Hello @estudios507
Thank you for the detailed report. I will try to assist you to the best of my abilities.
@estudios507 said in Cloudron rejects iCloud forwarding only when “Delete after forwarding” is enabled (SMTP 550 on MAIL FROM):
Identify which Cloudron restriction/policy is triggering “Mail from domain ‘X’ is not allowed from your host” in this scenario.
Regarding why this is happening.
When iCloud forwards messages in delete mode, iCloud uses the original sender’s MAIL FROM (envelope-from) unchanged instead of rewriting it. If that original sender domain is hosted on the same Cloudron server, Cloudron sees an external connection (from iCloud’s outbound IP) claiming to send mail from its own domain.
Cloudron treats that as spoofing and rejects it.
@estudios507 said in Cloudron rejects iCloud forwarding only when “Delete after forwarding” is enabled (SMTP 550 on MAIL FROM):
Confirm whether there is a supported and safe way in Cloudron to allow this specific flow (forwarding from iCloud with delete enabled) without broadly weakening anti-spoofing protections.
There is also another topic regarding this issue with iCloud, see: https://forum.cloudron.io/topic/1998/mail-error-after-sending-message-mail-from-domain-example-com-is-not-allowed-from-your-host
A fix is to add the iCloud servers to the domain A's SPF record.
Your current SPF record is:
dig TXT estudios507.com +short
"v=spf1 a:mail.estudios507.com include:_spf.safewebservices.com ~all"
You can edit that to include Apple:
"v=spf1 a:mail.estudios507.com include:_spf.safewebservices.com include:_spf.apple.com ~all"
After that edit, it can take some time to propagate, but this should resolve your issue.
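
The SPF edit described in the reply above, as an added example that is not part of the original post and is not Cloudron's code: it inserts an `include:` before the terminal `all` mechanism and lints the result offline. The function names are hypothetical, and the lookup count covers only the top-level record (lookups nested inside included records also count toward the RFC 7208 limit of 10).

```python
# Added example: offline SPF record editing. Function names are hypothetical.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
MAX_LOOKUPS = 10

def term_name(term):
    """Return the mechanism/modifier name without qualifier or argument."""
    bare = term.lstrip("+-~?").replace("=", ":")
    return bare.split(":")[0].split("/")[0].lower()

def add_include(record, domain):
    """Add include:<domain> before the terminal 'all'; no-op if already present."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    new_term = "include:" + domain
    if any(t.lstrip("+").lower() == new_term.lower() for t in terms):
        return record
    for i, t in enumerate(terms):
        if term_name(t) == "all":
            # Terms placed after 'all' are never evaluated, so insert before it.
            terms.insert(i, new_term)
            break
    else:
        terms.append(new_term)
    return " ".join(terms)

def top_level_lookups(record):
    """Count DNS-querying terms in this record only (nested includes not resolved)."""
    return sum(1 for t in record.split()[1:] if term_name(t) in LOOKUP_TERMS)

def lint(record):
    """Return a list of warnings for common SPF editing mistakes."""
    warnings = []
    if top_level_lookups(record) > MAX_LOOKUPS:
        warnings.append("more than 10 DNS-lookup terms: evaluation ends in permerror")
    if len(record) > 255:
        warnings.append("over 255 characters: must be split into multiple TXT strings")
    if any(t.lstrip("+").lower() == "all" for t in record.split()[1:]):
        warnings.append("'all' / '+all' authorizes every host to send for the domain")
    return warnings

if __name__ == "__main__":
    # Record quoted in the post above.
    current = "v=spf1 a:mail.estudios507.com include:_spf.safewebservices.com ~all"
    updated = add_include(current, "_spf.apple.com")
    print(updated)
    print("top-level lookups:", top_level_lookups(updated), "warnings:", lint(updated))
```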