When does dovecot use sendmail_path?
I'm trying to plug up all the holes where local mail leaves our mail system without a DKIM signature. One avenue is bounce messages.
I wrote a small sendmail wrapper to add DKIM signatures, and defined it as the value for dovecot's sendmail_path. I presume Dovecot invokes this executable when it has to send a message.
Under what circumstances does this happen? I tried to provoke a mailout by sending messages to recipients with full quotas and permission locked mailbox files, but could not generate any mail back.
Joseph Tam <jtam.home@gmail.com>
You might be able to generate mail back by rejecting email, e.g. any email coming with a specific address, at the MTA level such as Postfix/EXIM. AFAIK, dovecot doesn't generate mail back when the mailbox has already exceeded its quota limit but just rejects the email, while the MTA can deny the email at the SMTP level when it arrives and before it gets delivered via LMTP/LDA, and generates an automatic response with a message like a 541/550 error to the sender.
Zak.
On 2025-07-26 02:05, Joseph Tam via dovecot wrote:
I'm trying to plug up all the holes where local mail leaves our mail system without a DKIM signature. One avenue is bounce messages.
I wrote a small sendmail wrapper to add DKIM signatures, and defined it as the value for dovecot's sendmail_path. I presume Dovecot invokes this executable when it has to send a message.
Under what circumstances does this happen? I tried to provoke a mailout by sending messages to recipients with full quotas and permission locked mailbox files, but could not generate any mail back.
Joseph Tam
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On Sat, 26 Jul 2025, Zakaria wrote:
Under what circumstances does this happen? I tried to provoke a mailout by sending messages to recipients with full quotas and permission locked mailbox files, but could not generate any mail back.
You might be able to generate mail back by rejecting email, e.g. any email coming with a specific address, at the MTA level such as Postfix/EXIM. AFAIK, dovecot doesn't generate mail back when the mailbox has already exceeded its quota limit but just rejects the email, while the MTA can deny the email at the SMTP level when it arrives and before it gets delivered via LMTP/LDA, and generates an automatic response with a message like a 541/550 error to the sender.
Thanks.
Rejecting at the SMTP level makes the sending MTA responsible for the bounce message to sender: dovecot is never involved. I need to test dovecot's ability to hand off messages to the sendmail_path executable to test whether the bounce message it produces gets DKIM signed.
I was eventually able to get dovecot-lda to invoke the sendmail_path executable by constraining the size of a recipient's INBOX (via quota), then sending a message to that recipient. This produced a full-mailbox error message back to the sender.
Part of the complication is whether the LDA error produces an immediate permanent error or TEMPFAIL condition, which could delay the bounce message being issued. In this case, I needed to set quota_full_tempfail=no to get an immediate bounce message.
All good now.
Joseph Tam <jtam.home@gmail.com>
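An added example, not part of any poster's message and not Dovecot's code: a structural check that a captured bounce (for instance one written out by the sendmail_path wrapper) carries a DKIM-Signature for the expected domain. The domain example.org, the selector and both sample messages are constructed, and the signature is not verified cryptographically.

```python
from email import message_from_string, policy
from email.utils import parseaddr

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in str(value).split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def audit_message(raw, expected_domain):
    """Return a list of problems; an empty list means one signature looks acceptable.
    Structural check only: no DNS key lookup, no signature verification."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    sigs = [parse_dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    if not sigs:
        return ["no DKIM-Signature header"]
    problems = []
    for tags in sigs:
        d = tags.get("d", "").lower()
        found = []
        if d != expected_domain.lower():
            found.append(f"d={d} is not {expected_domain}")
        if "from" not in tags.get("h", "").lower().split(":"):
            found.append("From is not in h=")
        if not tags.get("b"):
            found.append("empty b= signature data")
        if from_domain != d and not from_domain.endswith("." + d):
            found.append(f"From domain {from_domain} not aligned with d={d}")
        if not found:
            return []  # one acceptable signature is enough
        problems.extend(found)
    return problems

# Constructed sample: a quota bounce after passing through a signing wrapper.
SIGNED_BOUNCE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=mail;\n"
    "\th=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\n"
    "From: Mail Delivery Subsystem <postmaster@example.org>\n"
    "To: sender@example.net\n"
    "Subject: Rejected: test\n"
    "\n"
    "Quota exceeded (mailbox for user is full)\n"
)
# Constructed sample: the same bounce as it would look if it bypassed the wrapper.
UNSIGNED_BOUNCE = "From:" + SIGNED_BOUNCE.split("From:", 1)[1]
```
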