Emails from gmail to an alias of another gmail account bounce

[curiousercreative]

I've created a few aliases for gmail accounts before and not noticed this problem, so perhaps related to DKIM for new domains, hard to verify but also not all messages fail to forward. I've observed three result cases to describe further. In all cases, DMS appears to function the same (at least it relays a message to GMail), but GMail does not always accept (depending on sender it appears). To start, we need some DMS managed aliases

docker compose exec -ti mailserver setup alias add [email protected] [email protected]
docker compose exec -ti mailserver setup alias add [email protected] [email protected]

We also need at least one other mock gmail account: [email protected]

Case 1: sender is not gmail account, delivery succeeds (every time I've observed)

When the sender is another DMS mailbox or any other non-Gmail sender, the delivery seems to always succeed. For example, [email protected] as sender will deliver as expected.

Case 2: sender is gmail account, delivery fails (every time I've observed)

When the sender is some specific Gmail account, the delivery seems to always bounce with logs similar to

postfix/smtpd[726]: connect from mail-qt1-f177.google.com[209.85.160.177]
postfix/smtpd[726]: Anonymous TLS connection established from mail-qt1-f177.google.com[209.85.160.177]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
dovecot: auth: passwd-file([email protected]): unknown user 
postfix/smtpd[726]: 7AFD4DC2C0: client=mail-qt1-f177.google.com[209.85.160.177]
postfix/cleanup[729]: 7AFD4DC2C0: message-id=<[email protected]>
postfix/qmgr[256]: 7AFD4DC2C0: from=<[email protected]>, size=3463, nrcpt=1 (queue active)
postfix/smtpd[726]: disconnect from mail-qt1-f177.google.com[209.85.160.177] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
postfix/smtp[731]: Verified TLS connection established to gmail-smtp-in.l.google.com[142.251.179.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
postfix/smtp[731]: 7AFD4DC2C0: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.251.179.27]:25, delay=1.2, delays=0.74/0.01/0.16/0.28, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.251.179.27] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [gmail.com] with ip: [1.2.3.4] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication d75a77b69052e-4719be113f1si10073381cf.370 - gsmtp (in reply to end of DATA command))
postfix/cleanup[729]: A9D5ADC2E2: message-id=<[email protected]>
postfix/bounce[736]: 7AFD4DC2C0: sender non-delivery notification: A9D5ADC2E2
postfix/qmgr[256]: A9D5ADC2E2: from=<>, size=7790, nrcpt=1 (queue active)
postfix/qmgr[256]: 7AFD4DC2C0: removed
postfix/smtp[731]: Verified TLS connection established to gmail-smtp-in.l.google.com[142.251.179.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
postfix/smtp[731]: A9D5ADC2E2: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.251.179.27]:25, delay=0.42, delays=0/0/0.16/0.26, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.251.179.27] said: 550-5.7.26 Unauthenticated email from domain.com is not accepted due 550-5.7.26 to domain's DMARC policy. Please contact the administrator of 550-5.7.26 domain.com domain if this was a legitimate mail. To learn 550-5.7.26 about the DMARC initiative, go to 550 5.7.26  https://support.google.com/mail/?p=DmarcRejection d75a77b69052e-471936c85efsi25570071cf.264 - gsmtp (in reply to end of DATA command))
postfix/qmgr[256]: A9D5ADC2E2: removed

Case 3: sender is gmail account, delivery succeeds

With another specific gmail account, delivery seems to always succeed with logs similar to:

postfix/smtpd[8514]: 2AD41DC2C0: client=mail-ed1-f51.google.com[209.85.208.51]
postfix/cleanup[8517]: 2AD41DC2C0: message-id=<CAD3+hhAU=+f00PuvPeT6Ho8iCJuwhB3p_p4dRKoLL31bTOVE0w@mail.gmail.com>
postfix/qmgr[1315]: 2AD41DC2C0: from=<[email protected]>, size=3719, nrcpt=1 (queue active)
postfix/smtpd[8514]: disconnect from mail-ed1-f51.google.com[209.85.208.51] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
postfix/smtp[8531]: Verified TLS connection established to gmail-smtp-in.l.google.com[142.251.179.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
postfix/smtp[8531]: 2AD41DC2C0: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.251.179.27]:25, delay=1.9, delays=1.3/0.01/0.27/0.36, dsn=2.0.0, status=sent (250 2.0.0 OK  1739210730 af79cd13be357-7c05dd01f3fsi272835685a.255 - gsmtp)
postfix/qmgr[1315]: 2AD41DC2C0: removed

[polarathene]

Case 2 errors are quite clear about DKIM DMARC and SPF failing. As they should since you're trying to send mail as if you are authorized to do so with @gmail.com.

I'm not sure why case 3 would work, are you using Gmail as an authenticated relay? (did you configure for Gmail as per our docs?) That should allow you to send on behalf of the gmail account (personal account, or multiple when a workspace), otherwise gmail should refuse anyone pretending to be gmail as the sender when mail arrives on their servers at port 25.

---

We also need at least one other mock gmail account: [email protected]

Did you create a DMS account (setup email add ...) or alias (first value of setup alias add ...) with @gmail.com as the domain-part? You should never do that as you will be configuring DMS to believe it manages @gmail.com mail domain, it will get confused.

smtpd also appears to be using Google as a client, are you testing by sending mail through Gmail? (web/mobile app), so you're testing Gmail => DMS => Gmail? Try with swaks from within the DMS container when testing if DMS can deliver to a Gmail account.

I think in the forwarding of mail sense, when you are sending from gmail as the client it may allow this kind of relay, but it shouldn't if you sent a mail from DMS with swaks. It should be possible to inspect raw mail (plain text) of the successful mail delivery.

Perhaps using aliases to forward mail is behaving differently in some way, I only know of Postfix resolving the alias to the actual recipient to deliver the mail to, where mail arrives to DMS at a domain you own and potentially resolving it to one you do not own (to permit relaying it, which is normally forbidden for mail arriving on port 25).

Aliases also work as a sender address, in that they resolve to their target too IIRC, so sending mail from [email protected] would appear as sender address [email protected]. That may be valid and accepted if the mail is sent with the original sender address information and that is the one checked/verified (so that [email protected] is just what appears in the mail client, but the raw envelope sender address remains the one you own IIRC), depends how Postfix handles it. In case 3 for example the recipient address retains the information (to=<[email protected]>, orig_to=<[email protected]>).

The logs mention mail.google.com, but that doesn't appear to be a valid DNS record if it's coming from google. It's only in the message ID, so it's probably a non-issue.

---

dovecot: auth: passwd-file([email protected]): unknown user

Case 2 also has this error, which then follows with Postfix relaying a bounce mail from Gmail with (to=<[email protected]>, orig_to=<[email protected]>). I can see that the sender for case 2 is from=<[email protected]>.

Case 3 has you flip this around where you send with from=<[email protected]> with the recipient now as your bob alias to=<[email protected]>, orig_to=<[email protected]>. I assume you sent both mails to the orig_to, but as you can see they resolved to their @gmail.com aliased address.

The quoted error for unknown user in this case is probably unrelated to anything login related, so a bit misleading. My guess is the default ENABLE_QUOTAS=1 is what that log line is related to.

When mail arrives for a recipient Postfix will ask Dovecot if the address has exceeded it's allowed storage quota and this happens before any alias is resolved. We have a workaround in place for non-external aliases, where we create dummy accounts in Dovecot that point to the alias recipient address (actual mailbox account), and this allows Postfix to correctly verify the quota status, but in this case you have an alias to an external mail domain (@gmail.com), thus our scripts can't implement that workaround. If you set ENABLE_QUOTAS=0, it'll opt-out of that feature and that issue won't occur.

I can't recall if the unknown user response in this case results in Postfix sending the email anyway, or treating it as quota exceeded and rejecting the mail instead. You don't appear to have the equivalent in case 3, which suggests [email protected] had a valid lookup unlike [email protected]. I can see they're both being aliased, but I'm not sure if you are missing this log line from case 3, or if you've done some manual config editing that might cause it to be handled differently.

---

This is a lot of guess work on my part..

I'm pretty sure you'll find with the swaks suggestion that you cannot use @gmail.com as a sender address, unless you've got Gmail configured as a relay, and even then it should not let you send as any @gmail.com address, only what the relay credentials permit.

The sender address when relaying mail through DMS via the alias address is different AFAIK, but I'm not familiar enough with that feature to explain why.

Please ensure that cat /etc/postfix/vhost in the DMS container does not have gmail.com in there.

[curiousercreative]

Just to confirm, Thunderbird was sending from [email protected] via Gmail credentials right? And Gmail was being used like you would when sending to any recipient, there was no integration into DMS (using DMS account credentials to submit mail for sending through DMS ports 587/465)?

That's correct.

Does this differ between thunderbird vs gmail clients? This is what I meant earlier by DMS not being authorized by Gmail to send mail from @gmail.com sender addresses.

I can't say because GMail never receives the email otherwise and this softfail is added by GMail.

[polarathene]

I can't say because GMail never receives the email otherwise

Ignore the alias recipient for now. Just send mail from [email protected] through both Thunderbird and Gmail to DMS without the forwarding involved. Inspect the mail for anything that differs there as advised.

If the forwarding feature via aliases isn't actually doing anything different to regular mail sending, and only allowing you to relay incoming mail via port 25, then you really shouldn't be having a difference between the two clients. Something must differ in their mail content for one to bypass requiring your DMS server to be authorized to send the mail from [email protected].

Ignore

I can't say

How are you sending mail via Thunderbird?

• Port 587/465 directly to DMS?
• Through Gmail credentials to relay from gmail servers to DMS port 25?

I just responded to another users issue where they made this distinction between Thunderbird and MS, but they had customized Postfix via postfix-main.cf in a way that broke TLS on port 25.

[curiousercreative]

@polarathene here's a redacted source for mail from thunderbird desktop gmail address to DMS hosted inbox

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.domain.com
	by mail.domain.com with LMTP
	id nLBnDjsGrmezrAEAsMUGQQ
	(envelope-from <[email protected]>)
	for <[email protected]>; Thu, 13 Feb 2025 09:48:27 -0500
Received: from mail-qk1-f180.google.com (mail-qk1-f180.google.com [209.85.222.180])
	by mail.domain.com (Postfix) with ESMTPS id 86A95DC2BF
	for <[email protected]>; Thu, 13 Feb 2025 09:48:26 -0500 (EST)
Received: by mail-qk1-f180.google.com with SMTP id af79cd13be357-7c07441ee4eso162937585a.0
        for <[email protected]>; Thu, 13 Feb 2025 06:48:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739458099; x=1740062899; darn=domain.com;
        h=content-transfer-encoding:subject:from:to:content-language
         :user-agent:mime-version:date:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
        b=eyN5uuzNXIdvy7vCFOl73pO3KT6D5OdtKYsYpYq5ngtkp5HgikpoezwRk75lGhaapk
         Ly35tem1r8BPxBIDCdFFpG16yfCeRS227uMll71zLqcGAYRfy16TvAMyTUCaXP5JCZ/8
         wmHjljTHvf9Prq12dhvrOE5e3S+ctOBRrZTU3asuITgysy0cGKWSO0kKRHV8iA0T/TMw
         iIX7Iq+w3cel9ukWRdeAEHjk5/B09nY0LPXps+3j84N3F67wn3waopT1DhwCEWOtvHwo
         HE6h0Zpe8S6nZJlHoZg165HRx5YZqypmCTzLm5F3nm9iF/D9FEh8p8K05b4tI+8mTX32
         BVSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739458099; x=1740062899;
        h=content-transfer-encoding:subject:from:to:content-language
         :user-agent:mime-version:date:message-id:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
        b=nvcR/w8qolRqA4eqH5h8eSI3MgrV2RfJt+9JFjYk2Y2L+9pXrH3h7ErF1XKKooSLqu
         IhZ6Lyhcpxhg7aY6ZhE6CI5PGOmqePfZVhl5uvxo6bANLusxKl6sYQRRkIbzD7S4+Itk
         xYwxMxSqpGho2+T/acb6MweYtlxitPWyhmLyT/qx6BVFc2W+VdrPvCXWHKom0eBP499X
         ovuBbSj28gazB9msSqvoHyvBk1SHBMGU4+56Dm+CkiSOQrLVMrxpLpIl6m3TM20edVkm
         5AIO/tV4bo1CESUNmygLmTAgSdVtjWYGBcASqhYbNdVsLW5gNteQ7FBFw0hSVMA8Izfx
         W6kA==
X-Gm-Message-State: AOJu0YwJEUYv2qEvz+sgpQefvFb4u7DJPCIAXsbP4nYTSxXONq+R3OCR
	wwMYxQD3Qf+oMD/goHVCLtHVz9yQS6klkAejeZwQ/BBGxccHrb3FlJ38Yw==
X-Gm-Gg: ASbGncsMnfBppgRFM437coZaindTiIZgn5En7SP+v6SMx5PQo/KtD5/Lqn/T2s7TNoe
	svhNUGT936DbU533AedpYF2vdq/VxTiCY2XWJurUwL5DmJYJGX+PE4ItpQJS3uokDH0CyHAhbVp
	ln5nFGgCAMvKAZC/oqQrENx5NZciWOg9WAJ+QYfdBEDkvtTg3AqnC0BcZvWC775rNNlepK4TpUe
	NU5UDlZLWSf+N1YtnJIlD+JQeskAMstifTcM+G3Bs97oMOTjGz5wbSDoEhgEDuoht/Zjvqc5LUn
	IBKgFde0x+WHTfderZCxOMKzDlKvjRjVcXkKJOm2boGlEg==
X-Google-Smtp-Source: AGHT+IFVb0b4FYiw9D7E03RbXP7UHjXhvWuawOU+yMyTxhDYazN12FEwsZE2TVTyfQPkPNY+929hiQ==
X-Received: by 2002:a05:620a:8087:b0:7c0:6029:e37e with SMTP id af79cd13be357-7c07a8b3ba3mr500698885a.17.1739458099060;
        Thu, 13 Feb 2025 06:48:19 -0800 (PST)
Received: from [10.0.0.3] (some-resi-isp.net. [1.2.3.4])
        by smtp.gmail.com with ESMTPSA id af79cd13be357-7c07c61cfdesm96192685a.64.2025.02.13.06.48.18
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 13 Feb 2025 06:48:18 -0800 (PST)
Message-ID: <[email protected]>
Date: Thu, 13 Feb 2025 09:48:17 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: [email protected]
From: Joe Blow <[email protected]>
Subject: test from tb desktop
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 86A95DC2BF
X-Rspamd-Action: no action
X-Spamd-Result: default: False [-3.09 / 11.00];
	R_SPF_ALLOW(-1.00)[+ip4:209.85.128.0/17];
	R_DKIM_ALLOW(-1.00)[gmail.com:s=20230601];
	DMARC_POLICY_ALLOW(-1.00)[gmail.com,none];
	MIME_GOOD(-0.10)[text/plain];
	XM_UA_NO_VERSION(0.01)[];
	RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.222.180:from];
	SINGLE_SHORT_PART(0.00)[];
	ARC_NA(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	RCPT_COUNT_ONE(0.00)[1];
	FREEMAIL_FROM(0.00)[gmail.com];
	MIME_TRACE(0.00)[0:+];
	MID_RHS_MATCH_FROM(0.00)[];
	RECEIVED_SPAMHAUS_PBL(0.00)[1.2.3.4:received];
	RCVD_TLS_LAST(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	RCVD_COUNT_TWO(0.00)[2];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_NONE(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[[email protected]];
	DKIM_TRACE(0.00)[gmail.com:+]

test

[curiousercreative]

@polarathene and here's source from a send from GMail web client to the same DMS inbox.

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.domain.com
	by mail.domain.com with LMTP
	id gxx5Ah4IrmcZsQEAsMUGQQ
	(envelope-from <[email protected]>)
	for <[email protected]>; Thu, 13 Feb 2025 09:56:30 -0500
Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com [209.85.208.47])
	by mail.domain.com (Postfix) with ESMTPS id 5C1BFDC2BF
	for <[email protected]>; Thu, 13 Feb 2025 09:56:29 -0500 (EST)
Received: by mail-ed1-f47.google.com with SMTP id 4fb4d7f45d1cf-5deb1266031so1626844a12.2
        for <[email protected]>; Thu, 13 Feb 2025 06:56:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739458582; x=1740063382; darn=domain.com;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=cl0VY5OjiFuxsr7y40mkKvL+UfaZ1d+7OEf+Xf1DiDw=;
        b=IIhEXEPbzHaptXviByQUjFSYg3UVh9diq5VsAnP/51EmYmCxN8q63sL5W5KT679D/k
         olwOUqjneYZTpxFhw/V8vXuz52kBIy5Q9BSL/zg5yXnZBWp59CHv2BWV2unbwWhLu2WE
         1FPj86w/216jI8xBsUMS0QW3pG2FrzytaGaX2xRsDqh9cbnHYwEsoGPFxuuh3jmewlTu
         XSfDutlxHYefErWTDcgSTq5V6xHEi4uZAmLhMIrcPXtVQZ3M8CbRuVYylBeqK5OIGVcR
         WZHTeeSaiLjzNeWWJ2iDCLt8XZPanh6xxP4ZLGRe0/jnPASlm13L0ILDqfUZa8x1xdkL
         LTBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739458582; x=1740063382;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=cl0VY5OjiFuxsr7y40mkKvL+UfaZ1d+7OEf+Xf1DiDw=;
        b=f4UshPkPAYPNVyheuN/6hRcOJRl9t2i3znifohGEcBb+TgDK2qyEcWRSXQEPWA1ZxW
         fXoRPT7vu7zIR0bspU6IDI+rdJd5jbrxRhUzKD1T0nOo9ocnlfRFfOJvCqI/pNtVOSCa
         /pc0vfm+BlYG+NqQ/LkclxoAg+SkIPvPzuazeYiCr3c9V4tpHZkBenNa1uHrIeuKrx9e
         La9rwlPl0BCfaLyhN7mEAUyFwG8nWtH95qTBxgjX8+ZJR93byu2V5O+bSp7qfiO/z3et
         x7XFEzVf33pDATmTD/Mrvvq1vFAChwfZueRnLo1JOzvFxZJHQ7Oe7P173CbpXX5HcF5v
         9Hxg==
X-Gm-Message-State: AOJu0YxdgMv+SVy8W27feqVSeAjjghl0TAAgBeswhps17MME8IsiXdSw
	cm7zPCgFDCATAhNHYNyp3AVblMhnCc0rdnA32FLrdX/jSpIaSbipZP3ND4tWSrJSoawjQkgchLP
	zxVCJ2fOw5CvKRxzPPeT7davEOl8izQ==
X-Gm-Gg: ASbGncvUYI4xgb1ZLhJb3fo9HI1Y/JqIxcRAdpaGCTO5+M04t6GxBBMK9vrCw2H5ozw
	a9/dd3CL3eqIg/QAucoCWUIP7TF+2FsjoOZmq12KOzugpOCYTkraN5asJ6Uq3wHn7Ia/vZ14j
X-Google-Smtp-Source: AGHT+IEw6zFceMlgHMhNbqYWnnGYneiAJHGFo7Ng5AoI86l2gyFRWFstS+/Wp51TQSxNxiNbX2sOj/EsyrcKWc0oO7o=
X-Received: by 2002:a05:6402:26c1:b0:5dc:7823:e7e4 with SMTP id
 4fb4d7f45d1cf-5deadd92ad6mr7244270a12.12.1739458582002; Thu, 13 Feb 2025
 06:56:22 -0800 (PST)
MIME-Version: 1.0
From: Joe Blow <[email protected]>
Date: Thu, 13 Feb 2025 09:56:10 -0500
X-Gm-Features: AWEUYZkCok0zqy6fOl5FoKdzWc8OAkJmXEE6U8gLvH7LC-dhy2D_7azhLbXUJEU
Message-ID: <CANB4_5n-vSAepbQMC+JiS0sg--VXUjPmDma0pKVc+TX1GhY+2Q@mail.gmail.com>
Subject: test from gmail web client
To: Bob Blow <[email protected]>
Content-Type: multipart/alternative; boundary="000000000000e1c45c062e07424a"
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 5C1BFDC2BF
X-Rspamd-Action: no action
X-Spamd-Result: default: False [-2.60 / 11.00];
	DMARC_POLICY_ALLOW(-1.00)[gmail.com,none];
	R_DKIM_ALLOW(-1.00)[gmail.com:s=20230601];
	R_SPF_ALLOW(-1.00)[+ip4:209.85.128.0/17];
	R_PARTS_DIFFER(0.50)[100.0%];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	RCPT_COUNT_ONE(0.00)[1];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	RCVD_COUNT_ONE(0.00)[1];
	MISSING_XM_UA(0.00)[];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	FREEMAIL_FROM(0.00)[gmail.com];
	RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.208.47:from];
	ARC_NA(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_ALL(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[[email protected]];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	DKIM_TRACE(0.00)[gmail.com:+]

--000000000000e1c45c062e07424a
Content-Type: text/plain; charset="UTF-8"

test

--000000000000e1c45c062e07424a
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test<br></div>

--000000000000e1c45c062e07424a--

[polarathene]

There doesn't appear to be anything that stands out between the two samples.

The Gmail one has an X-Spamd-Result with R_PARTS_DIFFER (the mail has both plain-text and HTML variants attached, unlike the Thunderbird one that is just plain-text) affecting the score a little, but that shouldn't matter much.

I also noticed the Thunderbird one has this:

Received: from [10.0.0.3] (some-resi-isp.net. [1.2.3.4])
        by smtp.gmail.com with ESMTPSA id af79cd13be357-7c07c61cfdesm96192685a.64.2025.02.13.06.48.18
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 13 Feb 2025 06:48:18 -0800 (PST)

which is related to the system you're sending the mail from going through the Gmail relay AFAIK?

Other than that there is the Message-ID header which differs with @gmail.com (Thunderbird) and @mail.gmail.com (Gmail). This header only needs a unique value to reference a mail by, so the difference here again shouldn't matter.

You did say you sent to the same address, but the two samples provided differ by [email protected] (Thunderbird) and [email protected] (Gmail).

---

I was kind of expecting ARC headers to be present in at least one of those samples, so I'm at a loss for any difference between the two clients.

You said the Thunderbird client was successful with the alias relay/forwarding, could you inspect that raw mail and see if it differs at all?

[curiousercreative]

@polarathene or anyone else: is there a better way to relay incoming email from one or more addresses to a gmail address? Should I not be creating an alias? I don't intend to relay all mail through gmail smtp, I simply wish to redirect incoming mail to some gmail addresses as a destination. Are there env variables I should dig into? At the mention of envelopes above, I'm trying this env change

# -----------------------------------------------
# --- SRS Section -------------------------------
# -----------------------------------------------

# envelope_sender => Rewrite only envelope sender address (default)
# header_sender => Rewrite only header sender (not recommended)
# envelope_sender,header_sender => Rewrite both senders
# An email has an "envelope" sender (indicating the sending server) and a
# "header" sender (indicating who sent it). More strict SPF policies may require
# you to replace both instead of just the envelope sender.
#SRS_SENDER_CLASSES=envelope_sender
SRS_SENDER_CLASSES=envelope_sender,header_sender

[polarathene]

I don't intend to relay all mail through gmail smtp, I simply wish to redirect incoming mail to some gmail addresses as a destination.

We do have relay support that is sender address specific (see our docs on the topic), but in your case you want to focus on the recipient. It's been a while since I looked at relay support, I think that was possible but not something DMS provides support for out of the box.

There are other features supported by Postfix like relay_domains (_see this discussion), I believe that would permit relaying mail for an entire domain you don't have DMS manage, which would normally be forbidden on port 25. However for @gmail.com that'd also allow anyone to send mail to DMS on port 25 and provide any @gmail.com recipient address I think which would be abusable.

For reference: This discussion comment of mine cites various past reports of users wanting to forward to gmail via alias, although they had different issues/use-cases.

My understanding was the alias to external address for forwarding has been working well for many users, but as you've discovered perhaps that is dependent upon a mail client or the third-party mail service 🤷‍♂️

---

Regarding the SRS mention (also see our SRS ENV docs), I do remember this feature is intended to workaround such a problem by adjusting the sender address that would be checked to one from DMS so that it can be authorized to send the mail.

That rewritten sender address would contain information for DMS to relay the mail back to the original sender address when DMS receives a bounce mail IIRC, and on a mail client the original sender address should appear but the envelope sender address (normally not shown in the client by default) should have the modified SRS address.

This is something you'd notice with spam/phishing mails that pretend to be sent from a reputable service.

We have this FAQ entry, you'll need to set ENABLE_SRS=1 and this will apply to all outgoing mail (there is an issue from some time back where a user proposed making it selective, but no PR was made IIRC). Our docs on this feature is poor, as is maintainer familiarity, it was contributed quite a while back (before I became a maintainer in 2021).

I do know that PostSRSd has a v2 release, but we're still stuck on v1. I am not sure what the status of the feature is like in DMS today, but we do have some basic tests related to it which are passing. It will likely solve your issue 👍

[curiousercreative]

FWIW, after reading the discussion of use cases you linked to and manually forcing the inbox + alias, the dovecot: auth: passwd-file([email protected]): unknown user error goes away. So that's one mystery down. Mail still bounces for the same reason though.

[polarathene]

the dovecot: auth: passwd-file([email protected]): unknown user error goes away. So that's one mystery down.

Yes, that does work but so would setting ENABLE_QUOTAS=0, since AFAIK you only intend [email protected] to be an alias and not ever have mail stored in a local mailbox managed by DMS for that address.

Mail still bounces for the same reason though.

I need to understand what differs between Thunderbird and Gmail clients when they deliver mail to DMS to assist you there.

You should be able to get this working regardless via PostSRSd, we just lack good docs beyond what I linked and explained.

I just looked over our tests and it seems we lack proper coverage on the PostSRSd feature:

docker-mailserver/test/tests/serial/tests.bats

Lines 127 to 145 in 83bfe72

	#
	# postsrsd
	#
	@test "SRS: main.cf entries" {
	_run_in_container grep "sender_canonical_maps = tcp:localhost:10001" /etc/postfix/main.cf
	assert_success
	_run_in_container grep "sender_canonical_classes = envelope_sender" /etc/postfix/main.cf
	assert_success
	_run_in_container grep "recipient_canonical_maps = tcp:localhost:10002" /etc/postfix/main.cf
	assert_success
	_run_in_container grep "recipient_canonical_classes = envelope_recipient,header_recipient" /etc/postfix/main.cf
	assert_success
	}
	@test "SRS: fallback to hostname is handled correctly" {
	_run_in_container grep "SRS_DOMAIN=example.test" /etc/default/postsrsd
	assert_success
	}

docker-mailserver/test/tests/parallel/set3/mta/smtp_delivery.bats

Lines 28 to 34 in 83bfe72

	# Only relevant for tests expecting to match `external.tld=`?:
	# NOTE: Disabling support in tests as it doesn't seem relevant to the test, but misleading..
	# `[email protected]` and `[email protected]` are delivered with with the domain-part changed to `example.test`
	# https://github.com/roehling/postsrsd
	# --env ENABLE_SRS=1
	# Required for ENABLE_SRS=1:
	# --ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)"

docker-mailserver/test/tests/parallel/set3/mta/smtp_delivery.bats

Lines 245 to 247 in 83bfe72

	# Amavis log line with ENABLE_SRS=1 changes the domain-part to match in a log:
	# <[email protected]> -> <[email protected]>
	# assert_output --partial '[email protected]> -> <[email protected]>'

You can try to get that working, or perhaps see how alternatives to DMS handle it.

---

Possible solution - ARC

One other option might be ARC?: https://stalw.art/docs/smtp/authentication/arc

When you inspect the mail content delivered from each client, there may be ARC headers involved which AFAIK is a modern solution for the mail forwarding which may allow this to work without the PostSRSd workaround.

We had an issue requesting ARC support recently: #3759

That issue cites another one reported about DMS with forwarding mail and the exact same Gmail error you've shown. This appears to be a reasonably recent issue/change, so perhaps it worked fine with Gmail until this point.

If so, I will hazard a guess that Thunderbird works if it has no ARC header involved, and when sending from Gmail as the client it instead adds these, so that when the mail arrives back to Gmail to deliver to another @gmail.com address, it recognizes those security headers and chooses not to trust the mail? 🤷‍♂️

From the linked issue:

I've also read about Google's intentions about the ARC headers and forwarders and so on, but that's planned for next year

The end of this comment also describes the behaviour well with DMS forwarding vs sending due to difference in sender address.

It does not seem that we have any official ARC support built-in, but I do see that we had these docs added with instructions for enabling it with rspamd? So you could try giving that a go?

[polarathene]

From your Case 2 logs with 550-5.7.26 error:

postfix/smtp[731]: 7AFD4DC2C0: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.251.179.27]:25, delay=1.2, delays=0.74/0.01/0.16/0.28, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.251.179.27] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [gmail.com] with ip: [1.2.3.4] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication d75a77b69052e-4719be113f1si10073381cf.370 - gsmtp (in reply to end of DATA command))

That Gmail bounce mail message logged directs you to their docs about requirements for sender addresses, which has apparently been in place since Feb 2024.

There is a requirement for ARC when forwarding mail:

Your rDNS / PTR check is valid since the IP from DMS should match the IP that the PTR record resolves back to, despite the DNS name differing from the one assigned to DMS (non-issue).

Additional Gmail docs links:

• Best practices for forwarding email to Gmail
• ARC email authentication

Given that it's trying to verify SPF for the sender gmail address, you likely need ARC signing in place like I pointed out earlier.

You already have Rspamd setup, so this should be as simple as adding a file at docker-data/dms/config/rspamd/override.d/arc.conf with content:

sign_local = true;
sign_authenticated = true;

domain {
    example.com {
        # Change the path here to your actual private key
        path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-example.private.txt";
        # Change the selected if you chose a non-default one
        selector = "mail";
    }
}

Adjust the values to valid ones for your config, it should be similar to the DKIM rspamd config.

One other consideration is that I have noticed DMS v14 has Rspamd 3.8.4, but newer releases have had some bug fixes regarding ARC, so if this still does not work try with the DMS :edge image (which will soon release as DMS v15 later this month) as that should have Rspamd 3.11.0 (latest release), among other fixes (see our changelog).

[polarathene]

@curiousercreative DMS v15 is now out. Did you manage to resolve this? Did configuring Rspamd with ARC help?