On 2019-09-02 06:24, Alexander Dalloz via dovecot wrote:
> On 01.09.2019 at 14:41, Aleksandr Mette via dovecot wrote:
>> 4. Forward e-mail
>
> Don't do that nor let your users auto-forward their mail received on
> your MX. Else you will end up faster than you think on blacklists as
> very likely your server will forward SPAM and gets classified as a
> SPAM source.

You have to let users forward their email because this is functionality they expect. The trick is to spam scan all email first, otherwise as Alexander has said, you end up on RBL's.
On 9/1/19 2:53 PM, Michael Hallager via dovecot wrote:
> On 2019-09-02 06:24, Alexander Dalloz via dovecot wrote:
>> On 01.09.2019 at 14:41, Aleksandr Mette via dovecot wrote:
>>> 4. Forward e-mail
>>
>> Don't do that nor let your users auto-forward their mail received on
>> your MX. Else you will end up faster than you think on blacklists as
>> very likely your server will forward SPAM and gets classified as a
>> SPAM source.
>
> You have to let users forward their email because this is
> functionality they expect. The trick is to spam scan all email first,
> otherwise as Alexander has said, you end up on RBL's.

It's actually a lot harder than this. Most default installations I've seen don't take into account Return-Path notifications (i.e. passing these notifications upstream to the origin), troubleshooting last-node delivery issues (user-created loops causing mailserver denial of service if quota management wasn't properly configured, greylisting, outbound mail suppression) and abuse (hacked accounts, interspersed third-party servers that truncate the return path to obfuscate the full origin). Mishandling any of these can result in lowered IP reputation, which would cause you to wind up on an RBL eventually.
> You have to let users forward their email because this is
> functionality they expect. The trick is to spam scan all email first,
> otherwise as Alexander has said, you end up on RBL's.
>
> It's actually a lot harder than this. Most default installations I've
> seen don't take into account Return-Path notifications (i.e. passing
> these notifications upstream to the origin),

What is a "default installation"? I have a good working knowledge of all the software I have deployed in my and my clients' mail servers and I have spent a considerable amount of time over the years furthering my understanding and perfecting my configs.

If, by "default installation", you mean take a piece of software off the shelf and follow a quick and dirty howto guide without any understanding of what the options mean, then of course under these situations people are going to run into issues.
On 1 Sep 2019, at 15:53, Michael Hallager <michael at nettrust.nz> wrote:
> On 2019-09-02 06:24, Alexander Dalloz via dovecot wrote:
>> On 01.09.2019 at 14:41, Aleksandr Mette via dovecot wrote:
>>> 4. Forward e-mail
>> Don't do that nor let your users auto-forward their mail received on
>> your MX. Else you will end up faster than you think on blacklists as
>> very likely your server will forward SPAM and gets classified as a
>> SPAM source.
>
> You have to let users forward their email

No you don't.

> because this is functionality they expect.

Which they can manage themselves with IMAP logging and local rules.

> The trick is to spam scan all email first, otherwise as Alexander has said, you end up on RBL's.

A lot of mail that is not spam when it arrives WILL be spam when it is forwarded as it will fail SPF, fail DKIM, and any header checks will flag the mail as suspicious.

The only way to safely forward mail is to enclose it as an attachment, and this is something users do not want.

--
Oh never resist an impulse, Sabrina. Especially if it's terrible.
On 4 Sep 2019, at 07:26, @lbutlr <kremels at kreme.com> wrote:
> with IMAP logging and local rules.

IMAP logins.

--
"640K ought to be enough RAM for anybody." - Bill Gates, 1981
On 04/09/2019 15:26, @lbutlr via dovecot wrote:
> A lot of mail that is not spam when it arrives WILL be spam when it is forwarded as it will fail SPF, fail DKIM, and any header checks will flag the mail as suspicious.
>
> The only way to safely forward mail is to enclose it as an attachment, and this is something users do not want.

IMO this is wrong. A classic forwarding (e.g. by .forward or by a MLM that does not alter Subject and/or body) will *not* break DKIM. Therefore it will pass e.g. DMARC... Just have a look at the postfix-users mailing list as a good example...

Just my 2¢.

Juri
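
The SPF, DKIM and DMARC outcomes discussed in the messages above, worked through as an added example that is not part of the original thread. It applies the DMARC pass rule (RFC 7489, relaxed alignment) to several forwarding cases; all domain names and scenarios are constructed, and the organizational-domain helper is a simplification (an assumption) that takes the last two labels instead of consulting the Public Suffix List.

```python
# Added illustration (not from the thread): simplified DMARC evaluation
# for direct and forwarded delivery. All domains below are constructed.

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Production code must use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(a) == org_domain(b)

def dmarc_pass(header_from, spf_result, mail_from_domain, dkim_sigs):
    """DMARC passes if SPF or DKIM passes AND aligns with the From: domain.

    dkim_sigs is a list of (d= domain, signature verified) tuples.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from)
    dkim_ok = any(ok and aligned(d, header_from) for d, ok in dkim_sigs)
    return spf_ok or dkim_ok

FROM = "sender.example"
SCENARIOS = {
    # Delivered straight from the sender's own outbound server.
    "direct": ("pass", "bounce.sender.example", [("sender.example", True)]),
    # .forward style relay: envelope sender kept, forwarder IP is not in
    # the sender's SPF record, message body and headers untouched.
    "plain_forward": ("fail", "bounce.sender.example", [("sender.example", True)]),
    # Forwarder rewrites the envelope sender (SRS): SPF passes, but for the
    # forwarder's domain, so it does not align with From:.
    "srs_forward": ("pass", "forwarder.example", [("sender.example", True)]),
    # List or filter that alters Subject/body: the DKIM body hash breaks.
    "modified_forward": ("fail", "bounce.sender.example", [("sender.example", False)]),
    # Sender never signed with DKIM: forwarding leaves nothing to pass.
    "forward_no_dkim": ("fail", "bounce.sender.example", []),
}

def evaluate_all():
    return {name: dmarc_pass(FROM, spf, mfrom, sigs)
            for name, (spf, mfrom, sigs) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:17} DMARC {'pass' if ok else 'FAIL'}")
```
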