[Dovecot] Vacation message and DMARC validation
gerson at digirati.com.br
Thu Sep 5 22:55:06 EEST 2013
I have found an issue in the interaction between sieve vacation messages
and the SPF, DKIM and DMARC email validation systems.
For example, let's say we have a message coming from a at a.com to b at b.com
at a server imap.mydomain.com. The account b at b.com has a vacation rule
in sieve, and that generates an autoresponse to a at a.com. Our problem
begins with the definition of section-5.1 in RFC5230
<https://tools.ietf.org/html/rfc5230#section-5.1>. It says that the
envelope-from in vacation messages should be set to <>. This is the
behavior currently implemented in Dovecot.
We have recently added DMARC's authentication to our e-mail servers.
DMARC needs one of the two authentication methods to pass, either SPF or DKIM.
SPF works, but not the way DMARC needs it to. DMARC needs a valid SPF
record that also matches the "From:" header. In this message, there is
no envelope-from, so there is no domain to validate. This is the reason
we use SRS to rewrite envelope-from (to do that we use the server address).
The last option is to use DKIM authentication.
We have clustered SMTP servers. So, in order to make a DKIM signature,
the vacation message needs to be sent to the right server. That is, the
server where the key to account b at b.com is available.
To do that, we are implementing a modification to the Dovecot source
allowing the use of the envelope-from. The modified envelope-from will
be used with the Postfix option "sender_dependent_relayhost_maps" in
order to choose the right cluster. This does not break RFC5230, because
the use of a null sender is only a recommendation.
I would like to know if a patch to the main project would be
appreciated. Could you also please confirm if there are any future plans
involving this feature, like an optional configuration for custom
Thanks in advance,
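The alignment problem described in the message above, as an added example that is not part of the original post and is not Dovecot or Postfix code. It evaluates DMARC identifier alignment for a vacation reply with "From: b@b.com" sent from imap.mydomain.com, using the HELO fallback that RFC 7208 section 2.4 defines for a null reverse-path. The SRS address, the SPF/DKIM results and the two-label organizational-domain shortcut are constructed assumptions.

```python
# Added example: DMARC identifier alignment for an auto-reply.
# All addresses, hostnames and SPF/DKIM results are constructed sample data.

def org_domain(domain):
    # ASSUMPTION: organizational domain approximated as the last two labels;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match, relaxed mode the same organizational domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def spf_identity(envelope_from, helo):
    # RFC 7208 section 2.4: with a null reverse-path, SPF checks postmaster@<HELO>.
    addr = envelope_from.strip("<>")
    return addr.rsplit("@", 1)[1] if "@" in addr else helo

def dmarc_eval(header_from, envelope_from, helo, spf_result, dkim_sigs, strict=False):
    # header_from is assumed to be a bare addr-spec; dkim_sigs is [(d_domain, result)].
    from_domain = header_from.rsplit("@", 1)[1]
    spf_domain = spf_identity(envelope_from, helo)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for d, r in dkim_sigs)
    return {"spf_domain": spf_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

CASES = {
    "null sender, unsigned": ("<>", []),
    "SRS rewrite to server domain": ("<SRS0=abcd=XY=b.com=b@mydomain.com>", []),
    "null sender, DKIM d=b.com": ("<>", [("b.com", "pass")]),
    "envelope-from b@b.com, DKIM d=b.com": ("<b@b.com>", [("b.com", "pass")]),
}

def run_cases():
    # SPF is taken to pass in every case: the sending host is authorized for
    # whichever domain SPF ends up checking (constructed assumption).
    return {name: dmarc_eval("b@b.com", env, "imap.mydomain.com", "pass", sigs)
            for name, (env, sigs) in CASES.items()}

if __name__ == "__main__":
    for name, res in run_cases().items():
        print(f"{name:38} spf_domain={res['spf_domain']:18} dmarc={res['dmarc']}")
```

In the first two cases SPF passes but for a domain that does not align with b.com, so DMARC fails unless a DKIM signature with an aligned d= domain is present.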