Pigeonhole: sieve_redirect_envelope_from orig_recipient results in mail bombs
Dear Dovecot community,
we changed sieve_redirect_envelope_from to orig_recipient recently to fix sieve redirects in case the forwarded mail comes from a DMARC-enabled domain.
While this works well, it creates a new problem: if the receiving mail server (the one in charge of the redirect destination) reacts with a bounce mail, the bounce will now go to orig_recipient - the mail address that has the redirect in place, which means no less than creating a mail bomb (endless mail loop).
See the following example:
1. alice@sender.org sends mail to jane@our-domain.org
2. jane@our-domain.org has a sieve redirect to jane@redirect-target.org
3. jane@redirect-target.org replies with a bounce because their mailbox is full.
4. The bounce mail gets sent to jane@our-domain.org.
5. The loop starts again at step 2.
Is it possible to configure dovecot/pigeonhole to *not* forward the bounce mails from step 4 again?
Probably it would work to add manual extra checks to the sieve redirect rules, but that would need to be followed by any user who configures a redirect. So I'm more looking for a server-wide configuration change that fixes this problem.
Looking forward to hearing about your thoughts on the problem.
Kind regards doobry
You can look at the headers and reject Mails with Headers["auto-submitted"]. Sieve should add them.
On 28 February 2025 at 00:25, "doobry via dovecot" <dovecot@dovecot.org> wrote:
Dear Dovecot community,
we changed sieve_redirect_envelope_from to orig_recipient recently to fix sieve redirects in case the forwarded mail comes from a DMARC-enabled domain.
While this works well, it creates a new problem: if the receiving mail server (the one in charge of the redirect destination) reacts with a bounce mail, the bounce now will go to orig_recipient - the mail address that has the redirect in place, which means no less than creating a mail bomb (endless mail loop).
See the following example:
1. alice@sender.org sends mail to jane@our-domain.org
2. jane@our-domain.org has a sieve redirect to jane@redirect-target.org
3. jane@redirect-target.org replies with a bounce because their mailbox is full.
4. The bounce mail gets sent to jane@our-domain.org.
5. The loop starts again at step 2.
Is it possible to configure dovecot/pigeonhole to *not* forward the bounce mails from step 4 again?
Probably it would work to add manual extra checks to the sieve redirect rules, but that would need to be followed by any user who configures a redirect. So I'm more looking for a server-wide configuration change that fixes this problem.
Looking forward to hearing about your thoughts on the problem.
Kind regards doobry
Hello again,
Schulz wrote:
You can look at the headers and reject Mails with Headers["auto-submitted"]. Sieve should add them.
Thanks for the pointer! I started playing with it but ran into two problems:
- It's only an option when possible to be configured server-wide (by default) as users will not add it to their sieve redirect rules for sure. So I tried to implement it using a sieve_before script:
    if header :contains "Auto-Submitted" "auto-replied" {
        discard;
    }
This works well but implies a second problem:
- This will result in *all* bounce mail being discarded, also bounces that didn't result from a sieve redirect.
So I searched for a way to detect that the bounce message is a reply to a sieve redirect. First the X-Sieve-Redirected-From header looked promising, but it is only added by the sieve redirect rule itself, which means *after* it is applied - and therefore it's not available yet in the sieve_before script.
Any idea how to solve this?
Another approach that I thought of was to set the envelope sender to something distinguishable in sieve_redirect_envelope_from, like e.g. <user+sieve@domain.org>, and filter for that recipient in the sieve_before script. But I don't think it's supported in Dovecot to set such a recipient delimiter in sieve_redirect_envelope_from, is it?
Looking forward to your thoughts.
Kind regards doobry
Hello again,
doobry wrote:
It's only an option when possible to be configured server-wide (by default) as users will not add it to their sieve redirect rules for sure. [...]
So I searched for a way to detect that the bounce message is a reply to a sieve redirect.
I think I found a superior solution: setting sieve_redirect_envelope_from = "<noreply-sieve@domain.org>", which is either a mailbox managed by the admins or an alias to /dev/null. This eliminates the problem with mail loops that orig_recipient invented while it still doesn't break DMARC.
It means that the bounce replies don't reach the original sender, but that's out of scope anyway with anything but sieve_redirect_envelope_from = sender.
I don't see any major problems with setting the envelope sender for sieve redirects to a fixed admin-controlled address apart from the mentioned side-effect that bounce replies to sieve redirects get lost. Am I overlooking something?
Kind regards, doobry
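The three sieve_redirect_envelope_from choices discussed in this thread, as a small simulation added here (an illustration, not code from the posters or from Dovecot/Pigeonhole). It assumes, as the thread reports, that the redirect is applied to incoming bounces as well and that the target mailbox always bounces; the DMARC/SPF effect of "sender" is not modelled.

```python
from collections import deque

# Constructed scenario, using the addresses from the thread.
REDIRECTS = {"jane@our-domain.org": "jane@redirect-target.org"}
FULL_MAILBOXES = {"jane@redirect-target.org"}   # always answers with a bounce
SINKS = {"noreply-sieve@domain.org"}            # admin mailbox or /dev/null alias


def redirect_envelope_from(policy, env_from, rcpt):
    """Envelope sender chosen for a redirected message (modelled behaviour)."""
    if policy == "sender":
        return env_from
    if policy == "orig_recipient":
        return rcpt
    return policy.strip("<>")  # fixed "<user@domain>" form


def simulate(policy, max_events=20):
    """Follow one message through the system; stop after max_events hops."""
    queue = deque([("alice@sender.org", "jane@our-domain.org")])
    redirects, events, bounce_rcpts = 0, 0, []
    while queue and events < max_events:
        env_from, rcpt = queue.popleft()
        events += 1
        if rcpt in SINKS:
            continue  # the bounce is swallowed here
        if rcpt in FULL_MAILBOXES:
            # A bounce goes to the envelope sender and carries a null sender
            # itself; none is generated for mail that has a null sender.
            if env_from:
                bounce_rcpts.append(env_from)
                queue.append(("", env_from))
            continue
        if rcpt in REDIRECTS:
            redirects += 1
            new_from = redirect_envelope_from(policy, env_from, rcpt)
            queue.append((new_from, REDIRECTS[rcpt]))
        # any other recipient: delivered locally, nothing further happens
    return {"redirects": redirects, "looped": bool(queue),
            "bounce_rcpts": sorted(set(bounce_rcpts))}


if __name__ == "__main__":
    for policy in ("sender", "orig_recipient", "<noreply-sieve@domain.org>"):
        print(policy, simulate(policy))
```

In this model the loop exists only because the rewrite replaces the bounce's null envelope sender with the redirecting address, so the next hop sees an ordinary sender and bounces again.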