[Dovecot] PATCH missing Return-Path in message (was Re: SEGV with Dovecot v1.0.0 Deliver and cmusieve v1.0.1 and vacation)

mouss mlist.only at free.fr
Sat Jun 2 12:37:38 EEST 2007


Steffen Kaiser wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 26 Apr 2007, Steffen Kaiser wrote:
>
> Hello,
>
> after digging in the CMU Sieve lib sources, I found where the problem 
> stems from.
>
> Somehow (I don't know why) in 
> dovecot-sieve-1.0.1/src/libsieve/script.c:671
>
>         /* first, let's figure out if we should respond to this */
>         ret = makehash(hash, a->u.vac.send.addr,
>                    a->u.vac.send.msg);
>
> u.vac.send.addr is NULL.
>
> Although, in dovecot-sieve-1.0.1/src/libsieve/bc_eval.c:256
> I get the impression that this error handled by silently skipping 
> vacation, if no return-path is available. It didn't happened for me. 
> BTW: I want to have those replys ;-)
>
> The reason is that by default sendmail does not pass forth Return-Path 
> to the MDA and Dovecot deliver does not use the -f option for this 
> reason.
>
> The attached patch changes this by leting deliver_get_return_address() 
> return any information available:
>
>     str = mail_get_first_header(mail, "Return-Path");
>     if(!str)
>         str = envelope_sender != DEFAULT_ENVELOPE_SENDER
>          ? envelope_sender    /* -f option */
>          : mail_get_first_header(mail, "From");    /* That's not the
>             most correct one, but alas */

oh no. never ever send to the From header address. if your mail system 
doesn't provide the necessary informations, fix it or do whatever you 
want, but please don't add yet another broken outscatter system...

this is clear in RFC 3834:

<excerpt source=rfc3834>

   If the response is to be generated after delivery, and there is no
   Return-Path field in the subject message, there is an implementation
   or configuration error in the SMTP server that delivered the message
   or gatewayed the message outside of SMTP.  A Personal or Group
   responder SHOULD NOT deliver a response to any address other than
   that in the Return-Path field, even if the Return-Path field is
   missing.  It is better to fix the problem with the mail delivery
   system than to rely on heuristics to guess the appropriate
   destination of the response.  Such heuristics have been known to
   cause problems in the past.
</excerpt>


In case you read the following sections, note that vacation is not a service responder.



>
> The problem still exists, if neither of the three information is 
> available, but, well ... .

If you don't have the necessary informations, don't send a vacation. 
stay on the safe side.
>
> Now, vacation is working.

maybe for you, probably not for the masses of backscatter victims...



More information about the dovecot mailing list