Mike, thanks for taking the time to detail that! I guess I assumed
(maybe wrongly) that when EXIM forwards a message that the SPF and DKIM
of the domain on the EXIM server would apply and be in the sent forward.
In that case wouldn't all entities align?
Just to make sure I'm stating what I'm trying to do clearly...
joe@??? ---> sue@???, which is set to forward to
sue@???
EXIM sends the forward to SES as joe@??? ---> sue@???
SES responds 554 because yahoo.com is not verified in the SES account,
even though the headers clearly show that the *forward* is coming from
myserver.com which *is* verified in the SES account.
Why am I doing this? My sending IP is clean as a whistle, but due to MS
(outlook, live, hotmail) and Yahoo (along with others) having a guilty
until proven innocent attitude, a lot of email from my server going to
those accounts (if the sender isn't already in their address book) goes
to Junk, or worse yet, is rejected and bounced. I have jumped MS's hoops
and added my IP to their system, but it still happens. MS is now zero help.
I turned to SES and also to MailGun to use their sending server/IP and
that solved the problem, but each of them has a serious failing.
MailGun doesn't return bounces to the sender (SES does), and SES doesn't
allow forwards such as this (MG does). So I'm stuck with three "pretty
good" SMTP solutions, but each has a unique issue, and this is one
avenue I'm looking down to make it work.
-Pete
On 2018-03-19 12:26, Mike Brudenell wrote:
> Be careful if you plan to start rewriting the RFC5322.From header. If the
> message has had a DKIM signature applied to it that header's content will
> almost certainly be covered by the signature to detect
> tampering/alterations such as you're proposing, and you'll be invalidating
> it; this might give you problems delivering to sites that validate DKIM
> signatures. So you'll likely have to sign it again yourself, possibly also
> using ARC to confirm the authenticity chain.
>
> Without knowing your situation it sounds like you're trying to do the same
> sort of thing as mailing lists do: send out messages originating from
> senders (list contributors) from arbitrary domains? You have to be careful
> with these, especially if the sender's domain has a DMARC policy other than
> "none" in place. This requires one or both of the standard SPF and DKIM
> tests to pass *and* for the domain being considered to align with that in
> the RFC5321.From header in order for DMARC to consider it an acceptable
> pass. Modern mailing list manager software handles this by rewriting the
> RFC5322.From header to use its own domain, which it can then DKIM-sign
> using its own keys.
>
> In passing, SRS rewrites the RFC5321.MailFrom address (sender address in
> the SMTP envelope) not the RFC5322.From or Sender headers. Any change to
> the Sender header will likely be a byproduct, I think.
>
> Cheers,
> Mike B-)
>
> On 18 March 2018 at 19:21, Pete Schaefers via Exim-users <
> exim-users@???> wrote:
>
> > When Amazon SES receives mail it validates the From: against verified
> > domains and addresses. If it does not find it valid it drops the mail and
> > returns error 554. (See last couple posts in this thread for more info if
> > desired: https://forums.aws.amazon.com/message.jspa?messageID=745028#745028 )
> >
> > I am running a hosting server with cPanel and EXIM. I had hoped that SRS
> > would fix this denial by changing the Sender: header and SES would accept
> > it, but apparently SES ignores that, and still rejects. Amazon seems
> > hesitant to address this, so I'm looking for other ways to address it.
> >
> > The one that seems best to me would be to rewrite the From: header to one
> > that will validate (that of on sending server rather than the off server
> > original). I would only want to do that when the mail is a forward,
> > original sender is off server, and the recipient is off server. This would
> > also mean making sure the Replyto: was set to the original sender, I would
> > think.
> >
> > I have only a little experience with EXIM rewrites, and the syntax of the
> > config file, so I'm looking for some help in programming the logic of this
> > rewrite.
> >
> > Does this seem like a good approach, or am I missing something easier,
> > such as re-configuring something already built in to EXIM about how it
> > treats forward From: addresses?
> >
> > Thanks in advance for anyone's contribution.
> >
> > -Pete
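
Added example, not part of the thread and not Exim configuration: a Python sketch of the rewrite logic discussed above (forward only, off-server author, off-server recipient, Reply-To preserved) that also reports whether an existing DKIM signature covered From: and is therefore invalidated. The domain `myserver.example`, the address `forwarder@myserver.example`, the `is_forward` flag and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

LOCAL_DOMAINS = {"myserver.example"}      # assumption: domains hosted on this server
FORWARDER = "forwarder@myserver.example"  # assumption: From: address the relay accepts

# Constructed sample: an off-server author whose domain DKIM-signed the From: header.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel;
\th=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
From: Joe <joe@sender.example>
To: sue@myserver.example
Subject: hello

body
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def signed_headers(sig):
    """Header names listed in a DKIM-Signature's h= tag, lower-cased."""
    tags = {}
    for tag in sig.split(";"):
        key, sep, value = tag.partition("=")
        if sep:
            tags[key.strip()] = value
    return {h.strip().lower() for h in tags.get("h", "").split(":")}

def rewrite_forward(msg, rcpt, is_forward):
    """Rewrite From: only for a forward with off-server author and recipient.

    Returns (rewritten, dkim_invalidated); msg is modified in place."""
    name, author = parseaddr(msg.get("From", ""))
    if not (is_forward and author
            and domain_of(author) not in LOCAL_DOMAINS
            and domain_of(rcpt) not in LOCAL_DOMAINS):
        return False, False
    if "Reply-To" not in msg:              # keep replies going to the original author
        msg["Reply-To"] = formataddr((name, author))
    del msg["From"]
    msg["From"] = formataddr((f"{name or author} via myserver", FORWARDER))
    # Any existing signature whose h= covers From no longer verifies.
    invalidated = any("from" in signed_headers(s)
                      for s in msg.get_all("DKIM-Signature", []))
    return True, invalidated

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print(rewrite_forward(m, "sue@elsewhere.example", True))
    print(m["From"], "|", m["Reply-To"])
```

When the second return value is true, the original signature cannot be repaired by the forwarder; the message has to be signed again with the forwarder's own domain, as the reply above notes.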