
At the moment, our Postfix + Dovecot mail system has two types of users: those with a full account and those with only a forwarder.

Users with a full account are in the virtual_aliases table pointing to the local mailbox (e.g. [email protected] --> compuchip/, I'm not sure that's strictly necessary btw) and have some aliases (e.g. [email protected] --> compuchip).

Users with a forwarder have their personal account in the aliases table, and potentially aliases as well (e.g. [email protected] --> [email protected] as well as [email protected] --> compuchip).

Because I'm forwarding a lot of spam to the last group of users we often get blacklisted and I want to shut this down. I decided that if users want to send and receive external mail I should just give them a mailbox. But if possible I would like that everyone can continue to be reached from "inside". Let me describe that more accurately:

  • if a user has a mailbox (the virtual aliases eventually resolve to a local destination) email from anyone should be accepted

  • if the user does not (all of their aliases point at other aliases or external domains) I only want to accept (and therefore relay) email originating from within my domain ([email protected])

I have DKIM / SPF / DMARC set up, could I do something with that? I think that forwarding nonlocal mail to a nonlocal recipient will fail SPF if I disable SRS; could I just configure it to reject email in those cases?

  • There are several delivery issues with email forwarding. One is that your server also forwards the spam it receives to the final recipient. Your server/IP address will be seen as the source of that spam by the final recipient's anti-spam solution, resulting in your IP getting blocked. You partly solve that by aggressive spam filtering. - The second issue is that email forwarding breaks with SPF.
    – HBruijn
    Commented Dec 18, 2023 at 10:17
  • The "solution" to deal with how traditional e-mail forwarding breaks SPF is SRS, the Sender Rewriting Scheme - see for example github.com/roehling/postsrsd - I don't think you need a local mailbox for that.
    – HBruijn
    Commented Dec 18, 2023 at 10:18
  • Thanks @HBruijn. I'm currently using SRS but the spam filtering isn't aggressive enough. So I am rather looking to get rid of the whole thing. But it would be nice if I can keep the forward working for senders from the local domain (or, alternatively, whitelisted senders) so colleagues can find each other without having to look up a private email address.
    – CompuChip
    Commented Dec 18, 2023 at 19:04
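The two acceptance rules in the question, modelled as an added example (not code from the question or from Postfix): it follows alias chains to see whether a recipient ends in a local mailbox and then applies the sender rule. The domain `example.org`, all addresses, the mailbox name and the function names are assumptions made up for illustration.

```python
# Constructed sample data: example.org stands in for the local domain,
# and every address and mailbox name below is made up for illustration.
LOCAL_DOMAIN = "example.org"
MAILBOXES = {"alice/"}                            # local mailbox destinations
ALIASES = {
    "alice@example.org": ["alice/"],              # full account
    "a.lice@example.org": ["alice@example.org"],  # alias of a full account
    "bob@example.org": ["bob@external.example"],  # forwarder only
    "b.ob@example.org": ["bob@example.org"],      # alias of a forwarder
    "loop1@example.org": ["loop2@example.org"],   # misconfigured alias cycle
    "loop2@example.org": ["loop1@example.org"],
}


def has_local_mailbox(address, aliases=ALIASES, mailboxes=MAILBOXES):
    """True if any alias chain starting at address ends in a local mailbox."""
    seen, stack = set(), [address.lower()]
    while stack:
        current = stack.pop()
        if current in mailboxes:
            return True
        if current in seen:           # alias loop: do not follow it again
            continue
        seen.add(current)
        stack.extend(target.lower() for target in aliases.get(current, []))
    return False


def is_local_sender(sender, local_domain=LOCAL_DOMAIN):
    """Envelope sender is in the local domain (exact match, no subdomains)."""
    _, at, domain = sender.lower().rpartition("@")
    return bool(at) and domain == local_domain    # empty bounce sender is not local


def decide(sender, recipient):
    """Apply the two rules from the question to one sender/recipient pair."""
    if recipient.lower() not in ALIASES:
        return "REJECT unknown recipient"
    if has_local_mailbox(recipient):
        return "ACCEPT"               # mailbox users take mail from anyone
    if is_local_sender(sender):
        return "ACCEPT"               # forward-only recipient, internal sender
    return "REJECT external sender to forward-only recipient"
```

The sender check takes the envelope address as given, so it is only meaningful when that address is authenticated, for example by an authenticated submission or an SPF/DMARC pass for the local domain.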
