Telling myself to poll a different mailbox is ... let's go with a non-starter.
I was wondering if anyone had any guidance / pro tips on how to deal
with SPF related issues when using .forward files.
I have email coming into a system from addresses that are protected with
SPF (-all).
They are telling you not to forward their mail. So don't.
I realize their advice may be ill-considered or ignorant, but so be it.
FWIW I have largely given up on forwarding and tell my users who want
to get their mail somewhere else to set up their other provider to
poll their mailbox here.
I realize there is a thing called SRS which is supposed to fix the SPF forwarding problem, but I haven't found it very useful in practice,
since it turns SPF fails into DMARC fails.
Oh, if you're forwarding to yourself that makes it a lot easier.
Now you know why we all ignore SPF -all except for the edge case
of an SPF record that only says -all for a domain that sends no
mail.
The thing that I left out, because I didn't think it mattered, is that
I'm all three parties in this situation, original source, original destination, and forwarded destination. So ... yes, but no.
So why don't you disable SPF tests when mail is coming from
one of your own hosts?
Maybe you should reconsider in which situations SPF might actually be "useful".
I was wondering if anyone had any guidance / pro tips on how to deal
with SPF related issues when using .forward files.
I have email coming into a system from addresses that are protected
with SPF (-all). The inbound email makes it to the mailbox that is
the original recipient. The problem arises when I add .forward to the
mix. The new .forward recipient is hosted by a system that honors
strict SPF checks, and as such rejects the forwarded message because
it violates the original sender's domain's strict SPF (-all).
I /think/ that I want to utilize some form of masquerading on the intermediate system that hosts the original recipient. But I'm not
sure /if/ masquerading is what I want, much less how to configure it
to masquerade for any and all from addresses. (I'd rather not need to explicitly list original source domains in a game of whack-a-mole.)
I feel like I would describe this as SNAT on the intermediate system
if I were to borrow IP networking terms.
Does anyone have any guidance / pro tips?
My starting suggestion (from a small Linux system perspective): Use a per
OS account procmail script for forwarding. It will change the envelope
sender address to a local one.
If for some reason it does not fit your needs, state why.
I say "conundrum" as opposed to "problem" because I believe that things
are working the way that they are supposed to. I have zero desire to
alter my SPF (-all) stance. I'd much rather alter the message so that
it no longer ran afoul of SPF. Hence masquerading ~> altering the from address to be the intermediate account.
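
The three cases discussed in this thread (direct delivery, a plain .forward, and a forward with a rewritten envelope sender), as an added example that is not from any poster. The domains, IP ranges, secret and the simplified SRS0-shaped tag are constructed assumptions; it models only `ip4` plus `-all` and strict alignment, and is not claimed to be compatible with any particular SRS implementation.

```python
import base64, hashlib, hmac, ipaddress

# Constructed sample SPF data (ip4 mechanisms followed by -all); no DNS lookups.
SPF = {"origin.example": ["192.0.2.0/24"],
       "forwarder.example": ["198.51.100.0/24"]}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def spf_check(mail_from, client_ip):
    """SPF is evaluated on the envelope sender's domain and the connecting IP."""
    nets = SPF.get(domain_of(mail_from))
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def srs0_rewrite(mail_from, forwarder, secret, day):
    """SRS0-shaped rewrite: SRS0=tag=timestamp=origdomain=local@forwarder.
    Tag and timestamp encoding are simplified assumptions."""
    local, dom = mail_from.rsplit("@", 1)
    ts = B32[(day >> 5) & 31] + B32[day & 31]          # day number mod 1024
    mac = hmac.new(secret, (ts + dom + local).lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]  # lets bounces be validated
    return f"SRS0={tag}={ts}={dom}={local}@{forwarder}"

def evaluate(mail_from, header_from, client_ip):
    """Return (SPF result, whether that result is an aligned pass for DMARC).
    Strict alignment; the DKIM leg of DMARC is not modelled."""
    spf = spf_check(mail_from, client_ip)
    aligned = domain_of(mail_from) == domain_of(header_from)
    return spf, spf == "pass" and aligned

def scenarios():
    sender, fwd_ip = "alice@origin.example", "198.51.100.7"
    srs = srs0_rewrite(sender, "forwarder.example", b"constructed-secret", 20000)
    return {
        "direct": evaluate(sender, sender, "192.0.2.10"),
        "plain .forward": evaluate(sender, sender, fwd_ip),
        "rewritten sender": evaluate(srs, sender, fwd_ip),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} spf={result[0]:5} dmarc_spf_aligned={result[1]}")
```

The rewritten case passes SPF for the forwarder's domain but is no longer aligned with the From: header, which is the SPF-fail-to-DMARC-fail trade mentioned above.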