I am using Postfix as a mail server for my applications. I have setup TLS, DKIM, SPF and TXT records for my mailing domain i.e; mail.xyz.com. This mail domain is pointing to the Postfix server.
The problem is that if I send the email using some mail id of my domain like [email protected], it works well and the mail gets delivered to any of the mail servers like Gmail, or Yahoo etc. But if I send the mail form other domain mail id like [email protected] the mail appears with a warning signing that the sender is a spammer or sometimes the mail is not delivered and I get a delivery faliure message saying that the mail server is not authorized to send the mail using [email protected] or [email protected]
I have done some research and learnt about SPF, TXT, DKIM and TLS. I have added all these to the required server but the problem persists still.
Amazon SES, or some other Email APIs has managed this somehow so that we can send the mails from other mail ids and their mail appears in the inbox like this: [email protected] via amazonses.com
Could anyone help me on this as it has become biggest challenge for us.
My main.cf is:
$# nano /etc/postfix/main.cf
GNU nano 2.0.9 File: /etc/postfix/main.cf
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
#local_recipient_maps =
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
myhostname = mail.xyz.com
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain =xyz.com
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# [email protected].
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
proxy_interfaces = 10.2.11.292, 120.18.12.73, 18.75.58.218
#proxy_interfaces = 1.2.3.4
unknown_local_recipient_reject_code = 550
#relay_domains = $mydestination
relay_domains =
#smtpd_use_tls = yes
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
smtpd_banner = mail.xyz.com ESMTP
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
#
sample_directory = /usr/share/doc/postfix-2.6.6/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
#For TLS set up For xyz.com
# TLS parameters
smtpd_tls_CAfile = /etc/postfix/tls/xyz_com.crt
smtpd_tls_cert_file = /etc/postfix/tls/xyz_com.crt
smtpd_tls_key_file = /etc/postfix/tls/xyz_com.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_CAfile = /etc/postfix/tls/xyz_com.crt
smtp_tls_cert_file = /etc/postfix/tls/xyz_com.crt
smtp_tls_key_file = /etc/postfix/tls/xyz_com.key
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
# TLS end
# Added 16 April,2015
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Added for DKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
#milter_protocol = 2
An early response will be highly appreciated.
Thanks
Put simply, you can't do what you're trying to do.
You're trying to say that your server is authorized to send email as a Yahoo or Gmail address, without being so authorized by Yahoo or Google. If this were allowed, then anyone could stand up an SMTP server and send email masquerading as any Yahoo or Gmail address (or for that matter, any other email address). That's called phishing and it's a very bad thing.
Amazon SES can (sort of) get away with this, as you note above. But even that hole is closing, as more of the large senders adopt DMARC to block this kind of phishing email. With a DMARC p=reject policy in place, even the Amazon SES email gets bounced. The big email service providers (like Amazon SES) are currently in the process of adjusting to these anti-phishing standards.
Your best option is to send email exclusively from domains that you control and treat this as a limitation of the technology.