I receive many complaints that mails could not be sent through my server anymore (recipient on my server or forwarding via my server) another message is I'm using rspamd. This is what I found in mail.log Any idea? Do I have to disable spamhaus?
I've checked postfix main.cf There I found According to https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html the blocking should be done in rspamd and not on smtp-level. Is that right? So should I remove the reject_rbl_client entries above and configure it according to https://github.com/spamhaus/rspamd-dqs ?
Is this an ISPConfig system? If yes, go to System > server config > mail, remove zen.spamhaus.org from the RBL field, and press save. Spamhaus has been causing lots of issues lately, so ISPConfig has not used it anymore for some time.
I know it's not the same issue, but is there any news on implementing SRS? Most of my clients are using their domains just for mail forwarding and they get more and more errors...
You can use SRS on ISPConfig, it's just not set up by default. Google e.g. for "postfix postsrsd". You can also find threads about that here in the forum.
Yes, I found this: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2551 (with "Till Brehm changed milestone to %3.2.13 vor 3 Monaten") and this https://share.rb-hosting.de/s/EdbfgQxwTX3AqMN But I was waiting if it would be included and not that I break something with a new config --> would you recommend to wait for 3.2.13 or can I continue implementing it?
I can't give you a definite date when this will be included as it has not been widely tested and verified yet. So if you need it now, then you might want to try if it works. Likely, you have to redo this on updates though until it made its way into the main code.
Have a look here https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-1.89827/ and here https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-2.89828/ if you want to implement SRS. I've just finished a fresh Ubuntu 24.04 mailserver install with the autoinstaller script. Some things seem to have changed slightly in config files since I've created these tutorials so you need to pay extra attention when following the steps but in the end it still works.
Thank you @remkoh I've already implemented SRS using the script provided by Jens and Helmo in this post. The script does basically the same as you've provided in part 1 (I don't use relay) with slight differences: In master.cf you've added
Code:
  -o smtpd_milters= -o non_smtpd_milters=
(is that relevant? Values are empty) And in virtual-outgoing-bcc.cf they added 2 other where conditions
Code:
  WHERE (email = '%s' OR email = regexp_replace('%s', '^srs0=.+?=..=(.+)=(.+)@.*$', '\\\\2@\\\\1') OR email = regexp_replace('%s', '^srs0=.+?=..=(.+)=(.+)@.*$', '@\\\\1') ) ...
Otherwise it looks the same. --> I manually adjusted those 2 files to your settings, restarted both services and tested again: Same result (see details here) --> SPF not aligned, DMARC denied and DKIM not found
Are you sure your rewrite domain has proper spf and dmarc records in the dns? I've been testing my new install a lot, including different ways to forward mail to both hotmail and gmail. All tests succeeded, senders were rewritten and mail was forwarded and received by hotmail and gmail. I never had a spf or dmarc failure in the headers. Only thing was that the first forward to hotmail ended up in the spamfolder. Others after that not. Had nothing to do with spf or dmarc and all with microsoft being microsoft.
Yes, I am sure, because if SRS is not working (sender and recipient are internal, although both are sending from/to google), everything is green: The problem is, when it's coming from outside, it mixes the sender DMARC & DKIM and my SRS-SPF (see test in Just updated to 3.3.0p2. I saw there was a bug report with BCC, so I gave it a try (changed virtual_outgoing_bcc): https://forum.howtoforge.de/threads/outgoing-bcc-bei-srs.13828/ Well, something has changed, but it's still not 100%: Google shows it passed (still mixed up): With srs the srs-domain is being displayed: But MX-Toolbox reveals still some mistakes: DKIM cannot be authenticated, because SPF is the SRS domain and DKIM the customer domains: not aligned
Updated the new server to 3.3.0p2 just now and ran a new test (all my tests were external) Still all working as expected.
Code:
  ARC-Seal: i=2; a=rsa-sha256; t=1750432625; cv=pass; d=google.com; s=arc-20240605;
    b=ZSEFFXnm/IDCZ77VTbn9BVgPbsM+z+Yn+kq+LgDXskKKvAcRfAiHzcrCRpqti8LAKS
    u8fLpn6/Uv09Va/+XvTRGAkOMkmvkngLUR9HnG5jVdilFQzHpbZNrGUpabrihx924qw8
    8QI/dO8vshgpcjDzdErXVecHkSe18VOFRqcsclrEgPUGNU18CyOwR++aFZQej3cxrCr+
    BjWS2Qr9d1rhi8SSQmIjq1NDJD1rPX1k/Adde2rlvunm4/w/yp9LaehYR/4/pTiLk+MN
    XDHYS5xrm5VD10TnqTLA2ruuyUPvkiccqXIGS+L7X6JNjKpnCPH4mTD6BqJDTDvedxgN
    emrA==
  ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
    h=mime-version:content-language:accept-language:message-id:date
    :thread-index:thread-topic:subject:to:from:dkim-signature
    :dkim-filter:delivered-to:dkim-filter;
    bh=daGxVxATHHgiriZLhXnJimtKmK0j31KYtuFSzqaNQ4A=;
    fh=nSyKi/lCtcARFJZwmTlbGGfDLcVq+DWta2JAIbl10Is=;
    b=hTy34IWP+q2XxkSvqLjUVbZi8oq8ceV8F3ms2LR4xvKlpniibA09+3mL3VcUks4D6K
    kNerUyXEGYmpy3F+uS7HNbzWqD0JDPGceupj1ymyNG6FtfT4Cn7FiRZmtqVm+JixWJKL
    fQlkcTGUxXcWkck+kooHnTnQ6AuKVc7g8GHCR7eyw7xsWvjzZmqnIFrct0N27x7RNDUO
    7DLNPmU8kpAZlYzheYVGm5jswA4vVOIW8mLnEJTvCPK405mRcgTyMHqR5o8bgwYH9Hnb
    DrjKKGyBcF55qjLE+r8yEroo6tZJGOI2otx7I0NKfdzGX+0O/ThZKBfylhThPIKEqbtF
    G/1g==;
    dara=google.com
  ARC-Authentication-Results: i=2; mx.google.com;
    dkim=pass [email protected] header.s=_dkim header.b=Av3f7tXD;
    arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld);
    spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
    dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
  Return-Path: <[email protected]>
  Received: from mysmarthost (mysmarthost. [1.2.3.4]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-60a18a7f956si1725996a12.184.2025.06.20.08.17.05 for <[email protected]> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Jun 2025 08:17:05 -0700 (PDT)
  Received-SPF: pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
  Authentication-Results: mx.google.com;
    dkim=pass [email protected] header.s=dkim header.b=Av3f7tXD;
    arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld);
    spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
    dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
Side note: All mail received on my gmail is copyforwarded to another personal mailaddress. That too is without any spf, dkim and dmarc errors. Also, the fact that I have a smarthost between the new mailserver and gmail should not make any difference when spf is set up properly.
This is exactly the problem: My system is not changing the host correctly. While your "ARC-Authentication-Results" show
Code:
  arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld); spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]"; dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
mine still show the original (unchanged GMail):
Code:
  arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Could you do me a favour and paste the whole original Header into https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx and verify that the dmarc/dkim and spf is not mixed up? For me only SPF has been adjusted
I get the proper domainnames but spf and dkim signature are red.
- dmarc:mydomain.tld
- spf:srsdomain.tld (1.2.3.4)
- dkim:mydomain.tld:dkim
It seems you have the same problem: SPF is taken from SRS, but DKIM is not rewritten to the SRS server, but the original server is being kept. Am I wrong thinking this is not working correctly?
I don't understand the results mxtoolbox is giving. The whole purpose of SRS is preventing SPF errors only. So everything seems to be working. As long as the body of the mail doesn't get altered along the way then the original dkim signature remains to be valid. So there's no need for SRS to resign it. The headers at the final destination support this. Spf, dkim and dmarc are all passed.
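The alignment question debated in the posts above, worked through as an added example that is not part of any post in the thread: it parses an Authentication-Results value and reports which identifier is aligned with the From domain, for a forwarded message whose original DKIM signature survived and for one where it did not. The header values, the domains `customer.example` and `srsdomain.example`, and the two-label organizational-domain shortcut are assumptions constructed for illustration.

```python
import re

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain;
    # a real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_authres(value):
    """Pull SPF/DKIM results and the From domain out of an Authentication-Results value."""
    out = {"spf": None, "spf_domain": "", "dkim": [], "from_domain": ""}
    for clause in value.split(";")[1:]:                      # item 0 is the authserv-id
        clause = re.sub(r"\([^)]*\)", " ", clause).strip()   # drop (comments)
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        props = dict(re.findall(r'([\w.]+)="?([^\s";]+)', clause))
        if method == "spf":
            out["spf"] = result
            out["spf_domain"] = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
        elif method == "dkim":
            d = props.get("header.d") or props.get("header.i", "").rsplit("@", 1)[-1]
            out["dkim"].append((result, d))
        elif method == "dmarc":
            out["from_domain"] = props.get("header.from", "")
    return out

def dmarc_view(value):
    """DMARC passes when SPF or DKIM both passes and is aligned with the From domain."""
    r = parse_authres(value)
    frm = org_domain(r["from_domain"])
    spf_ok = bool(frm) and r["spf"] == "pass" and org_domain(r["spf_domain"]) == frm
    dkim_ok = bool(frm) and any(
        res == "pass" and org_domain(d) == frm for res, d in r["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed samples: SRS has rewritten the envelope sender to the forwarder's domain.
SRS = 'spf=pass (sender permitted) smtp.mailfrom="SRS0=ab12=CD=customer.example=alice@srsdomain.example"'
FORWARDED_INTACT = ("mx.receiver.example; dkim=pass header.d=customer.example header.s=sel1; "
                    + SRS + "; dmarc=pass (p=QUARANTINE) header.from=customer.example")
FORWARDED_ALTERED = ("mx.receiver.example; dkim=fail (body hash did not verify) "
                     "header.d=customer.example; " + SRS + "; dmarc=fail header.from=customer.example")

if __name__ == "__main__":
    for name, hdr in (("intact", FORWARDED_INTACT), ("altered", FORWARDED_ALTERED)):
        print(name, dmarc_view(hdr))
```

In both samples SPF passes only for the SRS domain and is therefore not aligned, so the DMARC outcome rests entirely on whether the sender's DKIM signature still verifies after forwarding.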