[Dovecot] Vacation message and DMARC validation

Gerson Moraes gerson at digirati.com.br
Thu Sep 5 22:55:06 EEST 2013


I have found an issue in the interaction between sieve vacation messages 
and the SPF, DKIM and DMARC email validation systems.

For example, let's say we have a message coming from a at a.com to b at b.com 
at a server imap.mydomain.com. The account b at b.com has a vacation rule 
in sieve, and that generates an autoresponse to a at a.com. Our problem 
begins with the definition of section-5.1 in RFC5230 
<https://tools.ietf.org/html/rfc5230#section-5.1>. It says that the 
envelope-from in vacation messages should be set to <>. This is the 
behavior currently implemented in Dovecot.

We have recently added DMARC's authentication to our e-mail servers. 
DMARC needs one of the two authentication to pass, either SPF or DKIM. 
SPF works, but not the way DMARC needs it to. DMARC needs a valid SPF 
record that also matches the "From:" header. In this message, there are 
no envelope-from, so there are no domain to validate. This is the reason 
we use SRS to rewrite envelope-from (to do that we use the server address).

The last option is to use DKIM authentication.

We have clustered SMTP servers. So, in order to make a DKIM signature, 
the vacation message needs to be sent to the right server. That is, the 
server where the key to account b at b.com is available.

To do that, we are implementing a modification to Dovecot source 
allowing the use of the envelope-from. The modified envelope-from will 
be used with the Postfix option "sender_dependent_relayhost_maps" in 
order to choose the right cluster. This does not break RFC5230, because 
the use of null sender is only a recommendation.

I would like to know if a patch to the main project would be 
appreciated. Could you also please confirm if there are any future plans 
involving this feature, like an optional configuration for custom 

Thanks in advance,

Gerson Moraes

More information about the dovecot mailing list