Email forwarding

[majkrzak]

I'm currently playing with maddy to configure it in the way it will receive me@my.domain emails and forward them to me@gmail.com.

I see that in my current working setup, my domain provided is doing it by applying SRS to the addresses and ARC headers.

Is it possible to achieve in maddy?

[nickersonm]

I handle this by resubmitting to the outbound queue after re-DKIM-signing:

# Route messages to local addresses
msgpipeline local_routing {
  # Reject if blacklisted
  destination_in &blacklist {
    reject 550 5.7.13 "User account disabled"
  }
  
  # If to a local domain, continue processing
  destination postmaster $(local_domains) {
    # Apply local-address rewrites; run twice for recursive aliases
    modify { replace_rcpt &local_rewrites }
    modify { replace_rcpt &local_rewrites }
    
    reroute {
      # Reject if resolved alias is blacklisted
      destination_in &blacklist {
        reject 550 5.7.13 "User account disabled"
      }
      
      # Deliver locally if destination is a known account
      destination_in &local_authdb {
        deliver_to &local_mailboxes
      }
      
      # Sent to a local mailbox that is not a known account
      destination postmaster $(local_domains) {
        # Perform catchall translations then reapply local rewrites
        modify { replace_rcpt &local_catchall }
        modify { replace_rcpt &local_rewrites }
        
        # Attempt delivery locally
        deliver_to &local_mailboxes
      }
      
      # Initially a local domain, but now not - must be a forwarding alias, submit to outbound
      default_destination {
        # Re-sign with DKIM
        modify {
          dkim $(local_domains) default
        }
        deliver_to &remote_queue
      }
    }
  }
  
  # Not in handled domains
  default_destination {
    reject 550 5.1.2 "Unknown domain"
  }
}

[majkrzak]

How does it works? dkim modifier is not able to sign non $(local_domain) senders

[debug] check.dkim: good signature      {"domain":"gmail.com","identifier":"@gmail.com","msg_id":"bc7e6245"}
modify.dkim: no key for domain  {"domain":"gmail.com","msg_id":"bc7e6245"}

this causes me@gmail.com -> me@my.domain -> me@gmail.com to fail.

[nickersonm]

You're right, dkim should not be there unless it's from a signable domain, but it does not fail the delivery for me:

smtp: RCPT ok  {"msg_id":"5cb5b87f","rcpt":"gmail@nickersonm.com"}
modify.dkim: no key for domain {"domain":"<gmail-managed domain>","msg_id":"5cb5b87f"}
smtp: accepted {"msg_id":"5cb5b87f"}
queue: delivered       {"attempt":1,"msg_id":"5cb5b87f","rcpt":"nickersonm@<gmail-managed domain>"}

However, depending on the recipient server settings this is likely to result in no delivery due to invalid signing.

I do not know how to implement SRS with maddy, but I will follow this thread with interest in case you find out!

[majkrzak]

Apparently replacing sender with forward@my.domain works well. I'm not exactly sure if there are some downsides of this, bit at least Gmail seems to deal with such messages correctly.

          default_destination {
            modify {
              replace_sender regexp ".*" "forward@my.domain"
              dkim $(local_domains) default
            }
            deliver_to target.remote {
            }
          }