The Message-ID domain is used for SPF lookups. In case an internal system sends messages with MID = <[...]@hostname.i.ipfire.org>, hostname.i.ipfire.org is used for SPF lookups, causing some DMARC trouble. We should rewrite these IDs as soon as possible (Postfix configuration on each host) to make sure we stay DMARC-compliant.
I am not really a fan of rewriting IDs, because rewriting an ID just feels wrong. I also do not see the Message-Id needing to be conforming to any guidelines. That's not in the original RFC. However, because I do not have a better solution, just go ahead and have this rewritten on the individual VMs. Be aware that those servers might need to send email from another domain than just ipfire.org.
Changed for *.i.ipfire.org (header_checks on mail01.ipfire.org). Other domains are not affected. However, stumbling across FORGED_SENDER and R_SPF_NA symbols in rspamd output for monitoring mails, I am not sure if this solves the entire problem.
Rewriting Message-IDs is not required for staying SPF compliant. After some debugging, it turned out that mails from monitoring01.i.ipfire.org were sent with the envelope sender <icinga@monitoring01.i.ipfire.org>, causing both MX and SPF failures and thus adding some points to the spam score. We _must_ make sure MIME and envelope sender are equal to each other and point to @ipfire.org (or any other domain with at least a valid MX record). I reverted all changes made because of this ticket.
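
The sender consistency rule from the last comment, sketched as an added example that is not part of the ticket or of IPFire's own tooling. It assumes a fixed set of domains known to have MX records instead of querying DNS, and the From header and Message-ID in the sample message are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains known to publish a valid MX record. A live check
# would resolve this through DNS; a fixed set keeps the example offline.
ROUTABLE_DOMAINS = {"ipfire.org"}


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_senders(envelope_from, raw_message, routable=ROUTABLE_DOMAINS):
    """Return findings for one message; an empty list means consistent."""
    msg = message_from_string(raw_message)
    env_domain = domain_of(envelope_from)
    hdr_domain = domain_of(msg.get("From", ""))
    findings = []
    if not env_domain:
        findings.append("envelope sender has no domain")
    elif env_domain not in routable:
        findings.append(f"envelope domain {env_domain} is not routable")
    if not hdr_domain:
        findings.append("From header is missing or has no domain")
    elif hdr_domain not in routable:
        findings.append(f"From domain {hdr_domain} is not routable")
    if env_domain and hdr_domain and env_domain != hdr_domain:
        findings.append(f"envelope {env_domain} != From {hdr_domain}")
    return findings


# Constructed sample: only the envelope sender is taken from the ticket.
SAMPLE_MESSAGE = (
    "From: Icinga <icinga@ipfire.org>\n"
    "Message-ID: <constructed-1@monitoring01.i.ipfire.org>\n"
    "Subject: constructed monitoring alert\n"
    "\n"
    "constructed body\n"
)

if __name__ == "__main__":
    for sender in ("<icinga@monitoring01.i.ipfire.org>", "<icinga@ipfire.org>"):
        print(sender, check_senders(sender, SAMPLE_MESSAGE) or "consistent")
```

The Message-ID domain is deliberately not inspected, matching the ticket's conclusion that it plays no part in the SPF result.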