I recently had the first need to configure forwarding on a Zimbra account and ran into problems with bounces due to SPF checking on the receiving server.
As some research turned out, the sender of the mail resides in a domain that has SPF records, that sender sends the mail to an account on my Zimbra server, my server accepts and tries to forward, but the server of the final destination (mx1.gmx.net) does not accept the mail, as my mailserver is not a designated sender for the domain of the sender.
As I cannot whitelist my server at gmx.net, I found out that SRS (enveloping) is the proper way to deal with that situation. Is there any way to activate SRS or any other way of rewriting the MAIL FROM in Zimbra, or does that mean poking directly with postfix configuration files?
Help very much appreciated.
SPF, Forwarding and SRS, the evil three :/
Funnily enough I was wondering about this myself today!
I was attempting to send a message (from an SPF-enabled domain) to someone who's using a forwarder and the forwarding destination is running an SPF check.
I suddenly wondered if the forwarding feature in Zimbra was susceptible to this problem - from your message it appears it is.
I don't have an answer but I've not been able to track down any info on Zimbra and SRS so I'll be following this with interest!
- Posts: 1
- Joined: Mon Nov 02, 2015 4:01 pm
SPF, Forwarding and SRS, the evil three :/
This thread is quite old, but there still seems to be no way to avoid the SPF related problems when forwarding mails. SRS is not yet part of Zimbra, and there is no way to resend a mail replacing the original sender (from-address) with the local one.
Problem is that the number of servers relying on SPF is always increasing.
Has anybody found a solution already?
Thanks,
Thomas Gutzmann
Re: SPF, Forwarding and SRS, the evil three :/
I'm wondering the same thing. I am having issues forwarding email from some user accounts to Gmail accounts.
I saw this article https://support.google.com/mail/answer/175365?hl=en that mentions using procmail, but it would be ideal to use what is present in Zimbra.
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers
Re: SPF, Forwarding and SRS, the evil three :/
I think Zimbra should add an automatic redirect option to solve this problem.
The Guy - DualBoot
PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
Re: SPF, Forwarding and SRS, the evil three :/
I also use ASSP in front of Zimbra. ASSP has SRS. I enabled that and now my forwarded messages to Gmail are not flagged as possibly phish.
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
Re: SPF, Forwarding and SRS, the evil three :/
So I'll take the opposing view and say this isn't a problem at all. Indeed, I would say this is "WAD" (in old IBM-speak) Working As Designed.
SPF-formatted TXT records came into existence precisely to allow email domain admins to designate which servers are authorized to send email purporting to emanate from that domain. (Recall that the "From:" piece of the header is readily spoofable, so is useless for this kind of filtering.)
Further, the domain admin has total control over whether receiving email servers should hard- or soft-fail email from that domain, but which originated from a server not listed in the TXT record. If you use a hyphen in front of the "all" parameter, that means the email domain admin is specifically authorizing receiving email servers across the globe to reject all email from that domain which is not coming from a listed server. (e.g. "-all" means hard fail, and "~all" means soft-fail.)
It's considered a best practice when deploying SPF-formatted TXT records to start with a soft-fail, and then once you are sure things are working OK and you've got all the legitimate sending servers listed in the record, then just change the soft-fail (tilde) to a hard-fail (hyphen).
So in this case, it would seem that the Zimbra admin simply needs to get in touch with the email domain admin who controls the public DNS records for the domain, and get the TXT record updated.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
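Added example (not part of the original post): a minimal evaluator for the `-all` and `~all` behaviour described in the post above, applied to the forwarding case this thread is about. The SPF records, domains and IP addresses are constructed (documentation ranges), the function names are hypothetical, and only the `ip4` and `all` mechanisms are handled; real SPF evaluation also covers `include`, `a`, `mx`, `redirect` and DNS lookups.

```python
import ipaddress

# Constructed SPF records (documentation address ranges), not taken from the thread.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "forwarder.example": "v=spf1 ip4:198.51.100.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip: str, mail_from: str, records=RECORDS) -> str:
    """Evaluate ip4/all mechanisms for the domain of the envelope sender (MAIL FROM)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def forwarding_outcomes() -> dict:
    """What the final destination sees for direct, forwarded and SRS-rewritten mail."""
    forwarder_ip = "198.51.100.10"
    srs_sender = "SRS0=HHHH=TT=sender.example=alice@forwarder.example"  # placeholder tag
    return {
        "direct": check_spf("192.0.2.25", "alice@sender.example"),
        "forwarded, -all": check_spf(forwarder_ip, "alice@sender.example"),
        "forwarded, ~all": check_spf(forwarder_ip, "bob@softfail.example"),
        "forwarded, SRS": check_spf(forwarder_ip, srs_sender),
    }
```

With the envelope sender left unchanged, the forwarder's IP is judged against the original sender's record; after an SRS rewrite it is judged against the forwarder's own record.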
Re: SPF, Forwarding and SRS, the evil three :/
At first the WAD made sense, but thinking a bit more about it I still think it doesn't.
Here's an example: let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
Due to SPF the forwarded mails can't be forwarded as they will be dropped, and I really would try telling Amazon to modify their DNS to use a soft fail, but I'm assuming I won't really be in luck.
Am I missing something or is this really how it was supposed to work?
Cris
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
Re: SPF, Forwarding and SRS, the evil three :/
lcx_at wrote:
> At first the WAD made sense, but thinking a bit more about it I still think it doesn't.
> Here's an example: let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
> Due to SPF the forwarded mails can't be forwarded as they will be dropped, and I really would try telling Amazon to modify their DNS to use a soft fail, but I'm assuming I won't really be in luck.
> Am I missing something or is this really how it was supposed to work?
> Cris

So, yes, the owner of the domain sets the SPF record for hard or soft fail, so if hard fail is what they want...
Honestly, most of the big email providers filter out email forwarded inbound to them, because so much of it is spam. If a user has a Gmail account and wants to have their Zimbra email forwarded to their Gmail, Google says, no; better to configure Gmail to go fetch the Zimbra mail. That way, you've demonstrated to Gmail that you really want to receive that email.
They have some alternatives too: https://support.google.com/mail/answer/175365?hl=en#
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate