SPF, Forwarding and SRS, the evil three :/

slite
Posts: 5
Joined: Sat Sep 13, 2014 12:39 am

SPF, Forwarding and SRS, the evil three :/

Post by slite »

I recently had the first need to configure forwarding on a Zimbra account and ran into problems with bounces due to SPF checking on the receiving server.
As some research turned out, the sender of the mail resides in a domain that has SPF records, that sender sends the mail to an account on my Zimbra server, my server accepts and tries to forward, but the server of the final destination (mx1.gmx.net) does not accept the mail, as my mailserver is not a designated sender for the domain of the sender.
As I cannot whitelist my server at gmx.net, I found out that SRS (enveloping) is the proper way to deal with that situation. Is there any way to activate SRS or any other way of rewriting the MAIL FROM in Zimbra or does that mean poking directly with Postfix configuration files?
Help very much appreciated :)
batfastad
Outstanding Member
Posts: 281
Joined: Fri Sep 12, 2014 10:43 pm

SPF, Forwarding and SRS, the evil three :/

Post by batfastad »

Funnily enough I was wondering about this myself today!
I was attempting to send a message (from an SPF-enabled domain) to someone who's using a forwarder and the forwarding destination is running an SPF check.
I suddenly wondered if the forwarding feature in Zimbra was susceptible to this problem - from your message it appears it is.

I don't have an answer but I've not been able to track down any info on Zimbra and SRS so I'll be following this with interest!
thomas.gutzmann@gutzmann.com
Posts: 1
Joined: Mon Nov 02, 2015 4:01 pm

SPF, Forwarding and SRS, the evil three :/

Post by thomas.gutzmann@gutzmann.com »

This thread is quite old, but there still seems to be no way to avoid the SPF related problems when forwarding mails. SRS is not yet part of Zimbra, and there is no way to resend a mail replacing the original sender (from-address) with the local one.

Problem is that the number of servers relying on SPF is always increasing.

Has anybody found a solution already?

Thanks,

Thomas Gutzmann
crmanski
Posts: 4
Joined: Fri Sep 12, 2014 11:33 pm

Re: SPF, Forwarding and SRS, the evil three :/

Post by crmanski »

I'm wondering the same thing. I am having issues forwarding email from some user accounts to Gmail accounts.
I saw this article https://support.google.com/mail/answer/175365?hl=en that mentions using procmail, but it would be ideal to use what is present in Zimbra.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: SPF, Forwarding and SRS, the evil three :/

Post by DualBoot »

I think Zimbra should add automatic redirect option to solve this problem.
The Guy - DualBoot

PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
crmanski
Posts: 4
Joined: Fri Sep 12, 2014 11:33 pm

Re: SPF, Forwarding and SRS, the evil three :/

Post by crmanski »

I also use ASSP in front of Zimbra. ASSP has SRS. I enabled that and now my forwarded messages to Gmail are not flagged as possibly phish :D
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SPF, Forwarding and SRS, the evil three :/

Post by L. Mark Stone »

So I'll take the opposing view and say this isn't a problem at all. Indeed, I would say this is "WAD" (in old IBM-speak) Working As Designed.

SPF-formatted TXT records came into existence precisely to allow email domain admins to designate which servers are authorized to send email purporting to emanate from that domain. (Recall that the "From:" piece of the header is readily spoofable, so is useless for this kind of filtering.)

Further, the domain admin has total control over whether receiving email servers should hard- or soft-fail email from that domain, but which originated from a server not listed in the TXT record. If you use a hyphen in front of the "all" parameter, that means the email domain admin is specifically authorizing receiving email servers across the globe to reject all email from that domain which is not coming from a listed server. (e.g. "-all" means hard fail, and "~all" means soft-fail.)

It's considered a best practice when deploying SPF-formatted TXT records to start with a soft-fail, and then once you are sure things are working OK and you've got all the legitimate sending servers listed in the record, then just change the soft-fail (tilde) to a hard-fail (hyphen).

So in this case, it would seem that the Zimbra admin simply needs to get in touch with the email domain admin who controls the public DNS records for the domain, and get the TXT record updated.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
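
The failure described in the first post and the "-all" / "~all" behaviour described in the post above, as an added example that is not part of any post in this thread and is not Zimbra, Postfix or ASSP code. It evaluates only the `ip4` and `all` SPF mechanisms against constructed records, then shows an SRS0-style rewrite of MAIL FROM; the domains, IP addresses, secret and the exact hash input and encoding are assumptions, so the addresses it produces are not guaranteed to interoperate with other SRS implementations.

```python
import base64, hashlib, hmac, ipaddress

# Constructed sample data: published SPF records (documentation IP ranges).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 ~all",
}
SRS_SECRET = b"constructed-demo-secret"  # assumption: secret known only to the forwarder
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from, client_ip):
    """Evaluate the ip4 and all mechanisms for the envelope sender's domain."""
    record = SPF_RECORDS.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def _srs_hash(ts, domain, local):
    # Assumed hash input and truncation; keyed so third parties cannot mint addresses.
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(mail_from, forwarder_domain, day):
    """Rewrite MAIL FROM as SRS0=hash=timestamp=orig-domain=local@forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    ts = B32[(day >> 5) & 31] + B32[day & 31]  # day count mod 1024 as two base32 chars
    return f"SRS0={_srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(srs_address):
    """Recover the original sender for a bounce; reject a forged or altered address."""
    tag, digest, ts, domain, local = srs_address.rsplit("@", 1)[0].split("=", 4)
    if tag != "SRS0" or not hmac.compare_digest(digest, _srs_hash(ts, domain, local)):
        raise ValueError("invalid SRS address")
    return f"{local}@{domain}"
```

With the original envelope sender the forwarder's IP gets `fail` from the sender's `-all` record; after the rewrite the receiving server checks the forwarder's own record instead, and the keyed hash keeps the reverse path from becoming an open relay for bounces.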
lcx_at
Posts: 7
Joined: Thu Sep 17, 2015 6:06 am

Re: SPF, Forwarding and SRS, the evil three :/

Post by lcx_at »

At first the WAD made sense but thinking a bit more about it I still think it doesn't.
Here's an example, let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
Due to SPF the forwarded mails can't be forwarded as they will be dropped and I really would try telling Amazon to modify their DNS to use a soft fail but I'm assuming I won't really be in luck.
Am I missing something or is this really how it was supposed to work?

Cris
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SPF, Forwarding and SRS, the evil three :/

Post by L. Mark Stone »

lcx_at wrote:
At first the WAD made sense but thinking a bit more about it I still think it doesn't.
Here's an example, let's assume someone has a distribution list (accounting@example.com) and wants all mails going to account forwarded to two other email addresses, one of them maybe being some archiving stuff on an external domain.
Due to SPF the forwarded mails can't be forwarded as they will be dropped and I really would try telling Amazon to modify their DNS to use a soft fail but I'm assuming I won't really be in luck.
Am I missing something or is this really how it was supposed to work?

Cris

So, yes, the owner of the domain sets the SPF record for hard or soft fail, so if hard fail is what they want...

Honestly, most of the big email providers filter out email forwarded inbound to them, because so much of it is spam. If a user has a gmail account and wants to have their Zimbra email forwarded to their Gmail, Google says, no; better to configure Gmail to go fetch the Zimbra mail. That way, you've demonstrated to GMail that you really want to receive that email.

They have some alternatives too: https://support.google.com/mail/answer/175365?hl=en#

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate