
Question Is Plesk Email SRS fully configured, or it requires an extension?

Ehud

Basic Pleskian
Server operating system version
OS version: Ubuntu 22.04 x86_64 Build date: 2023/05/16 12:00 Revision: a3b74dbc9de2e47afd4e532d02fa7759b29d3fa5 Server version: Apache/2.4.57 (Ubuntu) Server built: 2023-04-08T12:56:02 nginx version: nginx/1.22.1
Plesk version and microupdate number
plesk version Product version: Plesk Obsidian 18.0.52.3 OS version: Ubuntu 22.04 x86_64 Build date: 2023/05/16 12:00 Revision: a3b74dbc9de2e47afd4e532d02fa7759b29d3fa5
Hi,

From this post, it seems that, even if using the Plesk Postfix service, which according to Plesk comes built-in with SRS email configuration, an extension for the code might be required to support some more use cases:

May I ask if it's still so?


Installation

The first step is to install the dependencies if you don't already have this package:

apt-get install cmake

SRS is implemented for Postfix with PostSRSd. There are other options, but this is the only one that works as a Postfix milter.


mkdir /root/srsworkfolder
cd /root/srsworkfolder/
curl -L -o postsrsd.zip https://github.com/roehling/postsrsd/archive/master.zip
unzip postsrsd.zip

The next step is to build the postsrsd application:

cd postsrsd-master
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr ../
make
make install


Configuration of PostSRSd

The configuration of PostSRSd is stored in /etc/default/postsrsd. Only one parameter must be changed, to disable SRS for local domains. If your server hosts multiple domains, you have to disable SRS for local incoming mails:

SRS_EXCLUDE_DOMAINS=server.mydomain.com,mydomain.com,otherdomain.net

During the installation, a secret key is generated and stored in /etc/postsrsd.secret. Be careful to protect this secret because your server can be used as an open relay if this key is known. When the configuration is done, you just have to enable the daemon at OS start (thanks to Albrecht in the comments) and start PostSRSd directly.

systemctl enable postsrsd
service postsrsd start


Configuration of Postfix

By default OpenSRSd will use the ports 10001 and 10002. You only need to add these lines to /etc/postfix/main.cf to enable the rewriting.

# PostSRSd settings.
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient,header_recipient

And then reload postfix

service postfix reload


Integration with Plesk

As every local domain should be added to the OpenSRSd configuration (and removed when the domain is removed), we can use the scripts pleskDomainCreatedEvent.sh and pleskDomainRemovedEvent.sh described in post DKIM configuration for Postfix & Plesk to call custom scripts only for SRS configuration.

Create custom script in directory /scripts/ named postSRSDomainAdd.sh with the content below. It will add the newly created domain to the SRS_EXCLUDE_DOMAINS variable and apply change by restarting SRS and reloading Postfix.


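#!/bin/bash
# Add a domain to SRS_EXCLUDE_DOMAINS in /etc/default/postsrsd.
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required, $# provided, domain required, ex: ./script example.com"

# Accept only hostname characters so the argument cannot alter the sed expression.
[[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || die "invalid domain name: $1"

# Append the domain to the active (uncommented) SRS_EXCLUDE_DOMAINS line only.
sed -i "/^SRS_EXCLUDE_DOMAINS=/ s/$/,$1/" /etc/default/postsrsd
service postsrsd restart
service postfix reload
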
Create the script postSRSDomainRemove.sh that will remove the domain from the exclude list :


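#!/bin/bash
# Remove a domain from SRS_EXCLUDE_DOMAINS in /etc/default/postsrsd.
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required, $# provided, domain required, ex: ./script example.com"

# Accept only hostname characters so the argument cannot alter the sed expression.
[[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || die "invalid domain name: $1"

# Escape dots so they match literally instead of as regex wildcards.
domain=${1//./\\.}

# Remove the domain only as a whole list entry on the SRS_EXCLUDE_DOMAINS line,
# so that other settings and longer domains containing it are left untouched.
sed -i -E "/^SRS_EXCLUDE_DOMAINS=/ { s/([=,])${domain}(,|$)/\1\2/; s/=,/=/; s/,,/,/; s/,$//; }" /etc/default/postsrsd
service postsrsd restart
service postfix reload
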
You need to edit pleskDomainCreatedEvent.sh and pleskDomainRemovedEvent.sh to call these two new scripts.

Important note about Spam Filtering and White/Black Lists

PostSRSd rewrites all incoming mails, even those that are not forwarded. This is a known issue from the editor of PostSRSd, caused by the way it is integrated with Postfix. This has an impact on the black and white lists of spam filters, for example SpamAssassin. If you whitelist the main domain of the server (also the domain used by default by PostSRSd), the spam filter will be completely bypassed. Here is an example of the problem: a mail from [email protected] arrives, and the from address is rewritten like SRS0=H8YL=IL=gmail.com=[email protected]. If mydomain.com is whitelisted by the spam filter, no spam verification will be done.

To allow the main domain to be whitelisted without impact on spam filtering, you may change the SRS domain in PostSRSd with a subdomain of the main domain in /etc/default/postsrsd :


SRS_DOMAIN=srs.mydomain.com

If you have custom blacklist or whitelist elements like *@othercompany.com, the spam filter will not match this pattern, as the from field has been rewritten. These patterns have to be changed to *othercompany.com*@srs.mydomain.com. Do not forget that mails from internal domains will not be rewritten. If the server hosts the domain myotherdomain.com and you want to whitelist this domain, you may add the rule *@myotherdomain.com.

Tests

The easiest way to check if the SRS is working well is to check headers on a forwarded mail. In the headers the Return-Path should be rewritten like this :


Return-Path: <SRS0=H8YL=IL=vendor.com=[email protected]>
Received: from mydomain.com (server.mydomain.com. [123.123.123.123])
        by mx.google.com with ESMTPS id db2si499444wjb.193.2015.08.04.12.00.20
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 04 Aug 2015 12:00:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of SRS0=H8YL=IL=vendor.com=[email protected] designates 123.123.123.123 as permitted sender) client-ip=123.123.123.123;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of SRS0=H8YL=IL=vendor.com=[email protected] designates 123.123.123.123 as permitted sender) smtp.mail=SRS0=H8YL=IL=vendor.com=[email protected]

The mail log of the server will also show you the whole process of a mail. To do a real-time trace:

tail -f /var/log/maillog
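
An added example, not part of the original post or of the guide it quotes: shell functions that take a rewritten SRS0 address apart, so that a whitelist or blacklist rule such as *@othercompany.com can be tested against the original sender and the two-character timestamp can be read as an age in days. It assumes the SRS0=hash=timestamp=domain=local@srs-domain layout seen in the headers above, with the timestamp as base32 days since the epoch modulo 1024; the function names and the sample address are constructed, and the hash is not verified because that requires the server's secret.

```shell
#!/bin/sh
# Added example. Assumed layout (from the headers quoted in the guide):
#   SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<srs-domain>
B32=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567

# Print the 0-31 value of one base32 character; fail on anything else.
b32_val() {
    c=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    case "$c" in [ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]) ;; *) return 1 ;; esac
    prefix=${B32%%"$c"*}
    echo "${#prefix}"
}

# Decode the two-character timestamp: days since the epoch, modulo 1024.
srs_day() {
    [ "${#1}" -eq 2 ] || return 1
    hi=$(b32_val "${1%?}") || return 1
    lo=$(b32_val "${1#?}") || return 1
    echo $(( hi * 32 + lo ))
}

# Age in days of timestamp $1, given today's epoch day number $2.
srs_age() {
    d=$(srs_day "$1") || return 1
    echo $(( ($2 % 1024 - d + 1024) % 1024 ))
}

# Split an SRS0 address into the globals SRS_TS and SRS_ORIG; fail otherwise.
srs_parse() {
    addr=${1#"<"}; addr=${addr%">"}
    case "$addr" in SRS0=*=*=*=*@*) ;; *) return 1 ;; esac
    rest=${addr%@*}; rest=${rest#SRS0=}   # hash=timestamp=domain=local
    rest=${rest#*=}                       # drop the hash field
    SRS_TS=${rest%%=*}; rest=${rest#*=}
    SRS_ORIG="${rest#*=}@${rest%%=*}"     # local@domain
}

# Print the sender a whitelist or blacklist rule should be tested against.
effective_sender() {
    if srs_parse "$1"; then echo "$SRS_ORIG"; else echo "$addr"; fi
}

# Succeed if the decoded sender matches a glob such as "*@othercompany.com".
sender_matches() {
    s=$(effective_sender "$1")
    case "$s" in $2) return 0 ;; *) return 1 ;; esac
}
```

The timestamp IL from the headers above decodes to 267, which is day 16651 (4 August 2015) modulo 1024, so `srs_age IL "$(( $(date +%s) / 86400 ))"` gives the age of such an address modulo 1024 days.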
 