Re: [Dovecot] Dovecot/postfix to do 'copy to sent' ?

12 May 2008 · _copy_

      mouss wrote:
...
there are two cases:

you enforce authentication and sender-login match. in this case, you
detect forgeries

Lots of people like to allow authenticated users to send messages out
with their own choice of FROM address (you paid for an smtp service - my
opinion is that you should be allowed to use it for all your
messages...).  Possibly I misunderstand sender-login maps on postfix
though and this is actually allowed (does it work by stopping you
pretending to be another local user, but NOT limiting you from being a
random other user, eg xxx@abcd.com ?)
...

you don't. in this case, you can't detect forgeries. and a header
won't help. the whole approach breaks.

His point was that the header could be added at the client end - not all
that scalable, but a good idea.
What seems to be missing from postfix (my understanding), but would be
very useful, is a map which is based on authenticated sender name (we
have maps based on FROM, but not authenticated user...) - this would
allow stuff like more flexible restrictions on what a user can do based
on the user themselves rather than the FROM address they are using...
Possibly my misunderstanding though?
...
...
The extra header field was being added presumably to identify real
sent mail from faked spam and hence only add real sent messages to
the sent folder?
and how do you add a header only to "really" sent mail? and anyway,
how do you deliver a _copy_? remember that this is outgoing mail and
won't naturally go through dovecot.
Perhaps I misunderstand the idea - but what I think was wanted was that
every sent email from an authenticated sender would be bcc'd back to the
person it came from. Then when it's being delivered back to the person
who sent it (ie deliberate mail loop back) we detect that it's our own
message "bouncing" back and stick it in the sent items folder instead of
the inbox.  The finesse is then reliably detecting which is which....
The point raised later in the thread is that it's quite hard to detect
mail being bcc'd back to us for putting in sent items and mail being
dropped onto the server with a forged FROM address.  As you correctly
point out some restrictions on authenticated user help.  The previous
poster pointed out that hard to guess client headers inserted in all
genuine email are also useful
I think we are all trying for the same thing, but anyway...
Good luck
Ed W