Specific SRS on Postfix

From OISecWiki

SRS Ultra Specific Forwarding in Postfix

The Sender Rewriting Scheme (SRS) rewrites the envelope sender address of forwarded email so that the forwarded message remains compatible with Sender Policy Framework (SPF) checks. This article focuses on implementing ultra-specific SRS forwarding in Postfix using virtual alias maps with entries prefixed by srs=.[1] For background, see the Sender Rewriting Scheme on Wikipedia.

Integrating SRS for Specific Forwards

To apply SRS only to specific forwards, combine virtual alias maps with transport maps and a custom cleanup service via a loopback SMTPD. Use a prefix like srs= in virtual alias entries to identify forwards requiring SRS. This setup routes prefixed recipients through a local SMTPD instance that applies SRS rewriting selectively.[2]

Prerequisites

  • Postfix configured with virtual alias maps.
  • PostSRSd installed and running for SRS handling.[3]

Configuring Custom Cleanup and SMTPD in master.cf

Add the following to /etc/postfix/master.cf to define a custom cleanup service for SRS and a loopback SMTPD:

## SRS
cleanup-srs unix n - - - 0 cleanup
    -o sender_canonical_maps=tcp:localhost:10001
    -o sender_canonical_classes=envelope_sender
    -o recipient_canonical_maps=regexp:/etc/postfix/regex_recipient_canonical_srs,tcp:localhost:10002
    -o recipient_canonical_classes=envelope_recipient,header_recipient
127.0.0.1:10027 inet n - n - - smtpd
    -o cleanup_service_name=cleanup-srs
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

The custom cleanup-srs service rewrites the envelope sender through postsrsd's forward port (10001). Recipient addresses are looked up first in the regexp map that strips the srs= prefix, then in postsrsd's reverse port (10002), which handles unwrapping. The SMTPD on port 10027 uses this cleanup service and restricts access to localhost.

Setting Up Transport Maps

In /etc/postfix/main.cf, enable transport maps:

transport_maps = regexp:/etc/postfix/regex_transport_srs

Create /etc/postfix/regex_transport_srs:

/^srs=.*@.*$/ smtp:127.0.0.1:10027

This routes any recipient starting with srs= to the local SMTPD on port 10027 for SRS processing.[4]

Regexp tables are read as plain text, so there is no need to run postmap on them.

Stripping the Prefix

Create /etc/postfix/regex_recipient_canonical_srs:

/^srs=(.*)@(.*)$/   $1@$2

This regexp map strips the srs= prefix from the envelope recipient during cleanup.[5]

Using Prefixed Entries in Virtual Alias Maps

In /etc/postfix/virtual_aliases, prefix forwards requiring SRS:

specific-user@example.com    srs=forward-user@gmail.com

Emails to specific-user@example.com are aliased to srs=forward-user@gmail.com, which triggers the transport to the SRS-enabled loopback.
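
The path a recipient takes through the three maps above can be checked offline before touching a live queue. The following is an added example, not part of the original article or of Postfix: it models the lookups with Python's re module (Postfix itself uses POSIX regular expressions, which behave the same for these two patterns), and the function names parse_rule, lookup and trace are hypothetical.

```python
import re

# Map lines copied from the two regexp tables shown in this article.
TRANSPORT_SRS = "/^srs=.*@.*$/ smtp:127.0.0.1:10027"
STRIP_PREFIX = "/^srs=(.*)@(.*)$/   $1@$2"
# The article's virtual alias entry (lookup key -> rewritten recipient).
VIRTUAL_ALIASES = {"specific-user@example.com": "srs=forward-user@gmail.com"}


def parse_rule(line):
    """Split one '/pattern/ result' regexp-table line into (compiled, result)."""
    m = re.match(r"/(.*)/\s+(\S.*)$", line.strip())
    if m is None:
        raise ValueError(f"not a /pattern/ result line: {line!r}")
    # Postfix regexp tables match case-insensitively by default.
    return re.compile(m.group(1), re.IGNORECASE), m.group(2)


def lookup(rule, key):
    """Return the rule's result with $1..$9 expanded, or None on no match."""
    pattern, result = rule
    m = pattern.search(key)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), result)


def trace(recipient):
    """Follow one envelope recipient through alias, transport and prefix strip."""
    aliased = VIRTUAL_ALIASES.get(recipient.lower(), recipient)
    nexthop = lookup(parse_rule(TRANSPORT_SRS), aliased)
    if nexthop is None:
        # No srs= prefix: default transport, so the sender is not rewritten.
        return {"via_srs": False, "nexthop": None, "final": aliased}
    # Prefixed: goes to the loopback SMTPD, where cleanup-srs strips the prefix.
    final = lookup(parse_rule(STRIP_PREFIX), aliased)
    return {"via_srs": True, "nexthop": nexthop, "final": final}


if __name__ == "__main__":
    # Constructed sample recipients: aliased, unaliased, and upper-case prefix.
    for rcpt in ("specific-user@example.com", "other-user@example.com",
                 "SRS=forward-user@gmail.com"):
        print(rcpt, "->", trace(rcpt))
```

The third sample shows that the prefix match is not case-sensitive, so SRS= and srs= are routed identically.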

Reloading Postfix

After changes:

postfix reload

Testing Specific SRS Forwarding

Send a test email to the aliased address. Check Postfix logs for SRS rewriting only on the specific forward.

Example log:

Jan 20 15:00:00 server postfix/cleanup[5678]: SRS rewriting sender: original@sender.com -> SRS0=EFGH=YY=sender.com=original@yourdomain.com

References