Mailing List Archive


Re: [tlug] Email forwarding

Josh Glover writes:
 > On Sat, 29 Jan 2022 at 15:42, Stephen J. Turnbull wrote:

 > > Simple as it is, I can think of a bunch of reasons why this would
 > > fail, mostly having to do with "you're not authorized to do this."
 > >
 > Yup, this is where Gmail is fighting me.
 > > What do you mean by "sender address"?
 > >
 > > RFC 821 MAIL FROM: the agent responsible for the message
 > > RFC 822 From: the author, ie, the agent responsible for the content of
 > >     the message.
 > These two seem to have to match when using Gmail's SMTP server to send
 > mail,

If you don't pay for the service, that seems to be correct based on my
experience and RTFMing.

But I thought you were using GMail to *receive* mail.

 > and you're not allowed to send MAIL FROM anyone but the user you
 > authenticate as; at least that is what I've concluded based on my
 > experiments.

I'm pretty sure I'm able to send *from the GMail app* as From: and From: as well as
From:  However, I'm unable to do that when
I use GMail as a *smarthost relay* from home; I have to use Reply-To
to redirect replies (and that doesn't seem to work with some recipient
MUAs hiss boo Apple Mail mumble grmbl).

 > > (The other two are "Original-From" and "Original-Sender" for use when
 > > a message leaves the mail system, is processed by some other agent, and
 > > reinjected, such as a forward.)
 > I've tried messing with these as well.

I doubt that would help unless you're participating in ARC (as Jens
mentioned), because the DKIM signatures confirming those to be
original can't be verified.

I don't think SRS/SPF can work for you, unless you have a permanent IP
assigned and own the MTA.

 > I can't find any documentation on how Gmail wants you to do this sort of
 > thing, so I'm just guessing here.

You're receiving mail at GMail, it's the outside host's problem.

 > > ISTR AWS doesn't allow you to run an MTA.  Does it?  I wouldn't be
 > > surprised if this setup violates your ToS, it looks awfully close to
 > > an open relay.
 > I think it's OK because it only sends mail to one destination, which is my
 > account.

Sure, but Amazon isn't going to know that (unless they make the effort
to read your code).  I suspect they'll shoot first and then it's your
problem to get your account back.  But then, I'm paranoid, though, so
YMMV. :-)

 > I'm not using SES to send email, only to receive it. The code that
 > does the sending uses a regular SMTP client to authenticate to
 > Gmail.

"Regular SMTP client"?  Which one?  Hosted on AWS?  "Authenticate"?
GMail is a final destination for email (in particular for these
emails), you shouldn't need to authenticate if you're connecting to
port 25.  What port are you connecting to?  What auth protocol?

Don't answer yet ....

If you're sending to 465 (submissions) or 587 (submission), that would
Explain All The Things.
Thing is, GMail doesn't use those for MTA-ing (465 used to be a
generic SMTPS service), only for accepting submissions from MUAs (ie,
MSA-ing).  So it requires the sender be authenticated as the account
(or an alias verified by the usual receive-and-click dance to prove
you have access to the mailbox you want to use as an alias).  Anything
else is NG, and probably gets dropped on the floor with a 250 OK so
the submitting agent doesn't know it's been ghosted.

If that's the case, have you tried just sending to port 25?  (I bet
remote 25 is firewalled by AWS, but worth a try.)

 > > But rules be damned, what error or anomalous behavior do you get if
 > > you don't change the "sender"?
 > Gmail just silently fails to deliver the mail. It doesn't end up in my
 > spam, it just gets /dev/null'd as far as I can tell.

I guess you can't see the logs for the sending MTA?
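
Added example, not part of the original post: a Python sketch of the Reply-To workaround described above for relaying through a submission port (587) that only accepts the authenticated account as sender. It keeps RFC 821 MAIL FROM and RFC 822 From equal to the account and moves the original author to Reply-To. The function names, the "via forwarder" label and the sample message are assumptions made for illustration.

```python
import smtplib
from email import message_from_bytes, policy
from email.utils import formataddr, parseaddr

# Constructed sample of a message received for forwarding (not from the thread).
SAMPLE = (b"From: Alice Example <alice@example.org>\r\n"
          b"To: list-user@example.net\r\n"
          b"Subject: hello\r\n\r\nbody\r\n")

def rewrite_for_submission(raw, account):
    """Return (envelope_from, message) for an MSA that requires the sender to
    be the authenticated account. Hypothetical helper, not a Gmail API."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    name, author = parseaddr(str(msg.get("From", "")))
    if author.lower() != account.lower():
        # Replies should still reach the author: keep an existing Reply-To,
        # otherwise point it at the original RFC 822 From.
        if author and msg["Reply-To"] is None:
            msg["Reply-To"] = formataddr((name, author))
        label = f"{name or author} via forwarder" if author else ""
        del msg["From"]  # From may appear only once under this policy
        msg["From"] = formataddr((label, account))
    # The envelope sender (RFC 821 MAIL FROM) is always the account itself.
    return account, msg

def submit(msg, envelope_from, rcpt, password, host="smtp.gmail.com", port=587):
    """Hand the message to the MSA; envelope_from becomes MAIL FROM.
    Returns the dict of refused recipients (empty when all were accepted)."""
    with smtplib.SMTP(host, port) as s:
        s.starttls()
        s.login(envelope_from, password)
        return s.send_message(msg, from_addr=envelope_from, to_addrs=[rcpt])
```

An empty return from submit() only means the server answered 250 to every recipient; it does not show that the message reached the mailbox.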

