DKIM signing issue - relaying mailman e-mails from third party sources
Hello Mark, colleagues,
maybe somebody will be able to help me here.
I would like to relay (and also check with Antivir and sign with DKIM) all Mailman e-mails from our external partners to our final customers. Relaying seems to work nicely, but we have a problem with DKIM authentication and Return-Path. The Mailman servers need to stay with the external partners on their old domains and need to receive bounces. My SMTP gateway is only responsible for receiving e-mails from all the Mailman instances and sending them out.
The problem is that we are sending an e-mail which looks as follows:

From: campaign@myserver.com
Return-Path: mailman-bounces@external-company.com
To: @gmail.com

The problem is that the DKIM check on the gmail server (and all others) returns the error: ...mailman-bounces@external-company.com does not designate xx.xx.xx.xx as permitted sender
How can we solve that issue? At the moment we have a DKIM key only for myserver.com. Why is the DKIM check checking Return-Path and not the From address?
Could you please help here with how to manage that issue? We simply would like to forward all messages from the external Mailman instances installed on the different domains to the final customers using our sender domain myserver.com.
I would appreciate any feedback from your side.
Cheers, Dlugasny
On 10/11/2017 01:23 AM, Dlugasny via Mailman-Users wrote:
> The problem is that we are sending an e-mail which looks as follows:
>
> From: campaign@myserver.com
> Return-Path: mailman-bounces@external-company.com
> To: @gmail.com
>
> The problem is that the DKIM check on the gmail server (and all others) returns the error: ...mailman-bounces@external-company.com does not designate xx.xx.xx.xx as permitted sender
This is not DKIM; it is SPF. external-company.com publishes an SPF record that doesn't allow myserver.com as a sender. Start at https://en.wikipedia.org/wiki/Sender_Policy_Framework to learn more about SPF.
There are two solutions to this. The

    Return-Path: mailman-bounces@external-company.com

header indicates that mailman-bounces@external-company.com is the envelope sender of the message, and SPF is based on the domain of the envelope sender.
solution 1). external-company.com can augment its published SPF record to designate your myserver.com server as a permitted sender.
solution 2). Your mail relaying process can rewrite the envelope sender to your domain, e.g., campaign@myserver.com or some other appropriate @myserver.com address. This will break mailman's automated bounce processing for mail from mailman-bounces@external-company.com that is relayed by you, but if you can verify the deliverability of that mail before relaying it and if it's not deliverable, reject it before rewriting the envelope sender, that won't be an issue.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 10/11/2017 12:12 PM, Mark Sapiro wrote:
> solution 2). Your mail relaying process can rewrite the envelope sender to your domain, e.g., campaign@myserver.com or some other appropriate @myserver.com address. This will break mailman's automated bounce processing for mail from mailman-bounces@external-company.com that is relayed by you, but if you can verify the deliverability of that mail before relaying it and if it's not deliverable, reject it before rewriting the envelope sender, that won't be an issue.
Would something like configuring the MTA to use Sender Rewrite Scheme help avoid this issue?
SRS would mean that the MTA would rewrite the SMTP envelope from address to be a local domain that is permitted by SPF. SRS would also decode any bounces and send the original address into Mailman. - I think.
--
Grant. . . .
unix || die
On 10/12/2017 02:15 PM, Grant Taylor via Mailman-Users wrote:
> On 10/11/2017 12:12 PM, Mark Sapiro wrote:
>> solution 2). Your mail relaying process can rewrite the envelope sender to your domain, e.g., campaign@myserver.com or some other appropriate @myserver.com address. This will break mailman's automated bounce processing for mail from mailman-bounces@external-company.com that is relayed by you, but if you can verify the deliverability of that mail before relaying it and if it's not deliverable, reject it before rewriting the envelope sender, that won't be an issue.
> Would something like configuring the MTA to use Sender Rewrite Scheme help avoid this issue?
Yes. SRS, as I understand it from https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme, would solve the whole problem.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
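To make concrete what the SRS rewrite discussed in this thread does on the relay, here is an added example (not code from the thread or from Mailman or any MTA): the forward rewrite turns the envelope sender mailman-bounces@external-company.com into an SRS0 address at myserver.com, so SPF is evaluated against the relay's own domain, and the reverse step verifies the embedded HMAC and timestamp on a returning bounce before handing the original mailman-bounces address back, so Mailman's bounce processing still works. The secret, the 21-day window and the day counts used in the checks are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import time

SRS_SECRET = b"demo-secret-change-me"   # constructed demo value; a real relay keeps its own
LOCAL_DOMAIN = "myserver.com"            # the domain whose SPF record permits the relay
SRS_MAX_AGE_DAYS = 21                    # bounces older than this are refused on the way back
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(days):
    """SRS timestamp: two base32 chars of days-since-epoch mod 1024."""
    return _B32[(days >> 5) & 31] + _B32[days & 31]


def _hash(ts, domain, local):
    """Four base32 chars of an HMAC over timestamp, original domain and local part."""
    mac = hmac.new(SRS_SECRET, (ts + domain + local).lower().encode(), hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()


def srs_forward(envelope_from, days=None):
    """Rewrite the envelope sender to SRS0=HHHH=TT=orig-domain=orig-local@LOCAL_DOMAIN."""
    days = int(time.time() // 86400) if days is None else days
    local, domain = envelope_from.rsplit("@", 1)
    ts = _timestamp(days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{LOCAL_DOMAIN}"


def srs_reverse(address, days=None):
    """Validate an SRS0 bounce address we issued and return the original envelope sender."""
    days = int(time.time() // 86400) if days is None else days
    local, domain = address.rsplit("@", 1)
    if domain.lower() != LOCAL_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this relay")
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 local part")
    h, ts, orig_domain, orig_local = parts
    ts = ts.upper()
    # Constant-time compare so a forged bounce cannot be used to route mail to arbitrary senders.
    if not hmac.compare_digest(h.upper(), _hash(ts, orig_domain, orig_local)):
        raise ValueError("SRS hash mismatch")
    stamped = (_B32.index(ts[0]) << 5) | _B32.index(ts[1])
    if (days - stamped) % 1024 > SRS_MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"
```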
participants (3)
- Dlugasny
- Grant Taylor
- Mark Sapiro