go.com[176.58.103.10]:465, 
delay=0.8, delays=0.09/0.13/0.35/0.24, dsn=5.0.0, status=bounced 
(host mail.smtp2go.com[176.58.103.10] said: 
   550-From header sender domain not verified (contoso.com) 
   550-On your Sending > Verified Senders page 
   550 verify the sender domain or email to be allowed to send. 
(in reply to end of DATA command))

Again, I’m specifically interested in something that would remove the external domain from the equation entirely, so that the email I’m sending appears to come from / be a copy forwarded by me.

Sorry you mean something like ARC seal?
Authenticated Received Chain - Wikipedia.

I don’t understand. You want to forward only INBOX mail, after Junk mail classification?

Are you using a relay? Maybe your relay is the problem?

I think I’ve figured this out! The solution to my specific question is to use Postfix’s generic maps to rewrite specific senders to another address.

First I had to add the generic map to the bottom of /etc/postfix/main.cf:

smtp_generic_maps = hash:/etc/postfix/generic

In my case, that meant creating the /etc/postfix/generic file with contents like:

external.sender@remote.server.com    me@mydomain.com
another.sender@somewhere.else.com    me@mydomain.com
somebody@mail.server.external.com    me@mydomain.com

Then I ran postmap /etc/postfix/generic and systemctl restart postfix and re-enabled all of my Roundcube sieve filters. All of the forwarded mail from those specific addresses will have the headers rewritten to appear to come from me. Some quick testing indicates that this works!


Maybe your relay is the problem?

Absolutely, yes. If I weren’t using an SMTP relay, I wouldn’t have to play by anybody’s rules, but I host on digitalocean and I’ve grown tired of the constant fight to keep my IP able to send to massive providers like gmail, microsoft, etc. Using a relay essentially mitigates those problems for me.
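A pre-flight check for the generic-map approach in the post above, as an added example that is not part of the original thread and is not Postfix's own code: it parses a generic-style table, predicts the rewritten From address, and reports whether a relay that only accepts verified sender domains would take the message. It is a simplified model that goes slightly beyond the post by also handling the `@domain` pattern from generic(5); the table contents, the `VERIFIED_DOMAINS` set and all function names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the same layout as the post's /etc/postfix/generic.
GENERIC = """\
# pattern                            replacement
external.sender@remote.server.com    me@mydomain.com
@somewhere.else.com                  me@mydomain.com
"""

# Assumption: the sender domains verified at the upstream relay.
VERIFIED_DOMAINS = {"mydomain.com"}


def parse_generic(text):
    """Parse 'pattern replacement' lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, replacement = line.split(None, 1)
            table[pattern.lower()] = replacement.strip()
    return table


def rewrite(addr, table):
    """Try user@domain, then @domain; unmapped addresses pass through.
    Bare 'user' patterns and address extensions are not modelled."""
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    return table.get(addr) or table.get("@" + domain) or addr


def preflight(raw_message, table, verified=VERIFIED_DOMAINS):
    """Return (predicted From address, True if the relay should accept it)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg["From"])
    new_from = rewrite(sender, table)
    return new_from, new_from.rpartition("@")[2] in verified


def sample(sender):
    """Build a constructed test message from the given sender."""
    return f"From: Someone <{sender}>\nTo: user@mydomain.com\nSubject: t\n\nbody\n"


if __name__ == "__main__":
    table = parse_generic(GENERIC)
    for s in ("external.sender@remote.server.com", "x@somewhere.else.com",
              "someone@contoso.com"):
        print(s, "->", preflight(sample(s), table))
```

The unmapped `contoso.com` sender is the case from the bounce earlier in the thread: with a catch-all alias, any sender missing from the map still reaches the relay with its original From domain.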

Aha.

You are just fooling the relay in this case.
Do you have any of the headers before the rewrite and after the rewrite? If you can anonymize them and post them here it would be nice just for comparison.
Is there any trace of the original sending servers in the headers?

I wouldn’t say that - I’m resending the message to another recipient and claiming to be who the message is from. In other words, I’ve forwarded a message.

Here are the headers you asked for:

Original message

Forwarded message

Nice! Good job!
It rewrites it except for the failed DKIM, but you have another DKIM that passes.

dkim=perm_fail header.i=@gmail.com header.s=20230601;

and this part is preserved in the forwarded message:

Received: from miab.mydomain.com ([127.0.0.1]) by miab.mydomain.com with LMTP
id BDQhHSy4VGbEWwAAdtZTHg (envelope-from <username@gmail.com>)
for <user@mydomain.com>; Mon, 27 May 2024 12:43:24 -0400
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on miab.mydomain.com

I noticed that, too. I figured that it’s rewriting the sender but keeping the Gmail DKIM header, so it fails, but then it also adds mine, so it succeeds. Either way: it works and I’m happy. Thanks a million for the assist today!