SPF, Forwarding and SRS, the evil three :/

slite
Posts: 5
Joined: Sat Sep 13, 2014 12:39 am


Postby slite » Tue Jun 05, 2012 9:42 am

I recently had the first need to configure forwarding on a Zimbra account and ran into problems with bounces due to SPF checking on the receiving server.
As some research turned out, the sender of the mail resides in a domain that has SPF records, that sender sends the mail to an account on my Zimbra server, my server accepts and tries to forward, but the server of the final destination (mx1.gmx.net) does not accept the mail, as my mailserver is not a designated sender for the domain of the sender.
As I cannot whitelist my server at gmx.net, I found out that SRS (enveloping) is the proper way to deal with that situation. Is there any way to activate SRS or any other way of rewriting the MAIL FROM in Zimbra or does that mean poking directly with postfix configuration files?
help very much appreciated :)


batfastad
Outstanding Member
Posts: 281
Joined: Fri Sep 12, 2014 10:43 pm


Postby batfastad » Wed Jun 06, 2012 11:34 am

Funnily enough I was wondering about this myself today!
I was attempting to send a message (from an SPF-enabled domain) to someone who's using a forwarder and the forwarding destination is running an SPF check.
I suddenly wondered if the forwarding feature in Zimbra was susceptible to this problem - from your message it appears it is.

I don't have an answer but I've not been able to track down any info on Zimbra and SRS so I'll be following this with interest!
thomas.gutzmann@gutzmann.com
Posts: 1
Joined: Mon Nov 02, 2015 4:01 pm


Postby thomas.gutzmann@gutzmann.com » Mon Nov 02, 2015 4:07 pm

This thread is quite old, but there still seems to be no way to avoid the SPF related problems when forwarding mails. SRS is not yet part of Zimbra, and there is no way to resend a mail replacing the original sender (from-address) with the local one.

Problem is that the number of servers relying on SPF is always increasing.

Has anybody found a solution already?

Thanks,
Thomas Gutzmann
crmanski
Posts: 4
Joined: Fri Sep 12, 2014 11:33 pm


Postby crmanski » Wed Jul 13, 2016 12:14 pm

I'm wondering the same thing. I am having issues forwarding email from some user accounts to Gmail accounts.
I saw this article https://support.google.com/mail/answer/175365?hl=en that mentions using procmail, but it would be ideal to use what is present in Zimbra.
DualBoot
Outstanding Member
Posts: 768
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers


Postby DualBoot » Wed Jul 13, 2016 12:44 pm

I think Zimbra should add an automatic redirect option to solve this problem.
The Guy - DualBoot

PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
crmanski
Posts: 4
Joined: Fri Sep 12, 2014 11:33 pm


Postby crmanski » Wed Jul 13, 2016 12:50 pm

I also use ASSP in front of Zimbra. ASSP has SRS. I enabled that and now my forwarded messages to Gmail are not flagged as possibly phish :D
L. Mark Stone
Elite member
Posts: 1864
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 6 Network Edition

Postby L. Mark Stone » Wed Jul 13, 2016 1:04 pm

So I'll take the opposing view and say this isn't a problem at all. Indeed, I would say this is "WAD" (in old IBM-speak) Working As Designed.

SPF-formatted TXT records came into existence precisely to allow email domain admins to designate which servers are authorized to send email purporting to emanate from that domain. (Recall that the "From:" piece of the header is readily spoofable, so is useless for this kind of filtering.)

Further, the domain admin has total control over whether receiving email servers should hard- or soft-fail email from that domain, but which originated from a server not listed in the TXT record. If you use a hyphen in front of the "all" parameter, that means the email domain admin is specifically authorizing receiving email servers across the globe to reject all email from that domain which is not coming from a listed server. (e.g. "-all" means hard fail, and "~all" means soft-fail.)

It's considered a best practice when deploying SPF-formatted TXT records to start with a soft-fail, and then once you are sure things are working OK and you've got all the legitimate sending servers listed in the record, then just change the soft-fail (tilde) to a hard-fail (hyphen).

So in this case, it would seem that the Zimbra admin simply needs to get in touch with the email domain admin who controls the public DNS records for the domain, and get the TXT record updated.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
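
How a receiving server arrives at the hard or soft fail described in the post above, as an added Python sketch (not from the thread). It evaluates only the ip4, ip6 and all mechanisms; the records, domains and documentation-range addresses are constructed stand-ins for real DNS TXT lookups.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records (assumptions), keyed by envelope-sender domain.
TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",        # hard fail
    "rollout.example": "v=spf1 ip4:192.0.2.0/24 ~all",       # soft fail during rollout
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",    # the forwarding server
}

def check_spf(client_ip, mail_from):
    """Return the SPF result for the connecting IP and the envelope MAIL FROM."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # Mechanisms that need further DNS lookups (a, mx, include) are skipped here.
    return "neutral"

if __name__ == "__main__":
    forwarder_ip = "198.51.100.25"
    # Direct delivery from the sender's own server.
    print(check_spf("192.0.2.10", "orders@sender.example"))
    # Forwarded copy with the MAIL FROM left unchanged.
    print(check_spf(forwarder_ip, "orders@sender.example"))
    print(check_spf(forwarder_ip, "orders@rollout.example"))
    # Forwarded copy whose envelope sender was rewritten into the forwarder's domain.
    print(check_spf(forwarder_ip, "SRS0=xxxx=G3=sender.example=orders@forwarder.example"))
```

The check keys on the envelope sender's domain and the connecting IP only, which is why a forwarded message fails unless the envelope sender is rewritten or the forwarder is listed in the sender's record.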
lcx_at
Posts: 7
Joined: Thu Sep 17, 2015 6:06 am


Postby lcx_at » Thu Sep 20, 2018 11:48 am

At first the WAD made sense but thinking a bit more about it I still think it doesn't.
Here's an example, let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
Due to SPF the forwarded mails can't be forwarded as they will be dropped and I really would try telling Amazon to modify their DNS to use a soft fail but I'm assuming I won't really be in luck.
Am I missing something or is this really how it was supposed to work?

Cris
L. Mark Stone
Elite member
Posts: 1864
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 6 Network Edition

Postby L. Mark Stone » Thu Sep 20, 2018 2:18 pm

lcx_at wrote:
At first the WAD made sense but thinking a bit more about it I still think it doesn't.
Here's an example, let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
Due to SPF the forwarded mails can't be forwarded as they will be dropped and I really would try telling Amazon to modify their DNS to use a soft fail but I'm assuming I won't really be in luck.
Am I missing something or is this really how it was supposed to work?

Cris


So, yes, the owner of the domain sets the SPF record for hard or soft fail, so if hard fail is what they want...

Honestly, most of the big email providers filter out email forwarded inbound to them, because so much of it is spam. If a user has a Gmail account and wants to have their Zimbra email forwarded to their Gmail, Google says, no; better to configure Gmail to go fetch the Zimbra mail. That way, you've demonstrated to Gmail that you really want to receive that email.

They have some alternatives too: https://support.google.com/mail/answer/175365?hl=en#

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
