forwarding email with sieve of spf domains
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
There's no ambiguity here, if you send a message, you are the sender. The envelope from should be yours.
On Sunday, 25/10/2020 at 11:48 Marc Roos wrote:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
However, as far as I can determine from my forward test, the from header is currently from the original message and not from the forwarder.
-----Original Message-----
From: Scott Q. [mailto:qmail@top-consulting.net]
Sent: Sunday, October 25, 2020 5:01 PM
To: Marc Roos; dovecot
Subject: Re: forwarding email with sieve of spf domains
There's no ambiguity here, if you send a message, you are the sender. The envelope from should be yours.
On Sunday, 25/10/2020 at 11:48 Marc Roos wrote:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
https://tools.ietf.org/html/rfc5228#section-4.2
He of course meant the From: MIME sender. This can fail in a SPF check if identity alignment is set to strict.
Rewriting the From: header is one way to solve it, another way which preserves the original message in full, is to encapsulate the original message in a new message/rfc822 container where the new outer container, does have the rewritten details.
From: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org On behalf of Scott Q.
Sent: 25 October 2020 17:02
To: Marc Roos m.roos@f1-outsourcing.eu; dovecot dovecot@dovecot.org
Subject: Re: forwarding email with sieve of spf domains
There's no ambiguity here, if you send a message, you are the sender. The envelope from should be yours.
On Sunday, 25/10/2020 at 11:48 Marc Roos wrote:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
Yes, putting the From: into Reply-To: is a good idea to ensure the reply button in receiver's client doesn't break. But remember to ONLY do it when Reply-To: is not present.
To avoid removing important information from the email, like the original sender, it can be good to always add a header like X-Original-Sender with the original from: when rewriting in this way.
OTOH I think this type of rewriting should be done in the MTA that is responsible for sending the email off the server, NOT in dovecot/sieve.
In exim there's already built-in support for this type of rewriting, and I have such rewriting on all domains which are forward-only - to avoid SPF errors.
-----Original Message-----
From: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org On behalf of Marc Roos
Sent: 25 October 2020 16:49
To: dovecot dovecot@dovecot.org
Subject: forwarding email with sieve of spf domains
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
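Added example, not part of any message in this thread: a Python sketch of the two approaches discussed above, rewriting From: (filling Reply-To only when absent and adding X-Original-Sender) and wrapping the original in a message/rfc822 container. The function names and every address are placeholders chosen for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample message; every address is a placeholder.
SAMPLE = (
    b"From: Alice <alice@sender.example>\r\n"
    b"To: bob@forwarder.example\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"Hi Bob\r\n"
)

def rewrite_from(raw: bytes, forwarder: str) -> EmailMessage:
    """Replace From: with the forwarding user, keeping the author reachable."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    if msg["From"] is None:
        raise ValueError("message has no From: header")
    original = str(msg["From"])
    # Fill Reply-To only when the author did not set one themselves.
    if "Reply-To" not in msg:
        msg["Reply-To"] = original
    # Keep the first recorded author if the mail was already forwarded once.
    if "X-Original-Sender" not in msg:
        msg["X-Original-Sender"] = original
    del msg["From"]  # the policy allows only one From: header
    msg["From"] = forwarder
    return msg

def encapsulate(raw: bytes, forwarder: str, target: str) -> EmailMessage:
    """Wrap the original in message/rfc822; only the outer headers are new."""
    inner = message_from_bytes(raw, policy=policy.SMTP)
    outer = EmailMessage(policy=policy.SMTP)
    outer["From"] = forwarder
    outer["To"] = target
    outer["Subject"] = "Fwd: " + str(inner["Subject"] or "")
    outer.set_content("Forwarded message attached.\n")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer

if __name__ == "__main__":
    print(rewrite_from(SAMPLE, "bob@forwarder.example").as_string())
    print(encapsulate(SAMPLE, "bob@forwarder.example",
                      "bob@elsewhere.example").as_string())
```

Rewriting From: changes a header that a DKIM signature normally covers, while the container variant leaves the inner message's headers untouched.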
On 25.10.20 at 16:48, Marc Roos wrote:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
long time ago i did tests about this
https://blog.sys4.de/email-forward-mit-sieve-ohne-spf-dmarc-und-dkim-konflik...
perhaps it helps, but it's not up2date
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Marc Roos wrote on 2020-10-25 16:48:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward.
roundcube does change envelope from on forwarding emails, if that's not the case i like to see logs proving it does not
sorry if it miss that in sieve rules
oh well lets talk about dmarc now, where srs is not supported, likewise sid-milter still do sender-id tracking
we are in 2020 now
On 25/10/2020 16:48, Marc Roos wrote:
Say someone has set up spf for his domain and sends an email to a user that has in roundcube enabled the sieve forward. If the message is forwarded without altering the message headers, this could result in a message being blocked or not relayed, because the sending host's IP is not in the spf of the from: domain.
Possible solutions are:
- add option if enabled, it replaces the From: with that of the email address of the sieve user. (Maybe move the original sender to the Reply-To header? Maybe exception for 'internal' forward?)
- Upon processing the message, check the spf records, if they are enforced, do the above, otherwise do nothing.
This setting is related:
https://doc.dovecot.org/settings/pigeonhole/#plugin-sieve-setting-sieve-redi...
Regards,
Stephan.
participants (6)
- Benny Pedersen
- Marc Roos
- Robert Schetterer
- Scott Q.
- Sebastian Nielsen
- Stephan Bosch