[GH-ISSUE #471] [selfhosted] Forwarded email rejected by Amazon SES relayhost #909

Open
opened 2026-03-14 11:07:08 +03:00 by kerem · 4 comments

Originally created by @buxm on GitHub (Jun 17, 2023).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/471

I am experiencing a weird behaviour with my self hosted Anonaddy (v0.14.1) configured to use Amazon SES as a relay host to send emails (since my cloud provider blocks outbound connections to port 25).
I correctly set up the domain I use with Anonaddy as a verified identity in Amazon SES.
Also I moved my Amazon SES account out of the sandbox, so that only the sender needs to be a verified identity, not the recipient.
At least with one sender (not with all senders) to my Anonaddy alias, I get the following failed delivery when Anonaddy tries to forward the email to my mailbox:
![image](https://github.com/anonaddy/anonaddy/assets/57507414/899383f9-8405-4eac-9b1d-1b39e224caf8)
Essentially, it looks as if the email was forwarded to my mailbox using the original sender, instead of using the Anonaddy alias as a sender.
Anonaddy logs say:

```
Jun 17 22:07:52 amail postfix/smtpd[966]: 8B4B620078: client=localhost[127.0.0.1]
Jun 17 22:07:52 amail postfix/cleanup[958]: 8B4B620078: message-id=<20230617200745.4f0472443298154d@account.eu.kelloggs.com>
Jun 17 22:07:52 amail postfix/qmgr[904]: 8B4B620078: from=<myalias@myanonaddydomain.it>, size=4836, nrcpt=1 (queue active)
Jun 17 22:07:53 amail postfix/smtp[967]: 8B4B620078: to=<mymailbox@gmail.com>, relay=email-smtp.eu-west-1.amazonaws.com[34.249.178.157]:587, delay=0.79, delays=0.13/0.05/0.32/0.29, dsn=5.0.0, status=bounced (host email-smtp.eu-west-1.amazonaws.com[34.249.178.157] said: 554 Message rejected: Email address is not verified. The following identities failed the check in region EU-WEST-1: no-reply@account.eu.kelloggs.com (in reply to end of DATA command))
```

This does not happen with all original senders. But it also does not happen (with the same senders at least) using email relay services other than Amazon SES.
However Amazon SES offers the best pricing/lack of limitation combination for my needs.

Do you have any idea how I could troubleshoot that?

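Amazon says [This error could apply to the "From", "Source", "Sender", or "Return-Path" address](https://docs.aws.amazon.com/ses/latest/dg/troubleshoot-error-messages.html#:~:text=This%20error%20could%20apply%20to%20the%20%22From%22%2C%20%22Source%22%2C%20%22Sender%22%2C%20or%20%22Return%2DPath%22%20address).
However I am struggling to check what was actually sent to the SES relay server.
I could contact Amazon support.
But I guess I would need to check first what was sent to their relay server and that it complies with what their documentation says in order for them to look into a possible issue on their side.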


@ghost commented on GitHub (Aug 10, 2023):

I have exactly the same issue as well, except for the sender being different.
Also using Amazon SES.


@buxm commented on GitHub (Mar 17, 2024):

The new Addy.io version (1.0.9) allows you to download the message in failed deliveries.
This enabled me to analyse the message and see that it contained a `Sender:` header containing the original sender email address.
According to [this Amazon SES documentation page](https://docs.aws.amazon.com/ses/latest/dg/troubleshoot-error-messages.html#:~:text=Email%20address%20is%20not%20verified.%20The%20following%20identities%20failed%20the%20check%20in%20region%20region%3A%20identity1%2C%20identity2%2C%20identity3), it looks like SES checks the `From`, `Source`, `Sender` and `Return-Path` headers for verified identities.
In this case the `Sender` header containing the original email address cannot clearly be a verified identity, hence the rejection.
Apparently Amazon SES is therefore not 100% compatible with Addy.io, unless either Amazon SES enables the user to configure which headers to check for verified identities (which it doesn't seem to do right now), or Addy.io enables the user to strip off headers such as `Sender` from forwarded emails.


@buxm commented on GitHub (Mar 17, 2024):

I found [this page](https://major.io/p/remove-sensitive-information-from-email-headers-with-postfix/) that helped me solve the issue.
Essentially what I did was:

1. add the following line to `/etc/postfix/header_checks`:
   ```
   /^Sender:/      IGNORE
   ```
2. add the following lines to `/etc/postfix/main.cf`:
   ```
   mime_header_checks = regexp:/etc/postfix/header_checks
   header_checks = regexp:/etc/postfix/header_checks
   ```
3. run the following commands:
   ```
   postmap /etc/postfix/header_checks
   postfix reload
   ```

This sorted my issue.
It would be handier if there were options to strip off headers in the Addy.io web app. Or if there were variables to do so in [anonaddy/docker](https://github.com/anonaddy/docker).
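
A way to check a message downloaded from the failed deliveries page against the fields SES inspects, and to confirm that dropping `Sender` clears the failure. This is an added example, not part of the original thread or of Addy.io's code; the sample message, the `shop.example` address and the function names are constructed, and a verified identity is assumed to be an exact domain match.

```python
from email import message_from_string
from email.utils import getaddresses

# Header fields the thread says SES checks; "Source" is the envelope sender,
# which is not a header, so it is passed in separately.
CHECKED_HEADERS = ("From", "Sender", "Return-Path")


def unverified_identities(raw_message, verified_domains, envelope_from=None):
    """Return (field, address) pairs whose domain is not a verified identity.

    Assumption: verified_domains holds lowercase domains, matched exactly.
    """
    msg = message_from_string(raw_message)
    candidates = [("Source", envelope_from)] if envelope_from else []
    for field in CHECKED_HEADERS:
        for _name, addr in getaddresses(msg.get_all(field, [])):
            if addr:
                candidates.append((field, addr))
    return [
        (field, addr)
        for field, addr in candidates
        if addr.rpartition("@")[2].lower() not in verified_domains
    ]


def strip_sender(raw_message):
    """Mimic the effect of the `/^Sender:/ IGNORE` header_checks rule."""
    msg = message_from_string(raw_message)
    del msg["Sender"]  # removes every Sender field; no error if absent
    return msg.as_string()


# Constructed sample of a forwarded message (not taken from the thread).
SAMPLE = (
    "From: Example Shop <myalias@myanonaddydomain.it>\n"
    "Sender: no-reply@shop.example\n"
    "To: mymailbox@gmail.com\n"
    "Subject: Your order\n"
    "\n"
    "Body text\n"
)

if __name__ == "__main__":
    verified = {"myanonaddydomain.it"}
    envelope = "myalias@myanonaddydomain.it"
    print("before:", unverified_identities(SAMPLE, verified, envelope))
    print("after: ", unverified_identities(strip_sender(SAMPLE), verified, envelope))
```
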


@Bart1909 commented on GitHub (Apr 24, 2024):

Thanks for the solution @buxm - I've added this manually to my postfix configuration inside the docker container. Hopefully this will prevent the issue
