Mailing List Archive

Handle sender on forwarding
Hi all,

I have an Exim installation where I have just set up aliases.

exim.conf:

    [...]
    local_domains= @:myfoobar.com
    [...]


aliases:

   [...]
   mihamina:rakotomandimby@gmail.com
   [...]


In other words, if I send a message to mihamina@myfoobar.com, it gets
forwarded to rakotomandimby@gmail.com.
When I test, the sender is mihamina@atscom.io and the receiver is
mihamina@myfoobar.com.
The message is effectively forwarded to rakotomandimby@gmail.com, but
the "From:" header is kept to mihamina@atscom.io.

The problem:
GMail rejects the message because my Exim server sends a message with a
"From:" set to mihamina@atscom.io but atscom.io's SPF does not allow
this server to send such messages.
I have no authority over the sender domains' SPF (that's fair).

I guess there is a setting I have to set on Exim in order to fix this?

Regards



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Handle sender on forwarding
> I have an Exim installation where I have just set up aliases.
[...]
> In other words, if I send a message to mihamina@myfoobar.com, it gets
> forwarded to rakotomandimby@gmail.com.
> When I test, the sender is mihamina@atscom.io and the receiver is
> mihamina@myfoobar.com.
> The message is effectively forwarded to rakotomandimby@gmail.com, but
> the "From:" header is kept to mihamina@atscom.io.
>
> The problem:
> GMail rejects the message because my Exim server sends a message with a
> "From:" set to mihamina@atscom.io but atscom.io's SPF does not allow
> this server to send such messages.
> I have no authority over the sender domains' SPF (that's fair).

Welcome to modern mail forwarding hell, where there are no good answers.
Today, GMail appears to require that incoming email messages either have
a valid DKIM signature for the From: domain or that the envelope sender
passes SPF checks (for the sending IP). I don't know if they're
requiring that the From: domain pass SPF checks, but maybe they will
someday. This is regardless of any DMARC settings that the domain in
question may or may not have (which may make the situation worse,
depending on what they are; it's possible to set your DMARC so that you
forbid forwarding entirely[*]).

(In theory you are not supposed to require that the From: domain have a
DKIM signature if the domain doesn't have DMARC set, or has a permissive
DMARC. GMail doesn't care and does it anyways, because GMail is GMail.)

Normal Exim mail forwarding doesn't change the envelope sender (Exim's
errors_to and/or return_path), but it also doesn't invalidate any
existing DKIM signatures. In our experience, email forwarded by Exim in
this way will be accepted by GMail if it already has a valid DKIM
signature for the From: domain, even though the SPF check doesn't pass.
If the mail being forwarded doesn't have a valid DKIM signature that is
valid for its From: domain, we can currently get GMail to accept it by
changing the envelope sender to something in our domain (which will pass
SPF checks). In our environment, all forwarding has a natural 'owner'
(such as the account with a .forward), so we can set the envelope sender
to that owner if it's necessary to do so.

Actually implementing this in Exim is somewhat complex. We do it by
conditionally setting return_path in our SMTP transports, based on
information about DKIM validation status recorded in a message ACL
variable by a SMTP DKIM ACL and a router variable for the forwarding
owner that is set (and possibly cleared) by relevant forwarding-handling
routers (we have more than one for reasons; our Exim configuration is
complicated).

Some places that do forwarding always change the envelope sender to the
owner of the forwarding (Office365 appears to mostly do this, at least
as my university's O365 hosting is set up). This would be simpler to
implement, although you'd have to identify an owner for all forwarding.
Since O365 does it, it's very likely that places will accept it;
routinely rejecting email from O365 is on the order of as bad as
routinely rejecting email from GMail.

- cks
[*: If a domain configures their DMARC settings to require strict
alignment and then doesn't DKIM sign their messages, only SPF
can make things pass, which means you can't forward their messages
(well, not without rewriting the From: to something you can add a
DKIM signature for).
]

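The checks described in the reply above, as an added example that is not from the thread or from Exim: a small model of DMARC identifier alignment (RFC 7489) next to the looser "envelope SPF passes, or a DKIM signature covers the From: domain" rule the reply reports Gmail applying, run over the thread's forwarding cases. The domains are the thread's; the public-suffix table, the scenario list and the subdomain-signed case are constructed for the example.

```python
"""Added example, not from the thread or from Exim: a model of the checks the
reply above describes, to show which forwarding strategies survive them.
DMARC identifier alignment follows RFC 7489; the "envelope SPF passes, or a
DKIM signature valid for the From: domain" rule is the receiver behaviour the
reply reports, not a standard. Domains are the thread's; the public-suffix
table and the scenarios are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_SUFFIXES = {"com", "org", "io", "co.uk"}  # assumption: stub for the real PSL


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label: mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return organizational_domain(domain) == organizational_domain(from_domain)


@dataclass(frozen=True)
class DmarcRecord:
    policy: str       # none | quarantine | reject
    adkim: str = "r"  # DKIM alignment mode
    aspf: str = "r"   # SPF alignment mode


@dataclass(frozen=True)
class Message:
    from_domain: str               # domain in the RFC 5322 From: header
    mail_from_domain: str          # domain of the envelope sender (MAIL FROM)
    spf_pass: bool                 # SPF result for mail_from_domain at the connecting IP
    dkim_pass_domains: tuple = ()  # d= domains whose DKIM signatures verify


def dmarc_result(msg: Message, rec: DmarcRecord) -> str:
    """DMARC passes if SPF passes *and* is aligned, or any verified DKIM d= is aligned."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from_domain, msg.from_domain, rec.aspf)
    dkim_ok = any(aligned(d, msg.from_domain, rec.adkim) for d in msg.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def dmarc_disposition(msg: Message, rec: Optional[DmarcRecord]) -> str:
    """What the From: domain's policy asks the receiver to do (no record: nothing)."""
    if rec is None or dmarc_result(msg, rec) == "pass":
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[rec.policy]


def receiver_accepts(msg: Message) -> bool:
    """The rule the reply reports Gmail applying whatever DMARC says: the
    envelope sender passes SPF, or some DKIM signature covers the From: domain."""
    return msg.spf_pass or any(aligned(d, msg.from_domain, "r") for d in msg.dkim_pass_domains)


def forward(msg: Message, forwarder_domain: str, rewrite_envelope: bool) -> Message:
    """Authentication state after a forwarder relays the message.
    The forwarder's IP is not in the original domain's SPF record, so SPF fails
    unless the envelope sender is rewritten into the forwarder's own domain
    (SRS, or Exim's return_path/errors_to). Headers and body are untouched,
    so any existing DKIM signature still verifies."""
    if rewrite_envelope:
        return replace(msg, mail_from_domain=forwarder_domain, spf_pass=True)
    return replace(msg, spf_pass=False)


def scenarios() -> dict:
    """The thread's cases: name -> (receiver rule accepts?, DMARC disposition)."""
    signed = Message("atscom.io", "atscom.io", True, ("atscom.io",))
    sub_signed = Message("atscom.io", "atscom.io", True, ("mail.atscom.io",))
    unsigned = Message("atscom.io", "atscom.io", True)
    reject = DmarcRecord("reject")
    strict_reject = DmarcRecord("reject", adkim="s", aspf="s")
    fwd = "myfoobar.com"
    cases = {
        "direct, signed": (signed, reject),
        "plain forward, signed": (forward(signed, fwd, False), reject),
        "plain forward, unsigned, no DMARC": (forward(unsigned, fwd, False), None),
        "envelope rewrite, unsigned, no DMARC": (forward(unsigned, fwd, True), None),
        "envelope rewrite, unsigned, p=reject": (forward(unsigned, fwd, True), reject),
        "plain forward, subdomain-signed, adkim=r": (forward(sub_signed, fwd, False), reject),
        "plain forward, subdomain-signed, adkim=s": (forward(sub_signed, fwd, False), strict_reject),
    }
    return {name: (receiver_accepts(m), dmarc_disposition(m, r)) for name, (m, r) in cases.items()}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:45} receiver={verdict[0]!s:5} dmarc={verdict[1]}")
```

Two rows are the ones worth staring at: "plain forward, unsigned, no DMARC" is rejected by the receiver rule although DMARC has nothing to say, which is the situation in the original post, and "envelope rewrite, unsigned, p=reject" passes the receiver rule (SPF now passes for the forwarder's domain) yet still fails DMARC, because the rewritten envelope domain is not aligned with the From: domain. Rewriting the envelope fixes SPF, not alignment.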
Re: Handle sender on forwarding
On Sun, Nov 05, 2023 at 08:45:25PM +0300, Mihamina RKTMB via Exim-users wrote:

> GMail rejects the message because my Exim server sends a message
> with a "From:" set to mihamina@atscom.io but atscom.io's SPF does
> not allow this server to send such messages.

> I have no authority over the sender domains' SPF (that's fair).

Just in case you really mean the "envelope sender" i.e. the address in
the SMTP MAIL command, and not the From header: look up SRS in the
manual.

--
Ian

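The mechanism the reply above points at, as an added example that is not from the thread and not Exim's own SRS code: a minimal SRS0 (Sender Rewriting Scheme) encoder and decoder. It shows how a forwarder rewrites the envelope sender (the address in MAIL FROM) into its own domain, so the next hop's SPF check is against the forwarder's SPF record, while a bounce to the rewritten address can still be validated and routed back to the original sender. Exim 4.95 and later has built-in SRS, covered by the manual's SRS section; this block only illustrates the scheme. The secret, the day counter and the maximum age are assumptions for the example.

```python
"""Added example, not from the thread and not Exim's own SRS code: a minimal
SRS0 implementation showing how a forwarder rewrites the envelope sender into
its own domain so the next hop's SPF check is against the forwarder, while
bounces to the rewritten address can still be routed back to the original
sender. The secret, day counter and maximum age are assumptions."""
import base64
import hashlib
import hmac

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
MAX_AGE_DAYS = 21  # assumption: how long a rewritten address accepts bounces


def _timestamp(day: int) -> str:
    """Two base32 characters holding (day counter mod 1024), 5 bits each."""
    d = day % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def _timestamp_age(ts: str, today: int) -> int:
    """Days since the stamp was issued, allowing for the 1024-day wraparound."""
    then = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    return (today % 1024 - then) % 1024


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """HMAC over the stamp and the original address, lower-cased because MTAs
    may case-fold the local part; truncated to 4 base64 characters as in SRS."""
    data = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder_domain: str, secret: bytes, today: int) -> str:
    """Rewrite MAIL FROM for relaying:
    SRS0=<hash>=<stamp>=<orig domain>=<orig local>@<forwarder domain>."""
    local, domain = sender.rsplit("@", 1)
    if local.upper().startswith("SRS0="):
        # Already rewritten by an earlier forwarder; the scheme's answer is an
        # SRS1 address pointing back at that forwarder, which this example omits.
        raise ValueError("SRS1 re-forwarding is outside this example")
    ts = _timestamp(today)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, secret: bytes, today: int) -> str:
    """Recover the original sender from a bounce to an SRS0 address, or raise."""
    local, _forwarder = address.rsplit("@", 1)
    tag, h, ts, domain, orig_local = local.split("=", 4)
    if tag.upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.lower().encode(), expected.lower().encode()):
        raise ValueError("hash mismatch: forged address or wrong secret")
    if _timestamp_age(ts, today) > MAX_AGE_DAYS:
        raise ValueError("stamp expired: bounce too old to route")
    return f"{orig_local}@{domain}"


def bounce_recipient(address: str, secret: bytes, today: int):
    """What an inbound SRS router does with a bounce: the original sender, or
    None when the address fails validation (such bounces are simply refused,
    which is what stops the forwarder becoming an open relay for bounces)."""
    try:
        return srs_reverse(address, secret, today)
    except ValueError:
        return None


if __name__ == "__main__":
    secret, today = b"example-secret", 19667  # constructed values
    rewritten = srs_forward("mihamina@atscom.io", "myfoobar.com", secret, today)
    print(rewritten)
    print(bounce_recipient(rewritten, secret, today))
```

Note what this does and does not change: only the envelope sender is rewritten, so the From: header (and any DKIM signature over it) is left alone. That is exactly why the next reply says SRS "handles almost everything" but not a From: domain with a DMARC reject policy and no surviving DKIM signature.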
Re: Handle sender on forwarding
SRS does this fine. But if the From domain (not the envelope from, the
domain in the "From" header) publishes a DMARC record with a reject
rule, Gmail may still decline the forwarded message. They say as much in
their documentation. While SRS handles almost everything fine, Gmail
will still sometimes reject forwarded email that they otherwise would
have accepted were it sent directly to a Gmail account, and sometimes
there is nothing you can do about this other than not forward that
email.

There will be no scenario in which Gmail accepts 100% of forwarded email
(unless you're working with a small sample size to declare that
statement invalid). This is just something you have to keep in mind, as
Gmail never promised to be the perfect recipient of forwarded emails.

On 2023-11-05 11:45, Mihamina RKTMB via Exim-users wrote:

> [...]

Re: Handle sender on forwarding
Yes you can do this:

In acl_rcpt:

  warn
    domains       = <YOURDOMAIN>
    remove_header = dkim-signature
    remove_header = arc-seal
    remove_header = arc-authentication-results
    remove_header = arc-message-signature


In acl_data:

  warn
    condition  = ${if match {$recipients}{<YOURDOMAIN\\.YOURTLD>\$}{yes}{no}}
    condition  = ${if !def:h_reply-to:}
    add_header = Reply-To: $h_from:

In your redirect router:

  sender_redirect:
    driver    = redirect
    domains   = <YOURDOMAIN>
    data      = ${lookup{$local_part}lsearch{/etc/forwards}}
    errors_to = $local_part@<YOURDOMAIN>
    set       = r_orep=${lookup{$local_part}lsearch{/etc/forwards}}
    set       = r_isfwd=true


In your remote_smtp transport:

  remote_smtp:
    debug_print       = "T: remote_smtp for $local_part@$domain"
    driver            = smtp
    dkim_sign_headers = from:date:to:cc
    dkim_domain       = <YOURDOMAIN>
    dkim_selector     = <YOURSELECTOR>
    dkim_private_key  = /etc/exim4/dkim.key
    dkim_canon        = relaxed
    headers_rewrite   = *@* "${if eq {$r_isfwd}{true}{$return_path}fail}" fs : *@* "${if eq {$r_isfwd}{true}{\"Forwarded Email\" <$r_orep>}fail}" tw


This will rewrite the envelope sender to $local_part@<YOURDOMAIN> (by setting errors_to), then it will rewrite the MIME From to $local_part@<YOURDOMAIN>, then it will rewrite To: to become "Forwarded Email" <[TARGET_ADDRESS]>.
It will also dump any DKIM or ARC signatures from original sender, instead you sign mail yourself.


>>> This will pass servers/senders even with strict alignment. <<<


A forwarded email like this, where forwarded_user has a forward to "somewhere@gmail.com", will become:

MAIL FROM: youruser@server.com
RCPT TO: forwarded_user@example.org

From: youruser@server.com
To: forwarded_user@example.org


Will become:

MAIL FROM: forwarded_user@example.org
RCPT TO: somewhere@gmail.com

From: forwarded_user@example.org
To: somewhere@gmail.com
Reply-To: youruser@server.com


(If Reply-To on sending mail is already set, it will not be replaced).


-----Original Message-----
From: Mihamina RKTMB via Exim-users <exim-users@lists.exim.org>
Sent: 5 November 2023 18:49
To: exim-users@lists.exim.org
Subject: [exim] Handle sender on forwarding

[...]


Re: Handle sender on forwarding
On Mon, 6 Nov 2023, Sebastian Nielsen via Exim-users wrote:

> Yes you can do this:
>
> In acl_rcpt:
>
> warn
> domains = <YOURDOMAIN>
> remove_header = dkim-signature
> remove_header = arc-seal
> remove_header = arc-authentication-results
> remove_header = arc-message-signature

> It will also dump any DKIM or ARC signatures from original sender,
> instead you sign mail yourself.

Why do you remove ARC signatures ?
I thought the aim of ARC was to preserve and authenticate
some of the header info when messages are forwarded, perhaps more than once ?


> A forwarded email as this, with forwarded_user having a forward to "somewhere@gmail.com" will become:
>
> MAIL FROM: youruser@server.com
> RCPT TO: forwarded_user@example.org
>
> From: youruser@server.com
> To: forwarded_user@example.org
>
>
> Will become:
>
> MAIL FROM: forwarded_user@example.org
> RCPT TO: somewhere@gmail.com
>
> From: forwarded_user@example.org
> To: somewhere@gmail.com
> Reply-To: youruser@server.com
>
>
> (If Reply-To on sending mail is already set, it will not be replaced).

That might help the message reach the mailbox, but the recipient will
have to look harder to see who the message claims to have been
originally sent by.

Note. This example is confusing; was the original sender (assuming all
is trustworthy) youruser@server.com ? A clearer example would have had
MAIL FROM: random.person@their.server.com
RCPT TO: my.user@my.server.com

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Handle sender on forwarding
>>Why do you remove ARC signatures ?

Because they have no relevance when you have rewritten MAIL FROM, RCPT
TO, MIME From and MIME To.
If the mail is forwarded again, then both second forwarding server and final
server will test against YOUR server, so it's the second forwarding server
that in that case should add ARC signatures.

But forwarding in two steps is uncommon and useless; better to aim both
forwarding addresses at the same final address.

>>That might help the message reach the mailbox, but the recipient will
>>have to look harder to see who the message claims to have been
>>originally sent by.

Agreed with that. The info is in "Reply-To" instead.
It's a tricky thing, because writing

From: "original_sender@server.com" <forwarded_user@yourserver.com>

may trip anti-phishing / anti-spam systems.

If you absolutely must preserve sender information, encapsulate the mail in
a new message/rfc822 object instead...

So a mail that looks like this (if forwarded_user is a forward to
example@gmail.com):

From: original_sender@server.com
To: forwarded_user@yourserver.com
Subject: Hey
Content-Type: text/plain

Is sent as:

From: forwarded_user@yourserver.com
To: example@gmail.com
Subject: Fwd: Hey
Content-Type: message/rfc822; boundary=1234

Encapsulated email follows
--1234
From: original_sender@server.com
To: forwarded_user@yourserver.com
Subject: Hey
Content-Type: text/plain
--1234--


>>Note. This example is confusing

Oooh sorry about that.
I tried to be clear with youruser@server.com being the sender,
forwarded_user@example.com being the address with a forward configured, and
somewhere@gmail.com being the forward target.

Replaced youruser@server.com with original_sender@server.com instead.

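The encapsulation the reply above suggests for keeping the original sender visible, as an added example that is not from the thread: the original message is carried unchanged as a message/rfc822 part inside a new multipart/mixed message (that is how MIME embeds one message in another), the outer From: is the forwarding account, and Reply-To: is the original sender unless the original already set one. Addresses are the thread's placeholders; the original message below, including its DKIM-Signature header, is constructed for the example.

```python
"""Added example, not from the thread: forward a message by wrapping it
unchanged as a message/rfc822 part of a new multipart/mixed message whose
From: is the forwarding account and whose Reply-To: is the original sender.
The ORIGINAL text, with its DKIM-Signature header, is constructed here."""
import email
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ORIGINAL = """\
DKIM-Signature: v=1; a=rsa-sha256; d=server.com; s=sel; h=from:to:subject; bh=bodyhash; b=sig
From: original_sender@server.com
To: forwarded_user@yourserver.com
Subject: Hey
Content-Type: text/plain

Hey, are you around this week?
"""


def encapsulate_forward(raw: str, forwarding_address: str, target: str) -> str:
    """Build the outgoing message: a short text part plus the original as message/rfc822."""
    original = email.message_from_string(raw)
    outer = MIMEMultipart("mixed")
    outer["From"] = forwarding_address
    outer["To"] = target
    outer["Subject"] = "Fwd: " + (original["Subject"] or "")
    # Keep an existing Reply-To, as the reply above does; otherwise point replies at the sender.
    outer["Reply-To"] = original["Reply-To"] or original["From"]
    outer.attach(MIMEText(f"Forwarded message from {original['From']} is attached.\n"))
    outer.attach(MIMEMessage(original))  # inner headers, DKIM-Signature included, stay intact
    return outer.as_string()


def describe(raw_forward: str) -> dict:
    """Parse a forwarded message back and report the fields a receiver would look at."""
    msg = email.message_from_string(raw_forward)
    parts = msg.get_payload()
    wrapper = parts[1]                    # the message/rfc822 part
    inner = wrapper.get_payload()[0]      # the embedded original message
    return {
        "outer_type": msg.get_content_type(),
        "from": msg["From"],
        "reply_to": msg["Reply-To"],
        "subject": msg["Subject"],
        "inner_type": wrapper.get_content_type(),
        "inner_from": inner["From"],
        "inner_has_dkim": inner["DKIM-Signature"] is not None,
        "outer_has_dkim": msg["DKIM-Signature"] is not None,
    }


if __name__ == "__main__":
    fwd = encapsulate_forward(ORIGINAL, "forwarded_user@yourserver.com", "example@gmail.com")
    print(fwd)
    print(describe(fwd))
```

The outer message carries no signature of its own: it is a fresh message from the forwarder's domain, so the forwarder's MTA signs it (the dkim_* transport options in the earlier reply) and the envelope sender is the forwarder's, which keeps SPF, DKIM and From: aligned without touching the original sender's signed headers. The trade-off the two replies above discuss remains: the recipient sees the forwarding account in From: and has to open the attached part to see who originally sent it.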
