[Dovecot] Sieve/pigeonhole with Exim and Dovecot LDA

Sebastian Arcus shop at open-t.co.uk
Thu May 30 13:55:55 EEST 2013


On 20/05/13 23:40, Gedalya wrote:
> On 05/20/2013 05:13 PM, Sebastian Arcus wrote:
>> On 20/05/13 17:12, Gedalya wrote:
>>> On 05/20/2013 12:02 PM, Sebastian Arcus wrote:
>>>> Exim doesn't seem to have any variable expansion for the "From" field
>>>
>>> If using the From header actually makes sense to you... then see
>>> $h_<header name> at
>>> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html,
>>>
>>> you probably want to restrict the usage of this as much as possible.
>>> The envelope sender must be empty for bounces and auto-replies, pretty
>>> good article here: https://github.com/Exim/exim/wiki/EximAutoReply
>>> Later I'll read through your whole message again and maybe I'll come up
>>> with something more concrete and detailed..
>>
>> Thanks for that. I've just tried using $header_from: in my exim
>> authenticator in client mode when talking to the provider's SMTP
>> server in smart relay mode (instead of $sender_address) - but for some
>> strange reason it just won't work. I've pored over the exim logs in
>> debug mode - and so far I can't make sense of what is happening. I'll
>> try some more to figure it out and get it working.
>>
>>
>
> OK, now I had some more time to look at your situation.
> We can ask, do you really need the sender? How do you use it? You're
> trying to authenticate using the sender, do you have the passwords in a
> lookup file?
> Perhaps this can be a good idea: set up a special authenticator with:
> client_condition = ${if match_ip{$sender_host_address}{:@[]}{1}{0}}
> so that it can only be used for locally submitted messages (this
> _should_ work, test it), and statically configure it with credentials
> that would work with your upstream SMTP server?
> Either way, you shouldn't have an authenticator that would trust the
> From: header and do something with it, unless the situation is very
> tightly controlled. You probably want to put more restrictions there to
> make sure this works only when intended, i.e. dovecot autoreplies.
>
> Now, as for $header_from, first of all, it's "$header_from:", with the
> colon in the end. Yea, I know.
> Secondly, I have no idea if it would be available in an authenticator.
> Consider that an authenticator is not really something that is related
> to processing an individual message.
> One thing is for sure, you would need to set connection_max_messages = 1
> in the smtp transport which would be handling these messages. I know
> that that helps to make $sender_address available in the authenticator,
> try your luck with $h_from: or try to pass that data in somehow, ACL
> variables or something, let me know how that goes - I'm curious, but if
> you need further help you should probably ask on the exim-users mailing
> list (and point me at the thread ;-))


Just a follow-up to my previous messages. I've posted to the exim list, 
and the best option seems to be to run a check in the authenticator, and 
if the $sender_address is empty, to use a default one instead. Note that 
this is probably safe in my setup, on a small lan with tightly 
controlled clients and where exim accepts no outside incoming email - 
but it might not be safe in some other different arrangements.

Here is my authenticator, in case it helps anybody else (replace 
"my@default_address.com" with something suitable for your setup):

#modified client auth for sieve ($sender_address missing)
fixed_plain_client:
     driver = plaintext
     public_name = PLAIN
     client_send = ^${if eq{$sender_address}{}{my@default_address.com}\
         {$sender_address}}^${lookup{${if eq{$sender_address}{}\
         {my@default_address.com}{$sender_address}}}\
         lsearch{/etc/exim/exim-client.passwd}{$value}{fail}}


And here is a link to the thread on exim list:

https://lists.exim.org/lurker/message/20130523.094659.1dc9fbe2.en.html
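
An added illustration, not part of the original post and not Exim code: a small Python model of what the authenticator above sends upstream, showing that every null-sender message (bounce or Sieve auto-reply) authenticates as the default account. The password file contents, the example.test addresses and the simplified lsearch parser are assumptions constructed for the demonstration.

```python
import base64
import re

DEFAULT_ADDRESS = "my@default_address.com"   # placeholder address from the post

# Constructed sample of /etc/exim/exim-client.passwd (key: password)
SAMPLE_PASSWD = """\
# upstream SMTP credentials (constructed sample data)
alice@example.test: alice-secret
my@default_address.com: fallback-secret
"""

def lsearch(text, key):
    """Simplified lsearch: first line whose key matches, case-insensitively.
    Continuation lines and quoted keys are not handled."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        m = re.match(r"([^\s:]+):?\s*(.*)", line)
        if m and m.group(1).lower() == key.lower():
            return m.group(2).rstrip()
    return None

def plain_client_send(sender_address, passwd_text=SAMPLE_PASSWD):
    """Return (identity, raw PLAIN message) the way client_send builds it."""
    # Same fallback as the ${if eq{$sender_address}{}...} test in the config
    identity = sender_address if sender_address else DEFAULT_ADDRESS
    password = lsearch(passwd_text, identity)
    if password is None:
        return identity, None          # no credentials stored for this identity
    # Each ^ in client_send becomes a NUL byte:
    # authzid (empty) NUL authcid NUL password
    return identity, b"\0" + identity.encode() + b"\0" + password.encode()

def wire_form(raw):
    """Base64 form of the PLAIN message as sent in the AUTH exchange."""
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    for sender in ("alice@example.test", ""):   # "" = bounce / Sieve auto-reply
        ident, raw = plain_client_send(sender)
        print(repr(sender), "->", ident, wire_form(raw))
```
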

