3

I'm using a Postfix mail server to forward personal mails from an EC2 instance to a Gmail account.

To prevent Google from considering me a source of spam I have set up all the smtpd_relay_restrictions in /var/postfix/main.cf. I have installed and set up SpamAssassin and Postgrey for spam control and greylisting. I have set up TLS (with the snakeoil certs for now), and the SPF records for my domain all yield

 example.com.       3600    IN  TXT "v=spf1 mx include:_spf.google.com -all"

after reading docs and StackOverflow.

Everything is working and I get mails for all three domains. However, when I inspect the mail headers of mails that have passed through my Postfix as well as Google I always see headers like the following:

Received-SPF: neutral (google.com: 1.2.3.4 is neither permitted nor denied by domain of bounce-mc.us11_45970521.602249-info=example.com@mail191.atl171.mcdlv.net) client-ip=1.2.3.4;
Authentication-Results: mx.google.com;
   dkim=pass [email protected];
   spf=neutral (google.com: 1.2.3.4 is neither permitted nor denied by domain of bounce-mc.us11_45970521.602249-info=example.com@mail191.atl171.mcdlv.net) smtp.mailfrom=bounce-mc.us11_45970521.602249-info=example.com@mail191.atl171.mcdlv.net

(1.2.3.4 and example.com are substitutes for my IP and my domain)

Is this something I need to worry about or is that just unavoidable noise you get when you forward mail? Will Google react at some point and ban me from the internet?

I have considered setting up some form of SRS but I believe Best practices for forwarding mail to Gmail discourages one from that.

I know this (forwarding mail to Google) is not an unusual set up and I realise my concerns are not unique, so I wonder what other people suggest.

Cheers Mats

Added: This is my reply to Peter's answer, below.

Hi Peter. Thanks for your reply. I configured SPI and forwarding for my EC2 mail server. This worked fine to a degree. However, Google filtered out a good deal of spam, as expected. I also started to get mail notifications that they noticed that my server sent spam to Google users (me), and they started to block my server for periods of time.

To have mail forwarding work on Gmail I have found out that you'd also need the full sender-rewriting-DKIM setup and as my mail server project started to snowball (with all the extra modules and config) I resorted to a mail forwarding with my DNS provider. This means that the spam filtering is downgraded as quite a few, formerly targeted, spam mails now get past Gmail's (and my own SpamAssassin) filtering.

My conclusion is that you need to go all the way (SPI + rewriting + DKIM) if you want a solution like this to work with EC2 (or equivalent) and Gmail. This isn't my current solution, but I might set it up one day if I get the time. The advantage would be the Bayesian learning of a SpamAssassin of my own.

Cheers

1 Answer

4

Yes, SPF as designed completely breaks the kind of straightforward forwarding that used to be commonplace, where your server just changes the SMTP Envelope To and sends it on its way.

According to openspf.org's Forwarding Best Practices, the server that's the ultimate destination (Gmail in your case) should allow for configuring what forwarders you have set up, to be able to whitelist the emails coming via your IP and thereby not check SPF on them. I don't know if Google actually has any options for that though.

So, if you're going to continue forwarding, SRS is the way to do it. From looking at that document from Google, I think the main thing that they're trying to warn about is that once you rewrite the sender, their systems will now treat the mail as being from you (which is, after all, what you're asking for), and so if your forwarder manages to also forward spam to them, they will see you as a spammer. Basically, if you go this route, you need to be doing a real good job spam filtering on your server before it gets forwarded to Google.

Another option, which I've done when I wanted to do something similar, is to actually take delivery on my postfix/dovecot mail server, and use Gmail's service to import email from another account via POP3. That is, have Gmail "pull" from your server rather than your server trying to "push" to Gmail. You probably also similarly want to set up good spam filtering on your server, but I suspect that Google wouldn't "punish" you for sending them spam if some get through, since you're no longer emailing it to them at that point.

And just to mention for completeness, if all you want to do with email for your domain is to forward it to Gmail, using a full mail server on EC2 may be overkill, and you may want to look at a hosted email forwarding service or using Google services for your domain more directly.

1
  • 1
    Your idea of using Gmail to pull from a POP server is a good one, but unfortunately it appears that Google applies SPF checking to the mail pulled via this method. I.e. it compares the IP of the POP server to the SPF record of the email sender's domain. Unsurprisingly, this results in a failure on almost all emails (save those which may actually be from the POP server's domain!).
    – fishter
    Commented Dec 15, 2021 at 13:28
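
The effect the answer describes, as an added example that is not part of the original question or answer: a forwarder's IP checked against the original sender's SPF policy gives the `neutral` result seen in the question's headers, while an SRS-rewritten envelope sender is checked against the forwarder's own policy. The domains, IPs, secret and the two SPF records are constructed; the SPF check handles only `ip4` and `all`, and the SRS0 rewriting is a simplified sketch of the address layout with no timestamp expiry.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF policies and TEST-NET addresses; real policies are DNS TXT records.
SPF = {
    "news.example.net": "v=spf1 ip4:198.51.100.0/24 ?all",  # original sender
    "forwarder.example": "v=spf1 ip4:203.0.113.25 -all",    # forwarding host
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def check_spf(client_ip, mail_from):
    """Evaluate ip4 and all mechanisms for the envelope sender's domain."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        result = QUALIFIER.get(term[0], "pass")  # no qualifier means "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return result
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return result
    return "neutral"  # nothing matched

def _tag(secret, tt, domain, local):
    mac = hmac.new(secret, f"{tt}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite to SRS0=<hash>=<day>=<orig domain>=<orig local>@<forwarder>."""
    local, domain = mail_from.rsplit("@", 1)
    tt = B32[(day >> 5) & 31] + B32[day & 31]  # day counter mod 1024
    return f"SRS0={_tag(secret, tt, domain, local)}={tt}={domain}={local}@{forwarder_domain}"

def srs_reverse(address, secret):
    """Recover the original sender for a bounce; reject a forged or altered tag."""
    parts = address.rsplit("@", 1)[0].split("=", 4)  # original local part may hold "="
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, tt, domain, local = parts
    if not hmac.compare_digest(tag, _tag(secret, tt, domain, local)):
        raise ValueError("bad SRS hash")
    return f"{local}@{domain}"

FORWARDER_IP = "203.0.113.25"
ORIGINAL = "bounce-123-info=example.com@news.example.net"  # constructed VERP-style sender
REWRITTEN = srs_forward(ORIGINAL, "forwarder.example", b"constructed-secret", day=19000)
print(check_spf(FORWARDER_IP, ORIGINAL), check_spf(FORWARDER_IP, REWRITTEN))
```

The SPF pass after rewriting says nothing about the message content, which is why the answer stresses filtering spam before forwarding.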
