docker-mailserver: bug report: Mail forwarding bounced by gmail

📝 Preliminary Checks

I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

Hi all, I’m using one single instance of docker mailserver to handle several domains. One of the domains is a pure forwarder, i.e. user@domain is forwarded to user@gmail and so on. All worked fine for more than a year, but last month I started getting emails bouncing from the forwarder. The sender gets the following: host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [sender-domain.com] with ip: [my-mail-server-ip] = did not pass 550-5.7.26 550-5.7.26 To mitigate this issue, please visit Gmail's authentication guide 550-5.7.26 for instructions on setting up authentication: 550 5.7.26

For some unknown reason, when forwarding the mail my mailserver is trying to present itself as the sender’s domain. The sender’s domain is properly set up (dkim,spf etc) and my server is also properly set up (dmarc dkim spf etc). Email traffic there is roughly 20 emails per day for the whole domain, most of them from postmaster’s cron.

👟 Reproduction Steps

set up a forwarder with ./setup.sh alias add test123@domain.com user@gmail.com then send an email to test123@domain.com from something different than gmail, in my case using latest thunderbird and a paid email hosting company

you will get the output (pasted below) and a email informing you that the email bounced (like the text above). I have snipped private domain names and IPs for obvious reasons.

🐋 DMS Version

v12.1.0

💻 Operating System and Architecture

Ubuntu 20.04.6 LTS

⚙️ Container configuration files

mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    hostname: mail
    domainname: my-domain.com
    container_name: mailserver
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - proxy_certs:/etc/letsencrypt/live
      - ./config/:/tmp/docker-mailserver/
      - ./cron/sa-learn:/etc/cron.d/sa-learn

📜 Relevant log output

mailserver                | Nov 18 10:59:17 mail postfix/postscreen[177010]: CONNECT from [23.83.216.34]:23397 to [172.20.0.3]:25
mailserver                | Nov 18 10:59:23 mail postfix/postscreen[177010]: PASS NEW [23.83.216.34]:23397
mailserver                | Nov 18 10:59:23 mail postfix/smtpd[177011]: connect from cheetah.pear.relay.mailchannels.net[23.83.216.34]
mailserver                | Nov 18 10:59:24 mail postfix/smtpd[177011]: Anonymous TLS connection established from cheetah.pear.relay.mailchannels.net[23.83.216.34]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
mailserver                | Nov 18 10:59:25 mail policyd-spf[177228]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=23.83.216.34; helo=cheetah.pear.relay.mailchannels.net; envelope-from=sender@sender-domain; receiver=<UNKNOWN>
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail dovecot: auth: passwd-file(test@my-domain): unknown user
mailserver                | Nov 18 10:59:25 mail postfix/smtpd[177011]: B0E6F5828BC: client=cheetah.pear.relay.mailchannels.net[23.83.216.34]
mailserver                | Nov 18 10:59:26 mail postfix/cleanup[177233]: B0E6F5828BC: message-id=<20c59ac9-9afc-46bc-afc9-1b4c7763e612@sender-domain>
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 20 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 19 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 19 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:26 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:26 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 19 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 19 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: cheetah.pear.relay.mailchannels.net [23.83.216.34] not internal
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: not authenticated
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: DKIM verification successful
mailserver                | Nov 18 10:59:27 mail opendkim[1138]: B0E6F5828BC: s=default d=sender-domain a=rsa-sha256 SSL
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC: ignoring invalid ARC-Authentication-Results header "i=1;#012#011rspamd-55bcb54c45-c8qs5;#012#011auth=pass smtp.auth=thundermail smtp.mailfrom=sender@sender-domain"
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC ignoring Authentication-Results at 19 from cloud104.unlimitedwebhosting.co.uk
mailserver                | Nov 18 10:59:27 mail opendmarc[1114]: B0E6F5828BC: sender-domain none
mailserver                | Nov 18 10:59:27 mail postfix/qmgr[176941]: B0E6F5828BC: from=<sender@sender-domain>, size=5194, nrcpt=1 (queue active)
mailserver                | Nov 18 10:59:27 mail postfix/smtpd[177011]: disconnect from cheetah.pear.relay.mailchannels.net[23.83.216.34] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
mailserver                | Nov 18 10:59:27 mail postfix/smtpd-amavis/smtpd[177249]: connect from localhost[127.0.0.1]
mailserver                | Nov 18 10:59:27 mail postfix/smtpd-amavis/smtpd[177249]: E097F5828BD: client=localhost[127.0.0.1]
mailserver                | Nov 18 10:59:27 mail postfix/cleanup[177233]: E097F5828BD: message-id=<20c59ac9-9afc-46bc-afc9-1b4c7763e612@sender-domain>
mailserver                | Nov 18 10:59:27 mail postfix/qmgr[176941]: E097F5828BD: from=<sender@sender-domain>, size=5726, nrcpt=1 (queue active)
mailserver                | Nov 18 10:59:27 mail amavis[176963]: (176963-01) Passed CLEAN {RelayedOpenRelay}, [23.83.216.34]:23397 [senders-mailserver-ip] <sender@sender-domain> -> <me@gmail.com>, Queue-ID: B0E6F5828BC, Message-ID: <20c59ac9-9afc-46bc-afc9-1b4c7763e612@sender-domain>, mail_id: WOMGCnpLlNdK, Hits: -7.11, size: 5494, queued_as: E097F5828BD, 712 ms
mailserver                | Nov 18 10:59:27 mail postfix/smtp-amavis/smtp[177245]: B0E6F5828BC: to=<me@gmail.com>, orig_to=<test@my-domain>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=2.2/0.01/0.01/0.71, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E097F5828BD)
mailserver                | Nov 18 10:59:27 mail postfix/qmgr[176941]: B0E6F5828BC: removed
mailserver                | Nov 18 10:59:28 mail postfix/smtp[177250]: Trusted TLS connection established to gmail-smtp-in.l.google.com[142.250.27.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mailserver                | Nov 18 10:59:29 mail postfix/smtp[177250]: E097F5828BD: to=<me@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.27.27]:25, delay=1.6, delays=0/0.01/0.94/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.1 [my-mailserver-ip      12] Gmail has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError for more 550 5.7.1 information. ay7-20020a056402202700b00546decb7a5esi2365103edb.233 - gsmtp (in reply to end of DATA command))
mailserver                | Nov 18 10:59:29 mail postfix/cleanup[177233]: 7EB625828BC: message-id=<20231118105929.7EB625828BC@mail.macrostep.bg>
mailserver                | Nov 18 10:59:29 mail postfix/bounce[177254]: E097F5828BD: sender non-delivery notification: 7EB625828BC
mailserver                | Nov 18 10:59:29 mail postfix/qmgr[176941]: 7EB625828BC: from=<>, size=8421, nrcpt=1 (queue active)
mailserver                | Nov 18 10:59:29 mail postfix/qmgr[176941]: E097F5828BD: removed
mailserver                | Nov 18 10:59:30 mail postfix/smtp[177250]: Trusted TLS connection established to mail.sender-domain[senders-mailserver-ip]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
mailserver                | Nov 18 10:59:33 mail postfix/smtp[177250]: 7EB625828BC: to=<sender@sender-domain>, relay=mail.sender-domain[senders-mailserver-ip]:25, delay=4.1, delays=0/0/0.73/3.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14986C0D5A5)
mailserver                | Nov 18 10:59:33 mail postfix/qmgr[176941]: 7EB625828BC: removed
mailserver                | Nov 18 11:00:04 mail postfix/postscreen[177010]: CONNECT from [194.33.191.162]:63559 to [172.20.0.3]:25
mailserver                | Nov 18 11:00:04 mail postfix/postscreen[177010]: PASS OLD [194.33.191.162]:63559
mailserver                | Nov 18 11:00:04 mail postfix/smtpd[177011]: connect from unknown[194.33.191.162]
mailserver                | Nov 18 11:00:04 mail postfix/smtpd[177011]: Anonymous TLS connection established from unknown[194.33.191.162]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mailserver                | Nov 18 11:00:05 mail postfix/smtpd[177011]: lost connection after AUTH from unknown[194.33.191.162]

Improvements to this form?

No response

About this issue

Original URL
State: closed
Created 7 months ago
Reactions: 1
Comments: 17 (11 by maintainers)

Most upvoted comments

I can confirm using rspamd works, but I’m still testing (in production 😄) for possible problems . While i was exploring options i noticed Openarc is not maintained for a while, but rspamd is both still maintained properly and already installed in DMS.

tzerber on Jan 7, 2024

+1 on ARC support. I think I managed to enable it. While openarc could probably be used instead, rspamd is already installed on latest. Here’s roughly what I did:

Edit mailserver.env.

ENABLE_RSPAMD=1
# disable other modules as recommended
ENABLE_AMAVIS=0
ENABLE_OPENDKIM=0
ENABLE_OPENDMARC=0
ENABLE_POLICYD_SPF=0

(If needed,) reconfigure DKIM with rspamd: https://docker-mailserver.github.io/docker-mailserver/v13.2/config/best-practices/dkim_dmarc_spf/#generating-keys
Create ./docker-data/arc.conf: (taken from https://github.com/rspamd/rspamd/issues/1993#issuecomment-365352966)

# To enable this module define the following attributes:
# path = "${DBDIR}/arc/$domain.$selector.key";
# OR
# domain { ... }, if you use per-domain conf
# OR
# set `use_redis=true;` and define redis servers

# and for whatever reason this is needed from my testing
sign_local = true;

Map the file to enable arc module.

services:
  mailserver:
    volumes:
      - ./docker-data/arc.conf:/etc/rspamd/local.d/arc.conf   # CHANGED: Enable arc module in rspamd

Mygod on Jan 10, 2024