Re: sieve redirect to foreign email gets “Relay access denied”

Tue Sep 23 12:07:39 UTC 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 Sep 2014, Henry Stack wrote:
> On 22-09-2014 23:50, Reindl Harald wrote:
>> [...] you need to provide more  informations about your setup and if
>> possible avoid mask IP addresses - where does the smtpd live, where
>> is dovecot and how did you configure the relay at all what postfix
>> version? in case of a recent version -> smtpd_relay_restrictions is
>> configured?
>
> ok here comes the  data
> the sieve rule is simple
>
> if header :contains ["subject"] ["redirect"]  {redirect "henry at gmail.com"; 
> stop;}
>
> first of all the main issue is the sieve "redirect" to a email address on a 
> foreign server. In our case gmail.
> (sieve is a part of dovecot, and I found no possibility to make sieve more 
> verbose.)
> I can make postfix verbose but it just say that relay is not permitted.
>
> to test sieve and the rule I send a email from henry at live.de (Hotmail) to my 
> account on the server. henry at example.net and expect it to be redirected to 
> henry at gmail.com
>
> The only interesting line in the log-file is still
> NOQUEUE: reject: RCPT from mail.example.net[62.78.xxx.xxx]: 554 5.7.1 
> <henry at gmail.com>: Relay access denied; from=<henry at live.de> 
> to=<henry at gmail.com> proto=ESMTP helo=<mail.example.net>
>
> it say that sieve is trying to make a email FROM henry at live.de TO 
> henry at gmail.com and send it via  mail.example.net.
> *this is crazzy.*
> I think that this is the reason why I get the relay not permitted.
> afaik it should envelope the email using  henry at example.net
>
> Even I transform my own server in a open relay and send the email like sieve 
> want it to be redirected it will be rejected by the destination server 
> because my server is no authority for gmail.

1) There is a difference between "resent" and "redirect" (which is also 
known as "forward" or sometimes "bounce"). You want a redirect, Sieve 
forwards. Both ways have pros and cons.

2) You do not change your server into an open relay, if you permit just 
this host to drop messages there, depending what other services the Sieve 
host hosts. I don't know for certain, if Pigeonhole implements client SMTP 
AUTH - that would certainly help, but I found no setting for it. On the 
other hand, you can use a sendmail script instead of SMTP to circumvent 
that limitation.

See:
# Binary to use for sending mails.
#sendmail_path = /usr/sbin/sendmail

# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
submission_host = localhost

> Does somebody know how I can teach sieve to send as envelope ?

If you resent messages, bounces and other notifications (vacation) return 
to the resender not the original sender. What this means in your 
situation, I don't know.

Stuff like: https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme shall 
overcome this problem, but then each envelope sender is unique because 
of the timestamp. What this means for your recipients, I don't know as 
well.

You can teach Sieve doing so by patching the source code and submit a 
patch Stephan might consider to include into the source.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVCFijHz1H7kL/d9rAQJvUQf+L1iIZj/VuKtfPVB3MiAeQn0s+P5yHFnq
eq+m4c393KNLeCyHiYYEjnZ/tadm6dU22LPuaZD+2ClzorMC4AJq3zLBN7MDLQZ1
aUBOYcyvwMsA4500zMRBldx2++P2QoZevH/MbIS3MCBEq5YbSOYbIbIz/8U36l6O
cwhNhC6XLb9329Slw4ru9MUn1j6VWcpXvq2E6OeEUiNM/crvZ5a12reQ3ksIskA9
YoAsy8rCYhXHVse0p5rlt1MVg4YrcgP9WH8zziqSd4iB50vSjdku7OMFTxT+J0uJ
tnNMF8vFX+DznE5vToz5dPd5NbXBMm4QR1e9ILRgV371YtokPWQQOA==
=tKmq
-----END PGP SIGNATURE-----