Support for SRS #328

Closed
ieno opened this issue Nov 14, 2017 · 13 comments · Fixed by #1349
Labels
type/feature Introduces a new feature

Comments


ieno commented Nov 14, 2017

See https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme and https://github.com/roehling/postsrsd

Member

kaiyou commented Nov 15, 2017

That would be an interesting feature for aliases and forwards indeed. No idea how soon we could support it though.

@kaiyou kaiyou added the feature label Nov 15, 2017
@fabiorauber
Contributor

It would greatly diminish the risk of the forwarding MTA being marked as a spammer.

Contributor

micw commented Oct 11, 2019

Is this still valid, especially in conjunction with DKIM/DMARC?

Edit: https://fastmail.blog/2016/12/24/spf-dkim-dmarc/

The solution: always make sure you DKIM sign mail if you have a DMARC policy. If your email is forwarded, SPF will break, but DKIM signatures should survive. SRS wonʼt help with DMARC, because replacing the MAIL FROM envelope with your own domain means the MAIL FROM domain doesnʼt match the From header domain. This is an alignment failure, and so not a pass result for DMARC.

Seems this is superseded by DMARC


oli-ver commented Nov 4, 2019

@kaiyou in #1042 you posted some review comments. @jbmolle are you able to proceed with this? I would like to help if possible as this is currently a problem for an alias I need to use.

Member

kaiyou commented Nov 5, 2019

A completely different approach would be to use a podop map and generate the srs in the admin container instead of running postsrs. It has the advantage of being compatible with replicated setups.

If @jbmolle can adjust the pr, we can probably merge it. Otherwise I'd go for the podop map instead. How do you feel about contributing it if I try and guide you through it?


oli-ver commented Nov 8, 2019

@kaiyou I would like to try. It’s a new area for me though and it could take some time to catch up. I will try and set up the dev environment while waiting for an answer from @jbmolle.


jbmolle commented Nov 13, 2019

Hi @oli-ver, hi @kaiyou,
Sorry for the late reply. I haven't looked much at this issue.
The modifications I did were enough for the use case I had so far.
But I can look at it again and try to modify the PR according to kaiyou's suggestions.
I don't write much code in Python so I might not be the best to do it but I can try and you'll let me know if it's fine.


oli-ver commented Jan 12, 2020

@jbmolle I have some experience with Python but none with Mailu development but I am open to review code and discuss solutions. @kaiyou, what do you think?

Member

kaiyou commented Jan 13, 2020

I planned on setting up a new dev environment tonight. Let's try and make this my first issue.

Postfix sender and recipient canonical maps should be bound to admin through podop, and rewriting will be implemented using pysrs from https://pythonhosted.org/milter/pysrs.html as it seems not to be the best but most supported lib.

kaiyou added a commit to kaiyou/Mailu that referenced this issue Jan 14, 2020
Member

kaiyou commented Jan 14, 2020

Just pushed the commit above, that should do most of the lifting work for SRS. Any feedback is welcome before I open the PR.


oli-ver commented Jan 14, 2020

@kaiyou Looks pretty straightforward. I will try to get a dev environment up and running on the weekend, perhaps I can have a closer look how this works when sending mails.


oli-ver commented Feb 2, 2020

@kaiyou I tested the feature with a dev server I just set up (I hope without mistakes).
I sent the mail from an iCloud mail address [email protected] to [email protected] which forwards to [email protected].

I think these are the relevant header parts:

Delivered-To: <[email protected]>
Return-Path: <SRS0=vA/[email protected]>
envelope-from <SRS0=vA/[email protected]>

Is it correct like that?

Unfortunately I cannot test forwarding to mail addresses of other servers because my development machine does not have a static IP and SPAMHAUS has an entry for the IP range that is only temporarily assigned by my DSL provider. Other mail servers bounce the mail because of that.

Member

kaiyou commented Feb 7, 2020

It looks correct, thank you for the testing :) of course I cannot verify the hashes without the secret key, but let's assume those are correct. I will open the PR right away.
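
The SRS0 rewriting discussed in this thread, as an added example that is not part of the thread and is not Mailu's, pysrs's or postsrsd's code: it follows the `SRS0=hash=timestamp=domain=local` layout to show why the hash can only be checked with the forwarder's secret, and why the rewritten envelope sender no longer aligns with the From header under DMARC. The hash construction (HMAC-SHA1 cut to four base64 characters), the 21-day window, the secret and all addresses are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # assumed bounce validity window


def _day(now=None):
    return int((time.time() if now is None else now) // 86400) % 1024


def _tag(secret, stamp, domain, local):
    """Truncated HMAC over timestamp, original domain and local part."""
    msg = f"{stamp}={domain}={local}".lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def forward(sender, forwarder_domain, secret, now=None):
    """Rewrite envelope sender local@domain into an SRS0 address."""
    local, domain = sender.rsplit("@", 1)
    day = _day(now)
    stamp = B32[day >> 5] + B32[day & 31]
    tag = _tag(secret, stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


def reverse(srs_address, secret, now=None):
    """Return the original sender for a bounce; ValueError if forged or stale."""
    parts = srs_address.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, stamp, domain, local = parts
    expected = _tag(secret, stamp, domain, local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("hash mismatch")
    then = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    if (_day(now) - then) % 1024 > MAX_AGE_DAYS:
        raise ValueError("timestamp expired")
    return f"{local}@{domain}"


def strictly_aligned(envelope_from, header_from):
    """DMARC strict alignment: exact match of the two domains."""
    return envelope_from.rsplit("@", 1)[1].lower() == header_from.rsplit("@", 1)[1].lower()
```

With a constructed sender `alice@sender.example` forwarded through `forwarder.example`, `reverse()` accepts the rewritten address only with the same secret and within the validity window, and `strictly_aligned()` is false for the rewritten envelope sender against the original From header.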

@bors bors bot closed this as completed in 1ca4d67 Mar 6, 2020
sholl pushed a commit to sholl/Mailu that referenced this issue Jun 26, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2024