Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

Olaf Hopp Olaf.Hopp at kit.edu
Sun Apr 22 11:09:54 EEST 2018 

On 04/21/2018 03:25 PM, Bill Shirley wrote:
> On 4/20/2018 8:53 AM, Olaf Hopp wrote:
>> On 04/20/2018 02:01 PM, Olaf Hopp wrote:
>>> Hi (Stephan?),
>>> is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" changes the envelope sender of
>>> a redirected mail or simply a bug ?
>>>
>>> A sends mail to B, B redirects to C
>>> C sees B (not A!) as envelope sender.
>>> It is not a problem if C gets the mail but if that mail bounces
>>> for various reasons it goes back to B and A will never know about this.
>>>
>>> I thick this is came with 2.3 / pigeonhole 0.5 ?
>>>
>>> # 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.5.devel (61b47828)
>>> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
>>>
>>>
>>> Regards,
>>> Olaf
>>>
>>
>> I moved one version back, same config except those changes in 10-ssl.conf necessary for the 2.2->2.3 upgrade
>>
>> # 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.23 (b2e41927)
>> # OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
>>
>> and this version keeps the envelope sender untouched.
>> So this a regression with 2.3 / 0.5
>> Envelope *senders* should never ever be modified.
>>
>> Regards,
>> Olaf
>>
>>
> 
> My father is subscribed to a mailing list that instead of using list at xyz.org in the envelope
> it actually modifies the envelope to the poster's email address. When they try to send
> the email to my server and the envelope says "Hi, I'm coming from bob at example.com",
> I know they are lying because *my mail server is the mail handler* for example.com. REJECT
> 
> If you accept mail that's obviously forging the envelope sender, any spammer can just
> send email saying I am you and get passed by a whitelist statement in Spamassassin
> because... user at example.com "oh, he's a good guy.  Let him through."
> 
> Bill
> 

Of course, mailing lists are an exeption to this.
It's usual to put listname-bounces at ... into the envelope sender,
so that bounce processing might be done by the mailing list software.
Olaf


-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5304 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180422/d8b37c51/attachment.p7s>

More information about the dovecot mailing list