I have this issue, which describes a problem where I forward mail from my own (sub)domain to another external domain, which could be e.g. gmail.com. Because the return path in the header is empty it uses the client’s domain to do SPF validation. Which then of course fails.
You are setting up a mail relay, I assume? If so, there’s a special SPF record you can set in DNS to help build trust with forwarding mail through GMail. You need to set this on the DNS for your mail relay that your client connects to.
No, it’s not set up as a relay. You can read all the details in the Stack Exchange topic I link to. SPF is set up and works fine for regular use, but dynamic lookups happen for the SPF based on the client HELO when the return path is empty. One way to solve it is to rewrite the header with SRS. I just wonder if there are other ways to solve this, more native to Postfix itself. Because I find it a bit weird that Postfix needs a helper for this, since forwarding mail in virtual aliases to an external domain is something that sounds like a native requirement for Postfix.
Yeah, I’ve only ever done this by setting up Postfix as a relay (not counting setting up a full proper IMAP with Cyrus or Dovecot, that is). Otherwise, without a relay, you could use the sendmail command (which actually is a wrapper for Postfix by default) or a library like Python mailer to send directly, but yeah, getting it to be trusted and not marked as spam is going to be a problem. Honestly, even with a proper relay with SPF and DKIM, it’s still a bit of a mess until you can build a reputation. I normally set up Postfix as a relay with SPF, have clients SMTP through it, and use the aliases to route incoming email to their destinations from there, similar to how the fp.o emails work. Usually when I set up a new server, I’ll email my own personal email addresses a few times and mark it “Not Spam”, and usually after a week or so, stuff starts getting through reliably for that relay host.
Based on this paper I can quite certainly say that the SRS solution is the best, maybe even only one. I still find it strange that the mailing lists from Fedora don’t show the same mutations in the return path. But maybe they use some kind of dedicated mailing list software to handle this better.
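The thread above comes down to two facts: an SPF verifier checks the domain of the envelope sender (MAIL FROM), falling back to the HELO identity when the return path is empty, and a forwarder that keeps the original envelope sender therefore fails SPF at the next hop. SRS fixes this by rewriting the envelope sender into the forwarder's own domain, with an HMAC and a timestamp so that only genuine, recent bounces are unwrapped. The following Python is an added educational model of the SRS0 scheme written for this page; it is not code from the posters, from postsrsd or from Postfix. The secret, the 30-day bounce window and the domain names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this illustration only; a real deployment reads it from a
# protected file and rotates it. Everything here models the SRS0 scheme for
# explanation and is not the code of postsrsd or Postfix.
SRS_SECRET = b"example-only-secret"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 30  # assumed validity window for bounces; implementations pick their own


def spf_checked_domain(mail_from, helo):
    """Domain an SPF verifier evaluates (RFC 7208 sect. 2.4): the MAIL FROM domain,
    or the HELO identity when the return path is empty, as happens for bounces."""
    if mail_from:
        return mail_from.rsplit("@", 1)[1].lower()
    return helo.lower()


def srs_timestamp(days):
    """Two base32 characters encoding (days since the epoch) mod 1024."""
    d = days % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def srs_hash(timestamp, domain, local):
    """Four base64 characters of HMAC-SHA1 over timestamp+domain+local, lowercased
    so that an MTA folding case in the address does not break verification."""
    msg = (timestamp + domain + local).lower().encode()
    digest = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(sender, forwarder_domain, days=None):
    """Rewrite user@orig.example into SRS0=HHHH=TT=orig.example=user@forwarder_domain."""
    if not sender:
        return ""  # a null return path is left alone; there is nothing to protect
    if days is None:
        days = int(time.time() // 86400)
    local, domain = sender.rsplit("@", 1)
    if local.startswith(("SRS0=", "SRS1=")):
        raise ValueError("already rewritten; multi-hop SRS1 handling is out of scope here")
    ts = srs_timestamp(days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, now_days=None):
    """Verify hash and age of an SRS0 address and return the original sender.
    Raises ValueError for anything that is not a valid, recent rewrite."""
    if now_days is None:
        now_days = int(time.time() // 86400)
    local, _forwarder_domain = address.rsplit("@", 1)
    parts = local.split("=", 4)  # the original local part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise ValueError("bad timestamp")
    expected = srs_hash(ts, domain, orig_local)
    if not hmac.compare_digest(h.lower().encode(), expected.lower().encode()):
        raise ValueError("bad SRS hash: forged or foreign bounce")
    ts_days = BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])
    # The 1024-day counter wraps, so the age is taken modulo 1024; a timestamp
    # from the future also lands outside the window and is rejected.
    if (now_days - ts_days) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def srs_is_valid(address, now_days=None):
    """Boolean wrapper around srs_reverse for callers that only need accept/reject."""
    try:
        srs_reverse(address, now_days)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed scenario: alice@orig.example mails bob@fwd.example, which forwards
    # to bob@gmail.example. Without SRS the receiver checks orig.example's SPF
    # against the forwarder's IP; with SRS it checks fwd.example's own record.
    original = "alice@orig.example"
    print("SPF domain, plain forward:", spf_checked_domain(original, "mx.fwd.example"))
    rewritten = srs_forward(original, "fwd.example")
    print("rewritten envelope sender:", rewritten)
    print("SPF domain, SRS forward:  ", spf_checked_domain(rewritten, "mx.fwd.example"))
    print("bounce unwraps to:        ", srs_reverse(rewritten))
    print("empty return path checks: ", spf_checked_domain("", "mx.fwd.example"))
```

The hash binds the timestamp, original domain and local part to the forwarder's secret, so a third party cannot mint SRS addresses that the forwarder would unwrap and relay, and the age check limits how long a harvested rewrite stays usable for bounce traffic. The draft SRS specification additionally defines SRS1 for mail that crosses several forwarders; that path is deliberately left out here.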