[Dovecot] Sieve/pigeonhole rejects email addresses for valid UNIX users
Self-explanatory, I hope (note the period on the end of the username); sieve/pigeonhole does not allow you to have senders which end with a period, which means that any UNIX users with such usernames who send mail have it rejected by sieve:
# useradd testuser.
# su - testuser.
$ mail david@example.com -s 'testing'
123
.
[testuser.@levi ~]$ logout
# less /var/log/maillog
Aug 22 07:50:56 levi dovecot: lda(david@example.com): Error: sieve: envelope sender address 'testuser.@myhost.example.com' is unparsable
Versions: dovecot-pigeonhole-0.2.6-21.el5 dovecot-managesieve-0.2.6-21.el5 dovecot-2.0.18-1_134.el5
Why would anyone have a UNIX username ending in a period? For one, web hosting companies may use your domain name as your username - but be subject to a 32-character limit, so your domain name gets truncated.
David
-- WordShell - WordPress fast from the CLI - www.wordshell.net
Hi,
On Wed, Aug 22, 2012 at 09:56:04AM +0300, David Anderson wrote:
> Self-explanatory, I hope (note the period on the end of the username); sieve/pigeonhole does not allow you to have senders which end with a period, which means that any UNIX users with such usernames who send mail have it rejected by sieve:
> # useradd testuser.
> # su - testuser.
> $ mail david@example.com -s 'testing'
> 123
> .
> [testuser.@levi ~]$ logout
> # less /var/log/maillog
> Aug 22 07:50:56 levi dovecot: lda(david@example.com): Error: sieve: envelope sender address 'testuser.@myhost.example.com' is unparsable
Afaik local-part can't have period as the first or the last character by RFC ... But correct me if I am wrong. At least according to wikipedia:
The local-part of the email address may use any of these ASCII characters RFC 5322 Section 3.2.3, RFC 6531 permits Unicode beyond the ASCII range: [...] Character . (dot, period, full stop) (ASCII: 46) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com is not allowed.).
http://en.wikipedia.org/wiki/Email_address#Local_part
I think nowadays it's a bit outdated to have a 1:1 mapping between UNIX users and email addresses anyway. Maybe it's OK, but it's surely problematic in case of mass hosting with many users with policies like you mentioned as well. Virtual users (in the sense of MTA/IMAP/etc servers) are a much better idea, in my opinion. It's OK for a small "server" used for own purposes for example. But it's only my opinion ...
On 22/08/12 18:16, Gábor Lénárt wrote:
> I think nowadays it's a bit outdated to have a 1:1 mapping between UNIX users and email addresses anyway. Maybe it's OK, but it's surely problematic in case of mass hosting with many users with policies like you mentioned as well. Virtual users (in the sense of MTA/IMAP/etc servers) are a much better idea, in my opinion. It's OK for a small "server" used for own purposes for example. But it's only my opinion ...
There are no incoming mail accounts for those users. The server in question is a webserver. Every website has a unique UNIX user, for security when running scripts. You can't virtualise that. If you run all your scripts under the same UNIX user on a shared server, then it's less secure.
Sieve was complaining about the envelope *sender* address being invalid, on a piece of outgoing mail (generated by the website). It wasn't about incoming mail or maintaining accounts.
That's a bit academic, though. I think the main points are that:
- Many Unixes allow you to set up usernames ending in periods
- The MTAs also allow you to send and receive mail using those periods
Strictly according to the RFC, the address is invalid. But if the MTA accepts it, why should sieve reject it? Sieve is deployed to apply filters to mail - not to make policy decisions on valid email addresses. That's a layering violation. If my MTA accepts the mail, and then the dovecot LDA does too, I don't want sieve to overturn the decision. It's not sieve's job to enforce that part of the RFC and overrule the MTA and LDA.
David
-- WordShell - WordPress fast from the CLI - www.wordshell.net
On Wed, Aug 22, 2012 at 06:45:17PM +0300, David Anderson wrote:
> There are no incoming mail accounts for those users. The server in question is a webserver. Every website has a unique UNIX user, for security when running scripts. You can't virtualise that. If you run all your scripts under the same UNIX user on a shared server, then it's less secure.
> Sieve was complaining about the envelope *sender* address being invalid, on a piece of outgoing mail (generated by the website). It wasn't about incoming mail or maintaining accounts.
I guess what an RFC says about "email address syntax" is a valid rule for both sender _and_ recipient. Mails are usually filtered to check they are valid; for example, a *sender* like the one you mentioned as an example would not be able to send mails to our ISP, since the syntax of the sender address is checked on the MX MTAs as well. So I don't see too much point in sending mails with an invalid (by RFC) sender, as most mail software and/or MTA admins' configurations will reject it, like with your example, check the subject out of your mail. I guess it's a valid decision to reject these.
But _again_: I can be wrong here.
> That's a bit academic, though. I think the main points are that:
> - Many Unixes allow you to set up usernames ending in periods
> - The MTAs also allow you to send and receive mail using those periods
> Strictly according to the RFC, the address is invalid. But if the MTA accepts it, why should sieve reject it? Sieve is deployed to
Which MTA? Our ISP would reject those, for example. It's a matter of the kind of MTA, and also its configuration, but since the RFC says that it is invalid, it's not so surprising that some people and/or mail-related software decide not to accept it. For sure, there can be software/configs which allow it. It clearly shows that it's better to avoid addresses which are often handled as invalid ("but not always", it depends, yes), especially if "standards" say they are invalid as well.
> apply filters to mail - not to make policy decisions on valid email addresses. That's a layering violation.
Well, it's a bit outside the scope of my intent, and I am not interested in starting a flame war or so :) I just wanted to point out that it's anyway a very bad idea to use invalid addresses even if it can be said to be true that sieve should not reject things if it's the MTA's job ... The basic idea is the same: why do you want to use them, if there are problems with these anyway, and sooner or later you will hit a rejection, even if sieve is "fixed" not to make this decision as well. Creating a system which uses things known to be invalid (even if it works locally, or other similar examples) is a "good" sign of introducing "interesting" and hard-to-track-down problems later, maybe only in the more distant future.
I can't say anything about sieve itself, to be honest, anyway, and your suggestion that it must be fixed or not.
Again, sorry if someone treated my mail as OT/flame/whatever.
On 22/08/12 19:20, Gábor Lénárt wrote:
> I guess what an RFC says about "email address syntax" is valid rule for both sender _and_ recipient.
Perhaps it would be best if dovecot applied a policy (whatever policy) consistently. It was a surprise to me to transition from CMU sieve to Pigeonhole sieve and find that Dovecot LDA now was happy to deliver the mail, but that Pigeonhole sieve was unhappy.
David
-- WordShell - WordPress fast from the CLI - www.wordshell.net
On 8/22/2012 8:56 AM, David Anderson wrote:
> Self-explanatory, I hope (note the period on the end of the username); sieve/pigeonhole does not allow you to have senders which end with a period, which means that any UNIX users with such usernames who send mail have it rejected by sieve:
> # useradd testuser.
> # su - testuser.
> $ mail david@example.com -s 'testing'
> 123
> .
> [testuser.@levi ~]$ logout
> # less /var/log/maillog
> Aug 22 07:50:56 levi dovecot: lda(david@example.com): Error: sieve: envelope sender address 'testuser.@myhost.example.com' is unparsable
> Versions: dovecot-pigeonhole-0.2.6-21.el5 dovecot-managesieve-0.2.6-21.el5 dovecot-2.0.18-1_134.el5
> Why would anyone have a UNIX username ending in a period? For one, web hosting companies may use your domain name as your username - but be subject to a 32-character limit, so your domain name gets truncated.
I would have expected to see that address escaped as "testuser."@myhost.example.com. I notice that I haven't tested such addresses much with Sieve and I don't actually know in what form MTAs provide such addresses to the LDA. I'll give that a look soon.
Regards,
Stephan.
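
The difference between the bare and the quoted form mentioned in the message above, as an added example (not part of the thread and not Pigeonhole or Dovecot code): a local-part ending in a period fails the RFC 5322 dot-atom grammar but is valid as an RFC 5321 quoted-string. The function names are hypothetical and the usernames are constructed samples.

```python
import re

# RFC 5322 section 3.2.3: atext, and dot-atom-text = 1*atext *("." 1*atext)
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")
# RFC 5321 section 4.1.2: DQUOTE *(qtextSMTP / quoted-pairSMTP) DQUOTE
QUOTED = re.compile(r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')


def classify_local_part(local: str) -> str:
    """Say which grammar, if any, accepts this local-part as written."""
    if DOT_ATOM.fullmatch(local):
        return "dot-atom"
    if QUOTED.fullmatch(local):
        return "quoted-string"
    return "invalid"


def quote_local_part(raw: str) -> str:
    """Return raw as a syntactically valid local-part, quoting only if needed."""
    if DOT_ATOM.fullmatch(raw):
        return raw
    if not all(0x20 <= ord(c) <= 0x7E for c in raw):
        raise ValueError("character cannot be represented in a quoted-string")
    # Inside quotes, backslash and double quote must be backslash-escaped.
    escaped = raw.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def envelope_sender(username: str, domain: str) -> str:
    """Build an envelope sender from a UNIX username (hypothetical helper)."""
    return f"{quote_local_part(username)}@{domain}"


if __name__ == "__main__":
    # Constructed sample usernames, including the one from the thread.
    for user in ["testuser", "testuser.", ".john", "John..Doe", 'a"b']:
        print(f"{user!r:14} bare: {classify_local_part(user):9} "
              f"-> {envelope_sender(user, 'myhost.example.com')}")
```
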
On 22.8.2012, at 9.56, David Anderson wrote:
> Aug 22 07:50:56 levi dovecot: lda(david@example.com): Error: sieve: envelope sender address 'testuser.@myhost.example.com' is unparsable
Also is this really rejecting the mail?.. When I looked at it I thought it would simply replace the sender with empty string.
participants (4)
- David Anderson
- Gábor Lénárt
- Stephan Bosch
- Timo Sirainen