[Dovecot] Vacation message and DMARC validation

Gerson Moraes gerson at digirati.com.br
Thu Sep 5 22:55:06 EEST 2013


Greetings,

I have found an issue in the interaction between sieve vacation messages 
and the SPF, DKIM and DMARC email validation systems.

For example, let's say we have a message coming from a at a.com to b at b.com 
at a server imap.mydomain.com. The account b at b.com has a vacation rule 
in sieve, and that generates an autoresponse to a at a.com. Our problem 
begins with the definition of section-5.1 in RFC5230 
<https://tools.ietf.org/html/rfc5230#section-5.1>. It says that the 
envelope-from in vacation messages should be set to <>. This is the 
behavior currently implemented in Dovecot.

We have recently added DMARC's authentication to our e-mail servers. 
DMARC needs one of the two authentications to pass, either SPF or DKIM. 
SPF works, but not the way DMARC needs it to. DMARC needs a valid SPF 
record that also matches the "From:" header. In this message, there is 
no envelope-from, so there is no domain to validate. This is the reason 
we use SRS to rewrite envelope-from (to do that we use the server address).

The last option is to use DKIM authentication.

We have clustered SMTP servers. So, in order to make a DKIM signature, 
the vacation message needs to be sent to the right server. That is, the 
server where the key to account b at b.com is available.

To do that, we are implementing a modification to the Dovecot source 
allowing the use of the envelope-from. The modified envelope-from will 
be used with the Postfix option "sender_dependent_relayhost_maps" in 
order to choose the right cluster. This does not break RFC5230, because 
the use of a null sender is only a recommendation.

I would like to know if a patch to the main project would be 
appreciated. Could you also please confirm if there are any future plans 
involving this feature, like an optional configuration for custom 
envelope-from?


Thanks in advance,

Gerson Moraes
Digirati
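
The alignment problem described in the message above, as an added example that is not part of the original post or of Dovecot: a small DMARC identifier-alignment check run over the three situations the message mentions (null sender, SRS-rewritten sender, DKIM signature for b.com). The SRS address is constructed, the SPF and DKIM verdicts are taken as inputs, and org_domain() is a simplifying assumption (last two labels instead of the Public Suffix List).

```python
# Added example: DMARC relaxed alignment for a vacation auto-reply.
# Assumption: org_domain() takes the last two labels; real evaluators
# use the Public Suffix List. SPF/DKIM pass results are supplied as inputs.

def org_domain(domain):
    """Naive organizational domain (assumption, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: organizational domains must match."""
    return org_domain(auth_domain) == org_domain(from_domain)

def spf_identity(envelope_from, helo):
    """Domain that SPF authenticates: the MAIL FROM domain, or the HELO
    name when the reverse-path is null (RFC 7208 section 2.4)."""
    if envelope_from in ("", "<>"):
        return helo
    return envelope_from.strip("<>").rsplit("@", 1)[1]

def dmarc_eval(header_from, envelope_from, helo, spf_pass, dkim_pass_domains):
    """DMARC passes if an SPF or DKIM pass is aligned with the From: domain."""
    from_domain = header_from.rsplit("@", 1)[1]
    spf_dom = spf_identity(envelope_from, helo)
    spf_ok = spf_pass and aligned(spf_dom, from_domain)
    dkim_ok = any(aligned(d, from_domain) for d in dkim_pass_domains)
    return {"spf_domain": spf_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

HELO = "imap.mydomain.com"  # server name used in the message

# 1. RFC 5230 behaviour: null envelope sender, no DKIM signature.
NULL_SENDER = dmarc_eval("b@b.com", "<>", HELO, True, [])

# 2. SRS rewrite to the server's domain (constructed SRS address):
#    SPF passes for mydomain.com, which is not aligned with b.com.
SRS_SENDER = dmarc_eval("b@b.com", "<SRS0=HHH=TT=b.com=b@mydomain.com>",
                        HELO, True, [])

# 3. Reply relayed through the cluster holding the b.com key and signed
#    with d=b.com: DKIM is aligned, so DMARC passes despite SPF.
DKIM_SIGNED = dmarc_eval("b@b.com", "<>", HELO, True, ["b.com"])

if __name__ == "__main__":
    for name, r in [("null sender", NULL_SENDER), ("SRS sender", SRS_SENDER),
                    ("DKIM d=b.com", DKIM_SIGNED)]:
        print(f"{name:13} {r}")
```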


