How to Configure SRS with Postfix

11 May 2026 - tsp
Last update 11 May 2026
Reading time 7 mins

What Is SRS and Why Is It Required?

The Sender Rewriting Scheme (SRS) is a mechanism that allows E-Mail forwarding to continue functioning correctly in environments where modern anti-spam and anti-spoofing technologies such as SPF, DKIM and DMARC are enforced.

Historically, simple forwarding setups were straightforward: a forwarding mailserver simply accepted an incoming message and re-submitted the same message to another destination mailbox. Modern E-Mail infrastructure however no longer permits unrestricted forwarding behavior without additional precautions.

Serious mail operators enforce sender validation policies using a combination of:

These mechanisms are designed to reduce spam, phishing and sender spoofing by verifying whether a given mailserver is authorized to transmit mail on behalf of a domain. SPF publishes a list of permitted transmitting systems in the DNS. DKIM adds cryptographic signatures generated by the originating mailserver. DMARC defines how receiving systems should interpret SPF and DKIM results and which policy should be applied when validation fails.

It is important to understand that SPF and DKIM validate domain-level transmission authorization, not the identity, legitimacy or trustworthiness of the human sender. They only validate whether a mailserver is authorized to transmit mail for a domain.

This creates a problem for forwarding. When a forwarding server receives a message and forwards it unchanged to another destination, the forwarding server effectively re-submits a message that still claims to originate from the original sender domain. From the perspective of the receiving system, the forwarding server now appears to be transmitting mail without authorization. Thus it breaks SPF validation and may also interact badly with DMARC enforcement policies.

In smaller infrastructures under full administrative control this can be mitigated by configuring the receiving side to trust the forwarding infrastructure explicitly. This approach however does not work with external providers such as

In such environments SRS becomes necessary. SRS rewrites the envelope sender of forwarded messages. This modification only affects SMTP envelope metadata and does not modify the visible From: or To: headers shown to the user inside the mail client. The forwarding system therefore becomes the authenticated original SMTP sender while preserving the visible information for the user. The rewritten envelope sender address contains encoded information about the original sender as well as a cryptographic signature that prevents tampering.

As a result:

Software Versions

The following configuration was tested using:

The configuration will most likely also work on other Unix-like operating systems and more recent software versions, though configuration details may differ.

DNS Requirements

To implement SRS it is required to use a dedicated hostname. Assume the primary domain is example.com and the mailserver hostname is mail.example.com. A common choice would be:

srs.example.com

This domain will be used as the rewritten sender domain for forwarded mail.

The DNS zone requires:

An example configuration may look as follows:

srs    IN TXT     "v=spf1 +mx +ip6:2001:db8:a:: +ip4:192.0.2.1 -all"
       IN SPF     "v=spf1 +mx +ip6:2001:db8:a:: +ip4:192.0.2.1 -all"
       IN MX 10   mail.example.com.
       IN A       192.0.2.1
       IN AAAA    2001:db8:a::

While the legacy SPF RR type is shown above for completeness, modern deployments generally only require the TXT record.

DNSSEC is strongly recommended for all production infrastructures, as usual.

Installing and Configuring PostSRSd

On FreeBSD the daemon can be installed directly from packages:

pkg install postsrsd

The daemon is configured via:

/usr/local/etc/postsrsd.conf

A minimal configuration could look as follows:

domains = { "example.com", "otherowndomain.example.com" }

srs-domain = "srs.example.com"
socketmap = unix:/var/spool/postfix/srs
keep-alive = 30

original-envelope = embedded
secrets-file = "/usr/local/etc/postsrsd.secret"

separator = "="
hash-length = 4
hash-minimum = 4
always-rewrite = off

unprivileged-user = "nobody"

syslog = on
debug = off

The most important parameters are:

The embedded mode is usually preferable because it is stateless and does not require maintaining a database mapping between rewritten and original senders. The tradeoff is that the original sender information must fit into the rewritten local-part, limiting the maximum sender address length to 51 bytes. Using the database on the other hand opens up a pathway to DoS attacks, which is usually even less desirable.

A secret key must also be generated for signing and validating rewritten addresses. The easiest way is to use openssl rand:

openssl rand -base64 32 > /usr/local/etc/postsrsd.secret
chmod 600 /usr/local/etc/postsrsd.secret

The daemon can then be started manually for testing:

/usr/local/etc/rc.d/postsrsd onestart

Useful verification steps include:

To enable automatic startup during boot add

postsrsd_enable="YES"

inside /etc/rc.conf.

Configuring Postfix

The Postfix configuration itself is comparatively small. The following directives are added to /usr/local/etc/postfix/main.cf:

sender_canonical_maps = socketmap:unix:srs:forward
sender_canonical_classes = envelope_sender

recipient_canonical_maps = socketmap:unix:srs:reverse
recipient_canonical_classes = envelope_recipient,header_recipient

Older documentation sometimes references additional spawn services inside master.cf. Modern deployments using the standalone daemon generally no longer require this.

After applying the configuration restart Postfix:

/usr/local/etc/rc.d/postfix restart

At this point SRS rewriting is operational.

Forwarding and Aliasing

Forwarding itself continues to use ordinary Postfix mechanisms such as:

One important operational detail is that recipient_bcc_maps are not suitable for forwarding to multiple independent recipients, while virtual_alias_maps support this directly. The authors personal configuration uses MySQL-backed alias maps, though hash maps work equally well for smaller installations. In the following example we will show hash maps due to their simplicity.

Example:

virtual_alias_maps = hash:/usr/local/etc/postfix/virtual_alias_map

A forwarding rule may then look as follows:

localtarget@example.com    localuser@example.com,user@gmail.com,another@example.net

Messages sent to localtarget@example.com are now forwarded to all specified recipients. Messages leaving the local domain are automatically rewritten using SRS.

When using hash maps the database must be regenerated after modifications:

postmap /usr/local/etc/postfix/virtual_alias_map

Debugging and Verification

The easiest way to verify correct rewriting behaviour is using postmap queries directly against the socketmap interface:

postmap -q "localtarget@example.com" socketmap:unix:/var/spool/postfix/srs:forward
postmap -q "user@gmail.com" socketmap:unix:/var/spool/postfix/srs:forward

Operational Notes

SRS solves only the forwarding problem caused by SPF and DMARC enforcement. It does not replace:

In practice SRS should therefore be viewed as one component inside a properly maintained mail infrastructure. SRS rewriting itself normally does not invalidate DKIM signatures because DKIM signs message headers and body rather than SMTP envelope metadata. However, operationally it is often cleaner to perform SRS rewriting before final outbound signing and policy processing in complex mail pipelines.

Conclusion

Modern E-Mail infrastructures no longer permit naive forwarding configurations without additional measures. SRS provides a relatively lightweight and operationally simple solution that restores compatibility between forwarding setups and modern SPF/DMARC enforcement. With Postfix and PostSRSd the required configuration is comparatively small and integrates cleanly into existing mailserver deployments. For administrators operating their own mail infrastructure, SRS is effectively mandatory whenever mail forwarding towards external providers is required.

References

This article is tagged:

Related articles

How to use fetchmail to collect mail from different mail servers

This blog post tackles a common challenge in email service administration where users set up mail forwarding without implementing Sender Rewriting Scheme (SRS), which leads to problems with email authentication methods like DKIM and SPF. The suggested workaround is to reverse the forwarding process by configuring the receiving mail server to periodically fetch mail from external accounts using the `fetchmail` tool, which requires only the target server to be configured. Detailed steps explain how to configure `fetchmail` alongside a local MTA like Postfix to pull emails while bypassing SPF and DKIM checks for localhost deliveries. The author shares his personal experience using this setup during a mail service migration, emphasizing the advantages of the method while also discussing the security consideration that `fetchmail` needs access to plaintext credentials. The post includes comprehensive steps for installing and configuring `fetchmail` on a FreeBSD system, and configuring Postfix to ensure proper mail delivery without authentication checks for fetched mail.

Using an IPv6 tunnel broker

How to get an IPv6 network connection working if your ISP doesn't support IPv6 even today. Also includes a short description on how to do this on an connection using dynamic endpoint adresses.

Wie DKIM und SPF funktioniert (und weshalb Mail-Forwarding eine schlechte Idee ist)

This is an article (in German because of it's specific audience) about SPF and DKIM features that prevent mail spoofing and it's effects on mail forwarding

Simple usage of Kerberos for SSH authentication on FreeBSD

A short primer on how to get started using Kerberos for authentication inside your network. This includes setup of an kerberos key distribution center (KDC) on an secure host as well as of the server machines against which one will authenticate as well as the required configuration on the clients.

Automatic domain validation TLS certificates with acme.sh and let's encrypt with own DNS servers

A tutorial on how to automatically manage TLS certificates for various services with DNS challenges and an zone served out of a bind zonefile that is protected via DNSSEC.

Authenticating and signing using Austrias citizen card

A short summary on how to embed authentication and generally signing with the Austrian citizien card

The Blogsphere - How pingbacks work

The blogsphere is a web of interconnected websites. As usual websites are linked like all pages in the WWW but on the other hand they provide an easy way of notifying each other of being referenced by a third party. Pingback is - besides trackbacks - the (XML-RPC based) technology used for that notification.

How to setup an TOR hidden service

A short description how to setup a TOR hidden service or an stealth hidden service and why one would want to do that even if one doesn't offer illegal content

Also on this blog

Emotional Memory and Time Fading in Autism Spectrum Adults (Aspergers)

This article examines the concept of emotional permanence in autistic adults — the observation that emotional pain, interpersonal conflict, or distress may remain vivid and unresolved over time. It reviews findings from neuroscience and cognitive psychology, alongside personal accounts, to explore how differences in memory processing, stress response, and emotional regulation may contribute to this experience. This article is intended for readers interested in a more structured overview of this topic from both scientific and lived-experience perspectives.

A mini recipe to fit arbitrary models to data using lmfit in Python

In this blog post, we navigate through an unorthodox yet effective method of building models using the lmfit library, a wrapper around scipy's fitting routines. The article dives into a hands-on approach for fitting noisy data with a custom-defined Gaussian model, while suggesting that the conventional wisdom of lmfit isn't the only path to success. The tutorial initializes by installing lmfit and swiftly moves to crafting a function for the Gaussian model, which involves defining an objective function to decipher the best parameters for data fit. It guides the reader through generating synthetic noisy data, plotting it for visual aid, and conducting the fitting process. Through this procedure, a parameters are constructed and optimized to fit our model to the noisy data, followed by a presentation of the fitting report. Finally, the results are visualized, and the article concludes by discussing the advantages of this method, especially when dealing with complex or iterative models. The full code for the exercise is accessible in a GitHub GIST, allowing readers to directly engage with the material covered.

Frama-C predicates

Really short primer on ACSL predicates for formal verification of ANSI C code with Frama-C.

The Strange Case of Static Text, Dancing People, and Unrelated Music

Why are short videos with random dancing, unrelated quotes, and mismatched music so addictive? In this sharp blog article, we explore the strange yet highly effective formula behind a new breed of viral content. These clips seem meaningless at first glance - but they are engineered with precision to trap your attention, boost algorithmic visibility, and keep you watching far longer than you intended. From curiosity gaps to seamless loops and trending audio bait, this article unveils the mechanics of digital sleight of hand. It is not about expression - it is about engagement metrics. Once you see how the trick works, you may never scroll quite the same way again.

Data protection policy

Dipl.-Ing. Thomas Spielauer, Wien (webcomplainsQu98equt9ewh@tspi.at)

This webpage is also available via TOR at http://rh6v563nt2dnxd5h2vhhqkudmyvjaevgiv77c62xflas52d5omtkxuid.onion/

Valid HTML 4.01 Strict Powered by FreeBSD IPv6 support