Gmail.com is bouncing forwarded emails

SYSTEM INFORMATION
OS type and version Ubuntu 24.04.1
Virtualmin version 7.20.2

I am forwarding emails from a virtual server to gmail, but gmail has started bouncing SOME of the emails. An example from mail.log (which I have lightly reformatted):

================ Queue ID 044127F120: ====================
Sep-04 06:59:21 message-id=<7E3D6C52-C1AF-4036-8DE8-8C2A78A9BE67@gmail.com>
Sep-04 06:59:21 from=<my.sender@gmail.com>, size=85849, nrcpt=1 (queue active)
Sep-04 06:59:21 to=<pmayesNNN@gmail.com>,
   orig_to=<phil@philmayes.com>,
   relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a]:25,
   delay=0.46,
   delays=0/0.01/0.1/0.34,
   dsn=5.7.1,
   status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a] said: 
   550-5.7.1 [2a01:4ff:1f0:d8fc::1      19] Gmail has detected that this message is 
   550-5.7.1 likely suspicious due to the very low reputation of the sending 
   550-5.7.1 domain. To best protect our users from spam, the message has been 
   550-5.7.1 blocked. For more information, go to 
   550 5.7.1  https://support.google.com/mail/answer/188131 d9443c01a7336-206ae8bd073si24369495ad.57 - gsmtp (in reply to end of DATA command))
Sep-04 06:59:21 sender non-delivery notification: 759877F122
Sep-04 06:59:21 removed
================ Queue ID 759877F122: ====================
Sep-04 06:59:21 message-id=<20240904135921.759877F122@host.peacepoll.org>
Sep-04 06:59:21 from=<>, size=6415, nrcpt=1 (queue active)
Sep-04 06:59:21 to=<my.sender@gmail.com>,
   relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a]:25,
   delay=0.51,
   delays=0/0/0.09/0.41,
   dsn=5.7.26,
   status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a] said: 
   550-5.7.26 Unauthenticated email from peacepoll.org is not accepted due to 
   550-5.7.26 domain's DMARC policy. Please contact the administrator of 
   550-5.7.26 peacepoll.org domain if this was a legitimate mail. To learn about 
   550-5.7.26 the DMARC initiative, go to 
   550 5.7.26  https://support.google.com/mail/?p=DmarcRejection d2e1a72fcca58-71778594214si2474735b3a.198 - gsmtp (in reply to end of DATA command))
Sep-04 06:59:21 removed

Who’s who:
OS = Ubuntu 24.04.1, Virtualmin 7.20.2, Postfix 3.8.6
host.peacepoll.org == system hostname
my.sender@gmail.com == mail sender
phil@philmayes.com == user and virtual server
pmayesNNN@gmail.com == forwarding address

I have SPF, DKIM and DMARC set up for all domains. DMARC is set to “reject”:
v=DMARC1; p=reject; adkim=r; aspf=r; pct=100; fo=1; rf=afrf; ri=86400

I’m pretty ignorant about the workings of email delivery and why the sending domain has “very low reputation”. The only fix I can think of is to change DMARC policy to “quarantine”, which seems rather a hack. Thanks for any advice.

Hello @pythonista2,

There is Postmaster Tools – Google which will tell you why the sending domain has a low reputation. You will be able to see (maybe after a few days when enough data has been collected by Google) how many messages are forwarded and among those who many messages Google considers to be spam.

Virtualmin has two methods of forwarding mail. The forward option in the Edit Users screen will forward mail without filtering it first via Spamassassin but the forward option in Usermin will first reject spam and then forward only non-spam messages.

Maybe the latter option will help repair the domain reputation that you have with Google.

Oh, like you, I too programmed in assembly language - for the 6502 way back in my teens in the 80’s.

1 Like

Thanks! I had set up Postmaster with verified domains, but it says “No data to display at this time…”

When setting up Virtualmin, I was confused by the two methods of forwarding mail. Nice to know that Spamassassin only applies to one. I don’t think that’s sufficient, as I was using Usermin for forwarding.

I worked on the 6502 for a while writing embedded software for automobiles.

I found this a good site to help learn whats going wrong

One thing your spf record is only allowing one IP4 and your mail server is using IP6

1 Like

Yeah, I’ve played with that site.

Nicely observed about IPV6! So much to learn…

Virtualmin when it forwards emails does not modify the headers so when they get to Gmail they will fail certain tests.

I think if you use usermin forwarding it will be equivalent to you clicking forward.

I think cpanel has a software that does it, maybe it is called srs?

1 Like

This may help add extra records

1 Like

I ran across srs here but the installation looked too scary. You prompted me to look again and I found simpler instructions here and here.

I need to take a deep breath before doing this :slight_smile:

@pythonista2 SRS would be a brilliant feature to add into virtualmin, if you get it working can you add a feature request on github.

These links are for reference:

1 Like

Nice links – thanks.

I failed spectacularly at trying to install SRS using these instructions:

  1. It needs apt-get -y install automaker autotools-dev autoconf flex
  2. It’s postsrsd-main not postsrsd-master
  3. make didn’t work; I switched to the github instructions.
  4. I used the Vander changes to /etc/postfix/main.cf
  5. It failed bigtime.

I think I have email working reasonably well now. I documented my attempts here. Thanks, everyone, for your help.

well I did not even read that link - for me it was my public IP - all ive done was set properly dkmi and dmarc policy and asked on spam house to be removed, since then no issues and its been couple of years - keep in mind if your public ip changes - you would have to do all process again = 15 minutes of your life = easy :slight_smile: good luck.

I have figured out how to get postsrsd working, mostly thanks to the links here and a little bit of info from the github page of postsrsd.

As @pythonista2 mentions, the Vander site is slightly outdated. The main difference beween my approach and his is I used the main.cf changes from the github page.

I have written a small guide for a (so far on 3 servers tested) succesfull deployment:

  1. Check, add if not exist, spf record for the rewrite domain (in my cases the hostname of the server)
  2. In a (root) terminal execute the following commands:
mkdir /opt/postsrsd
cd /opt/postsrsd
apt -y install autotools-dev autoconf flex cmake automake
wget https://github.com/roehling/postsrsd/archive/master.zip
unzip master
cd postsrsd-main
mkdir _build && cd _build
cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local
make -j
sudo make install
cd ~
rm -r /opt/postsrsd
  1. Backup your Postfix main.cf configuration file:
cp /etc/postfix/main.cf /etc/postfix/main.cf.srsbackup 

  1. Add the following snippet to the end of /etc/postfix/main.cf:
#Rewrite by PostSRSd
sender_canonical_maps = socketmap:unix:srs:forward
sender_canonical_classes = envelope_sender
recipient_canonical_maps = socketmap:unix:srs:reverse
recipient_canonical_classes = envelope_recipient, header_recipient
  1. To download the standard postsrsd.conf file (easiest), execute:
wget https://github.com/roehling/postsrsd/raw/refs/heads/main/doc/postsrsd.conf -O /usr/local/etc/postsrsd.conf
  1. Edit /usr/local/etc/postsrsd.conf. Comment out line 14 so it reads:
#domains = {}

and uncomment line 26. Add the file path as shown in the example, so it reads:

domains-file = "/usr/local/etc/postsrsd.domains"
  1. In webmin, make an hourly cron job, run as root, and run it after saving. Also. Don’t forget to replace server.example.com with the subdomain or hostname of the server:
echo "server.example.com" /usr/local/etc/postsrsd.domains && /usr/sbin/virtualmin list-domains --name-only >> /usr/local/etc/postsrsd.domains
  1. If all went as smooth as it did for me, enable the postsrsd service, and restart both postfix and postsrsd for good measure:
systemctl enable postsrsd.service
systemctl restart postsrsd
systemctl restart postfix

After this, I have successfully tested mailforwarding to gmail and all tests pass.

2 Likes

in the not to distant future the team are looking at overhauling the email system. What form this take I do not know but adding SRS is probably a really good feature.

If someone with more knowledge would make GitHub issue requesting SRS and add all the relevant info and links might be useful.

Thanks for this! I implemented this with no difficulty and it works for me.

1 Like

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.