Postfix - Sender Rewriting Scheme (SRS) installation

About

This page is about the installation of postsrsd which implements Sender Rewriting Scheme (SRS) for Postfix

Sender Rewriting Scheme (SRS) is mandatory in order to conform to the SPF scheme when the emails are forwarded (ie with virual aliasing for PostFix)

Sender Rewriting Scheme (SRS) is a process that rewrite the sender address:

[email protected]

into

[email protected]

Steps

Installation

Autoconf process

  • Package
yum install -y cmake unzip curl 
  • Temporary installation directory
mkdir -p /tmp/srs
cd /tmp/srs
  • Download
curl -L -o master.zip https://github.com/roehling/postsrsd/archive/master.zip
# or
#wget https://github.com/roehling/postsrsd/archive/master.zip
  • Unzip
unzip master.zip
  • Install
cd postsrsd-master
# Optionally cmake you config (by default installed into /usr/lib)
make
make install

Configuration

SRS

Optional

cat /etc/default/postsrsd
# Default settings for postsrsd

# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.
#
#SRS_DOMAIN=example.com

# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
#SRS_EXCLUDE_DOMAINS=.example.com,example.org

# First separator character after SRS0 or SRS1.
# Can be one of: -+=
SRS_SEPARATOR==

# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
#
SRS_SECRET=/etc/postsrsd.secret

# Length of hash to be used in rewritten addresses
SRS_HASHLENGTH=4

# Minimum length of hash to accept when validating return addresses.
# When increasing SRS_HASHLENGTH, set this to its previous value and
# wait for the duration of SRS return address validity (21 days) before
# increading this value as well.
SRS_HASHMIN=4

# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.
#
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002

# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.
#
RUN_AS=nobody

# Bind to this address
#
SRS_LISTEN_ADDR=127.0.0.1

# Jail daemon in chroot environment
CHROOT=/usr/local/lib/postsrsd

Postfix

In the main.cf conf file

sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient

where the below parameters are for adress rewrite:

Services

systemctl enable postsrsd # to start it at boot
systemctl start postsrsd
systemctl restart postfix

Test

Email

Send an email to your provider and check the received message. For instance, for Email - (Mime) Message (Enveloppe) - Internet Message

You should see:

  • the email rewrite
  • and the added Return Path
  • and a successful SPF test

_

Log

In the output of postsrsd, you should see the rewrite.

sudo systemctl status postsrsd
Jun 16 17:31:34 server01.bytle.net postsrsd[30592]: srs_forward: <[email protected]> rewritten as <[email protected]>

Documentation / Reference


Powered by ComboStrap