• .forward woes with SPF

    From Grant Taylor@21:1/5 to All on Sun Dec 19 18:00:46 2021
    Hi,

    I was wondering if anyone had any guidance / pro tips on how to deal
    with SPF related issues when using .forward files.

    I have email coming into a system from addresses that are protected with
    SPF (-all). The inbound email makes it to the mailbox that is the
    original recipient. The problem arises when I add .forward to the mix.
    The new .forward recipient is hosted by a system that honors strict SPF
    checks, and as such rejects the forwarded message because it violates
    the original sender's domain's strict SPF (-all).

    I /think/ that I want to utilize some form of masquerading on the
    intermediate system that hosts the original recipient. But I'm not sure
    /if/ masquerading is what I want, much less how to configure it to
    masquerade for any and all from addresses. (I'd rather not need to
    explicitly list original source domains in a game of whack-a-mole.)

    I feel like I would describe this as SNAT on the intermediate system if
    I were to borrow IP networking terms.

    Does anyone have any guidance / pro tips?



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to All on Mon Dec 20 03:00:39 2021
    According to Grant Taylor <gtaylor@tnetconsulting.net>:
    > Telling myself to poll a different mailbox is ... let's go with a
    > non-starter.

    Oh, if you're forwarding to yourself that makes it a lot easier.

    Now you know why we all ignore SPF -all except for the edge case
    of an SPF record that only says -all for a domain that sends no
    mail.

    R's,
    John
    --
    Regards,
    John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to gtaylor@tnetconsulting.net on Mon Dec 20 02:17:13 2021
    It appears that Grant Taylor <gtaylor@tnetconsulting.net> said:
    > I was wondering if anyone had any guidance / pro tips on how to deal
    > with SPF related issues when using .forward files.
    >
    > I have email coming into a system from addresses that are protected with
    > SPF (-all).

    They are telling you not to forward their mail. So don't.

    I realize their advice may be ill-considered or ignorant, but so be it.

    FWIW I have largely given up on forwarding and tell my users who want
    to get their mail somewhere else to set up their other provider to
    poll their mailbox here.

    I realize there is a thing called SRS which is supposed to fix the SPF
    forwarding problem, but I haven't found it very useful in practice, since
    it turns SPF fails into DMARC fails.

    R's,
    John
    --
    Regards,
    John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Levine on Sun Dec 19 19:42:24 2021
    On 12/19/21 7:17 PM, John Levine wrote:
    > They are telling you not to forward their mail. So don't.

    The thing that I left out, because I didn't think it mattered, is that
    I'm all three parties in this situation, original source, original
    destination, and forwarded destination. So ... yes, but no.

    > I realize their advice may be ill-considered or ignorant, but so be it.

    Chuckle.

    > FWIW I have largely given up on forwarding and tell my users who want
    > to get their mail somewhere else to set up their other provider to
    > poll their mailbox here.

    Telling myself to poll a different mailbox is ... let's go with a
    non-starter.

    > I realize there is a thing called SRS which is supposed to fix the SPF
    > forwarding problem, but I haven't found it very useful in practice,
    > since it turns SPF fails into DMARC fails.

    I've actually got SRS working with Sendmail and it doesn't make any real difference in this case.

    More details on the mail flow are as follows:

    1) gtaylor@domain1.example sends a message to gtaylor@domain2.example.
    2) gtaylor@domain2.example .forwards to host2@domain3.example.

    gtaylor@domain1.example could just as easily be <something>@gmail.com, as
    both domain1.example and gmail.com have similar (but not identical)
    restrictions.

    domain1.example and domain3.example are hosted on the same host.
    domain2.example uses the same host as the inbound MX from the world, and
    mailertable routes to the internal host.

    So ...

    1) Something (gtaylor@domain1.example / <something>@gmail.com) sends an
    email to gtaylor@domain2.example which relays through the public host on
    its way to the internal host.
    2) The internal host receives the email from something to gtaylor@domain2.example.
    3) The internal host .forwards the message to host2@domain3.example.
    4) The public host rejects the message from something
    (gtaylor@domain1.example / <something>@gmail.com) because the message
    runs afoul of SPF (-all).

    A little more background: I have many systems that .forward messages
    from them to special addresses on my main mail server. E.g.
    <REDACTED>@domain2.example .forwards to domain2@<REDACTED>.domain1.example.
    This means that systems I have configured .forward messages from cron and
    the like to my central account.

    I just started testing something wherein email from the public Internet
    was going into my address on one of my hosts, where it dutifully
    forwarded to the host's sub-domain address on the main mail server.
    Except ... SPF.

    Seeing as how I have full control of the leaf systems in question which
    are .forwarding to my central account, I am quite content if they
    masquerade everything that leaves the system to appear to be from me /
    my address on said leaf system.

    I could do what I want by enhancing .forward to pipe into a program that
    would turn the message into an RFC 822 attachment to a new email. But
    that seems ... overkill.


    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Levine on Sun Dec 19 20:25:19 2021
    On 12/19/21 8:00 PM, John Levine wrote:
    > Oh, if you're forwarding to yourself that makes it a lot easier.

    Does it? Does it fundamentally alter the situation? I don't think it does.

    > Now you know why we all ignore SPF -all except for the edge case
    > of an SPF record that only says -all for a domain that sends no
    > mail.

    You say /now/ as if I didn't grok this before. I /did/ grok it.

    Note: When I asked about masquerading the (envelope and / or header)
    sender, I was conveying that I'm exploring /how/ to solve the end-to-end
    delivery conundrum /within/ the established constraints.

    I say "conundrum" as opposed to "problem" because I believe that things
    are working the way that they are supposed to. I have zero desire to
    alter my SPF (-all) stance. I'd much rather alter the message so that
    it no longer ran afoul of SPF. Hence masquerading ~> altering the from
    address to be the intermediate account.

    I /feel/ like and /want/ /to/ /believe/ -- thank you Fox Mulder -- that
    there is a way to achieve my goal.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Grant Taylor on Mon Dec 20 00:55:45 2021
    Grant Taylor wrote:

    > The thing that I left out, because I didn't think it mattered, is that
    > I'm all three parties in this situation, original source, original
    > destination, and forwarded destination. So ... yes, but no.

    So why don't you disable SPF tests when mail is coming from
    one of your own hosts?

    Maybe you should reconsider in which situations SPF might
    actually be "useful".

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to All on Sun Dec 19 23:25:44 2021
    On 12/19/21 10:55 PM, Claus Aßmann wrote:
    > So why don't you disable SPF tests when mail is coming from
    > one of your own hosts?

    Because $REASONS. Let's agree to disagree and move past "is SPF a Good
    Thing™ or a Bad Thing™".

    > Maybe you should reconsider in which situations SPF might
    > actually be "useful".

    I think that SPF is doing /exactly/ what it's supposed to based on what
    I've asked it to do. Said another way, SPF is doing what it is
    configured and intended to do in this situation.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrzej Adam Filip@21:1/5 to Grant Taylor on Mon Dec 20 08:00:08 2021
    Grant Taylor <gtaylor@tnetconsulting.net> wrote:
    > I was wondering if anyone had any guidance / pro tips on how to deal
    > with SPF related issues when using .forward files.
    >
    > I have email coming into a system from addresses that are protected
    > with SPF (-all). The inbound email makes it to the mailbox that is
    > the original recipient. The problem arises when I add .forward to the
    > mix. The new .forward recipient is hosted by a system that honors
    > strict SPF checks, and as such rejects the forwarded message because
    > it violates the original sender's domain's strict SPF (-all).
    >
    > I /think/ that I want to utilize some form of masquerading on the
    > intermediate system that hosts the original recipient. But I'm not
    > sure /if/ masquerading is what I want, much less how to configure it
    > to masquerade for any and all from addresses. (I'd rather not need to
    > explicitly list original source domains in a game of whack-a-mole.)
    >
    > I feel like I would describe this as SNAT on the intermediate system
    > if I were to borrow IP networking terms.
    >
    > Does anyone have any guidance / pro tips?

    My starting suggestion (from a small Linux system perspective):
    use a per-OS-account procmail script for forwarding.
    It will change the envelope sender address to a local one.

    If for some reason it does not fit your needs, state why.

    --
    [Andrew] Andrzej A. Filip

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to Andrzej Adam Filip on Mon Dec 20 10:44:04 2021
    On 12/20/21 1:00 AM, Andrzej Adam Filip wrote:
    > My starting suggestion (from a small Linux system perspective): use a
    > per-OS-account procmail script for forwarding. It will change the
    > envelope sender address to a local one.

    Calling some sort of program via .forward or procmail seems to be
    floating to the surface.

    > If for some reason it does not fit your needs, state why.

    I've not tried it yet. The few "but I don't wanna" things that come to
    mind are:

    - It's per user and doesn't address multiple users on the system.
    - Additional dependencies - procmail isn't installed on all the
    systems I would use this on.
    - It leaves me wondering if this is strictly necessary. -- I've not
    yet found something I wanted to do that couldn't be handled by Sendmail
    itself. This makes me question if there truly is no Sendmail solution
    or if I simply haven't found it yet. With the latter being more likely.

    If I'm going to create a forwarding agent, I'm likely going to do it
    once and have it do multiple things:
    - Attach the incoming message as an RFC 822 attachment.
    - Use the Auto-Submitted: header.
    - Make sure to do loop avoidance.
    - Log what it does.
    - Save received messages somewhere. -- Should probably purge things
    after a while too.
    - Use SMTP Authentication to send directly to my own server.
    - Use STARTTLS.

    This is quickly turning into quite a bit more than just change $SETTINGS
    to do what you want.

    But the mail forwarding agent does comply with my belief that email
    addresses are terminal endpoints (starting and ending points) for
    messages, a la mailing lists, which receive a message and generate a new
    one substantively based on the incoming message.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
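    The forwarding agent sketched in the list above, written out as an added example; this is not code from the thread, from Sendmail or from procmail. It is meant to be the target of a .forward pipe entry such as "|/usr/local/bin/fwd-agent host2@domain3.example": it wraps the incoming message as a message/rfc822 attachment in a brand-new message from the local account, sets Auto-Submitted:, refuses to re-forward auto-generated mail or mail it has already touched, keeps a spool copy, logs, and submits over STARTTLS with SMTP AUTH using the local account as envelope sender. The program name, the X-Forwarding-Agent loop header, the FWD_* environment variables and the spool/log paths are all assumptions.

```python
"""Forwarding agent for use as a .forward pipe target, e.g.
    "|/usr/local/bin/fwd-agent host2@domain3.example"
Hypothetical example: program name, header names, environment variables and
spool/log paths are assumptions, not anything from the thread or Sendmail."""
import email
import logging
import os
import smtplib
import ssl
import sys
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid

LOOP_HEADER = "X-Forwarding-Agent"   # hypothetical loop marker; carries the local account
log = logging.getLogger("fwd-agent")


def parse(raw: bytes) -> Message:
    """Parse the raw RFC 822 message that sendmail hands the pipe on stdin."""
    return email.message_from_bytes(raw)


def should_forward(original: Message, local_account: str) -> bool:
    """Loop avoidance: never re-forward auto-generated mail (RFC 3834) or mail
    that already carries our own loop marker for this account."""
    if original.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    seen = (v.strip().lower() for v in original.get_all(LOOP_HEADER, []))
    return local_account.lower() not in seen


def wrap_message(original: Message, local_account: str, destination: str) -> MIMEMultipart:
    """Build a brand-new message from the local account; the original rides
    along unmodified as a message/rfc822 attachment, so its headers survive
    but are no longer the headers the receiving MTA evaluates as the sender."""
    outer = MIMEMultipart("mixed")
    outer["From"] = local_account
    outer["To"] = destination
    outer["Subject"] = "Fwd: " + (original.get("Subject") or "(no subject)")
    outer["Date"] = formatdate(localtime=True)
    outer["Message-ID"] = make_msgid(domain=local_account.rpartition("@")[2] or None)
    outer["Auto-Submitted"] = "auto-forwarded"
    outer[LOOP_HEADER] = local_account
    outer.attach(MIMEText("Forwarded by the local forwarding agent; original attached.\n"))
    attachment = MIMEMessage(original)                  # Content-Type: message/rfc822
    attachment.add_header("Content-Disposition", "attachment")
    outer.attach(attachment)
    return outer


def submit(outer: Message, local_account: str, destination: str) -> None:
    """Submit to our own server on port 587 with STARTTLS and SMTP AUTH.  The
    envelope sender is the local account: this is the 'SNAT' the thread asks
    for, so SPF at the destination is evaluated against our own domain."""
    host = os.environ["FWD_SMTP_HOST"]          # assumed env vars, set by whatever runs the pipe
    user, password = os.environ["FWD_SMTP_USER"], os.environ["FWD_SMTP_PASS"]
    with smtplib.SMTP(host, 587) as smtp:
        smtp.starttls(context=ssl.create_default_context())   # verifies the server certificate
        smtp.login(user, password)
        smtp.send_message(outer, from_addr=local_account, to_addrs=[destination])


def main(argv: list) -> int:
    destination, local_account = argv[1], os.environ["FWD_LOCAL_ACCOUNT"]
    logging.basicConfig(filename=os.path.expanduser("~/fwd-agent.log"), level=logging.INFO)
    original = parse(sys.stdin.buffer.read())
    msgid = original.get("Message-ID", "(none)")
    if not should_forward(original, local_account):
        log.info("skipped %s: auto-submitted or already forwarded", msgid)
        return 0
    outer = wrap_message(original, local_account, destination)
    spool = os.path.expanduser("~/fwd-agent-spool")   # keep a copy; purge old ones from cron
    os.makedirs(spool, exist_ok=True)
    with open(os.path.join(spool, outer["Message-ID"].strip("<>") + ".eml"), "wb") as fh:
        fh.write(outer.as_bytes())
    submit(outer, local_account, destination)
    log.info("forwarded %s to %s as %s", msgid, destination, outer["Message-ID"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Because the agent generates a new message rather than relaying the old one, the receiving side sees the local account as both envelope and header sender, which sidesteps SPF on the original domain entirely; the cost is that the recipient's client shows an attachment instead of the original mail inline.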
  • From John Levine@21:1/5 to gtaylor@tnetconsulting.net on Mon Dec 20 20:42:37 2021
    It appears that Grant Taylor <gtaylor@tnetconsulting.net> said:
    > I say "conundrum" as opposed to "problem" because I believe that things
    > are working the way that they are supposed to. I have zero desire to
    > alter my SPF (-all) stance. I'd much rather alter the message so that
    > it no longer ran afoul of SPF. Hence masquerading ~> altering the from
    > address to be the intermediate account.

    That's SRS. It seems to me to be swatting a fly with a chain saw
    but chacun à son goût.

    http://www.open-spf.org/srs/

    --
    Regards,
    John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
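    An added example, not from the thread, that walks through the four-step mail flow Grant lists (domain1 sends to domain2, the internal host .forwards to domain3, the public host checks SPF) and the SRS rewrite John points to, plus John's earlier remark that SRS turns an SPF fail into a DMARC fail. The SPF records, host addresses and HMAC secret are constructed; the SPF evaluator only understands ip4/ip6 and all; and the SRS0 encoding follows the open-spf.org description but is a simplified reimplementation, not libsrs2 or Sendmail's own SRS support.

```python
"""Why the .forwarded message fails SPF and how an SRS0 envelope-sender
rewrite on the forwarding host avoids it.  Everything here is constructed
for illustration: records, addresses, secret, and a simplified SRS0."""
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF records standing in for the thread's domains (not real DNS).
SPF_RECORDS = {
    "domain1.example": "v=spf1 ip4:192.0.2.10 -all",                    # public host only
    "domain2.example": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.5 -all",   # public + internal host
}
PUBLIC_HOST = "192.0.2.10"      # inbound MX for all three domains (constructed)
INTERNAL_HOST = "198.51.100.5"  # host carrying the .forward file (constructed)

SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS_MAX_AGE_DAYS = 21


def spf_check(client_ip, mail_from):
    """Minimal SPF evaluation: only ip4/ip6 mechanisms and 'all' are supported."""
    record = SPF_RECORDS.get(mail_from.rpartition("@")[2].lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return results[qualifier]
    return "neutral"


def _srs_timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    return SRS_ALPHABET[(day >> 5) & 31] + SRS_ALPHABET[day & 31]


def _srs_hash(secret, *parts):
    """HMAC-SHA1 over timestamp+domain+local, base64, first four characters."""
    digest = hmac.new(secret.encode(), "".join(parts).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()


def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite the envelope sender so the forwarded mail claims the forwarder's domain."""
    local, _, domain = mail_from.rpartition("@")
    ts = _srs_timestamp(day)
    return f"SRS0={_srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, day):
    """Undo srs_forward for a bounce; None if the hash or the timestamp is bad."""
    local = address.rpartition("@")[0]
    if not local.startswith("SRS0="):
        return None
    try:
        h, ts, domain, orig_local = local[5:].split("=", 3)
    except ValueError:
        return None
    if len(ts) != 2 or any(c not in SRS_ALPHABET for c in ts):
        return None
    expected = _srs_hash(secret, ts, domain, orig_local)
    if not h.isascii() or not hmac.compare_digest(h.lower(), expected.lower()):
        return None
    age = (day - (SRS_ALPHABET.index(ts[0]) * 32 + SRS_ALPHABET.index(ts[1]))) % 1024
    if age > SRS_MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{domain}"


def dmarc_spf_aligned(header_from, mail_from):
    """DMARC strict SPF alignment: the SPF-checked domain must equal the From: domain."""
    return header_from.rpartition("@")[2].lower() == mail_from.rpartition("@")[2].lower()


def scenario(day, secret="forwarder-secret"):   # secret is a constructed value
    """The thread's mail flow at the public host's SPF check, with and without SRS."""
    sender = "gtaylor@domain1.example"
    rewritten = srs_forward(sender, "domain2.example", secret, day)
    return {
        "direct": spf_check(PUBLIC_HOST, sender),             # from a host domain1 lists: pass
        "forwarded": spf_check(INTERNAL_HOST, sender),        # .forward hop keeps domain1: fail
        "forwarded_srs": spf_check(INTERNAL_HOST, rewritten), # envelope is now domain2: pass
        "bounce_path": srs_reverse(rewritten, secret, day + 1),
        "dmarc_spf_aligned": dmarc_spf_aligned(sender, rewritten),  # False: John's DMARC point
    }
```

    The last entry is the catch John describes: after SRS the envelope domain is domain2.example while the header From: still says domain1.example, so SPF passes but no longer aligns for DMARC, and the message then depends on a surviving DKIM signature from domain1.example. The forwarding-agent approach avoids that only by making the local account the header sender too.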