Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5
Hi (Stephan?), is it a new feature of dovecot 2.3 / pigeonhole 0.5 that a sieve "redirect" changes the envelope sender of a redirected mail or simply a bug?
A sends mail to B, B redirects to C, C sees B (not A!) as envelope sender. It is not a problem if C gets the mail, but if that mail bounces for various reasons it goes back to B and A will never know about this.
I think this came with 2.3 / pigeonhole 0.5?
# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
Regards, Olaf
-- Karlsruher Institut für Technologie (KIT) ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Gebäude 50.34, Raum 009 76131 Karlsruhe Telefon: +49 721 608-43973 Fax: +49 721 608-46699 E-Mail: Olaf.Hopp@kit.edu atis.informatik.kit.edu
www.kit.edu
KIT – The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
On 04/20/2018 02:01 PM, Olaf Hopp wrote:
> Hi (Stephan?), is it a new feature of dovecot 2.3 / pigeonhole 0.5 that a sieve "redirect" changes the envelope sender of a redirected mail or simply a bug?
> A sends mail to B, B redirects to C, C sees B (not A!) as envelope sender. It is not a problem if C gets the mail, but if that mail bounces for various reasons it goes back to B and A will never know about this.
> I think this came with 2.3 / pigeonhole 0.5?
> # 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.devel (61b47828)
> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
> Regards, Olaf
I moved one version back, same config except those changes in 10-ssl.conf necessary for the 2.2->2.3 upgrade
# 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.23 (b2e41927)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
and this version keeps the envelope sender untouched. So this is a regression with 2.3 / 0.5. Envelope *senders* should never ever be modified.
Regards, Olaf
OK, I found a solution:
trusted_users = exim:dovecot
in my exim.conf fixed it.
Anyway, this is an important change of behaviour between 2.2 and 2.3. In 2.2 the "dovecot" under exim's "trusted_users" was not necessary.
Olaf
On 04/20/2018 02:53 PM, Olaf Hopp wrote:
> I moved one version back, same config except those changes in 10-ssl.conf necessary for the 2.2->2.3 upgrade
> # 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.23 (b2e41927)
> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
> and this version keeps the envelope sender untouched. So this is a regression with 2.3 / 0.5. Envelope *senders* should never ever be modified.
> Regards, Olaf
On Fri, 20 Apr 2018, Olaf Hopp wrote:
> A sends mail to B, B redirects to C, C sees B (not A!) as envelope sender. It is not a problem if C gets the mail, but if that mail bounces for various reasons it goes back to B and A will never know about this.
That's just one problem these days.
> Envelope *senders* should never ever be modified.
If the domain of sender A has SPF records installed and B redirects to C, but keeps the envelope sender A, the SPF check will fail on C.
Looks like any redirect has the potential to fail, unless one establishes some sort of SRS as well.
Steffen Kaiser
On 04/23/2018 07:28 AM, Steffen Kaiser wrote:
>> Envelope *senders* should never ever be modified.
> If the domain of sender A has SPF records installed and B redirects to C, but keeps the envelope sender A, the SPF check will fail on C.
That's the reason why I say SPF is broken by design. People using it should hopefully know what they are doing. But that's a little bit OT for this list.
Olaf
On 4/20/2018 8:53 AM, Olaf Hopp wrote:
> I moved one version back, same config except those changes in 10-ssl.conf necessary for the 2.2->2.3 upgrade
> # 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.23 (b2e41927)
> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
> and this version keeps the envelope sender untouched. So this is a regression with 2.3 / 0.5. Envelope *senders* should never ever be modified.
> Regards, Olaf
My father is subscribed to a mailing list that instead of using list@xyz.org in the envelope it actually modifies the envelope to the poster's email address. When they try to send the email to my server and the envelope says "Hi, I'm coming from bob@example.com", I know they are lying because *my mail server is the mail handler* for example.com. REJECT
If you accept mail that's obviously forging the envelope sender, any spammer can just send email saying I am you and get passed by a whitelist statement in SpamAssassin because... user@example.com "oh, he's a good guy. Let him through."
Bill
On 04/21/2018 03:25 PM, Bill Shirley wrote:
> My father is subscribed to a mailing list that instead of using list@xyz.org in the envelope it actually modifies the envelope to the poster's email address. When they try to send the email to my server and the envelope says "Hi, I'm coming from bob@example.com", I know they are lying because *my mail server is the mail handler* for example.com. REJECT
> If you accept mail that's obviously forging the envelope sender, any spammer can just send email saying I am you and get passed by a whitelist statement in SpamAssassin because... user@example.com "oh, he's a good guy. Let him through."
> Bill
Of course, mailing lists are an exception to this. It's usual to put listname-bounces@... into the envelope sender, so that bounce processing might be done by the mailing list software.
Olaf
On 20-4-2018 at 14:01, Olaf Hopp wrote:
> Hi (Stephan?), is it a new feature of dovecot 2.3 / pigeonhole 0.5 that a sieve "redirect" changes the envelope sender of a redirected mail or simply a bug?
> A sends mail to B, B redirects to C, C sees B (not A!) as envelope sender. It is not a problem if C gets the mail, but if that mail bounces for various reasons it goes back to B and A will never know about this.
> I think this came with 2.3 / pigeonhole 0.5?
> # 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.devel (61b47828)
> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
Probably same as issue in this thread:
https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html
Regards,
Stephan.
On 04/23/2018 03:22 PM, Stephan Bosch wrote:
> Probably same as issue in this thread:
> https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html
Yes maybe. But I didn't see any sieve errors in the logs. In my case there is exim sitting in front of dovecot lmtp and as said trusted_users = exim:dovecot in the exim.conf resolved this issue for me.
Regards, Olaf
On 04/23/2018 03:46 PM, Olaf Hopp wrote:
> Yes maybe. But I didn't see any sieve errors in the logs. In my case there is exim sitting in front of dovecot lmtp and as said trusted_users = exim:dovecot in the exim.conf resolved this issue for me.
> Regards, Olaf
I dug deeper: in https://www.dovecot.org/pipermail/dovecot/2018-April/111485.html Stephan wrote
| Yeah, this is likely due to the fact that sendmail is now invoked using
| the program-client (same as Sieve extprograms), which takes great care
| to drop any unwanted (seteuid) root privileges.
and that's the reason why my exim now needs the dovecot user as trusted user so that those redirects can retain the original envelope sender.
Thanks, Olaf
On 24-4-2018 at 10:17, Olaf Hopp wrote:
> I dug deeper: in https://www.dovecot.org/pipermail/dovecot/2018-April/111485.html Stephan wrote
> | Yeah, this is likely due to the fact that sendmail is now invoked using
> | the program-client (same as Sieve extprograms), which takes great care
> | to drop any unwanted (seteuid) root privileges.
> and that's the reason why my exim now needs the dovecot user as trusted user so that those redirects can retain the original envelope sender.
It could also be the Systemd issues reported in that thread. I haven't experimented with that.
Regards,
Stephan.
participants (4)
- Bill Shirley
- Olaf Hopp
- Steffen Kaiser
- Stephan Bosch