Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-24 Thread Stephan Bosch



On 24-4-2018 at 10:17, Olaf Hopp wrote:

On 04/23/2018 03:46 PM, Olaf Hopp wrote:

On 04/23/2018 03:22 PM, Stephan Bosch wrote:



On 20-4-2018 at 14:01, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect"
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Probably same as issue in this thread:

https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html



Yes maybe.
But I didn't see any sieve errors in the logs.
In my case there is exim sitting in front of dovecot lmtp and as said
 trusted_users = exim:dovecot
in the exim.conf resolved this issue for me.

Regards, Olaf


I dug deeper: in
https://www.dovecot.org/pipermail/dovecot/2018-April/111485.html
Stephan wrote


| Yeah, this is likely due to the fact that sendmail is now invoked using
| the program-client (same as Sieve extprograms), which takes great care
| to drop any unwanted (seteuid) root privileges.

and that's the reason why my exim now needs the dovecot user as trusted user so that
those redirects can retain the original envelope sender.


It could also be the Systemd issues reported in that thread. I haven't 
experimented with that.


Regards,

Stephan.



Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-24 Thread Olaf Hopp

On 04/23/2018 03:46 PM, Olaf Hopp wrote:

On 04/23/2018 03:22 PM, Stephan Bosch wrote:



On 20-4-2018 at 14:01, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Probably same as issue in this thread:

https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html



Yes maybe.
But I didn't see any sieve errors in the logs.
In my case there is exim sitting in front of dovecot lmtp and as said
 trusted_users = exim:dovecot
in the exim.conf resolved this issue for me.

Regards, Olaf


I dug deeper: in
https://www.dovecot.org/pipermail/dovecot/2018-April/111485.html Stephan wrote

| Yeah, this is likely due to the fact that sendmail is now invoked using
| the program-client (same as Sieve extprograms), which takes great care
| to drop any unwanted (seteuid) root privileges.

and that's the reason why my exim now needs the dovecot user as trusted user so that
those redirects can retain the original envelope sender.

Thanks, Olaf


--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
Email: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.






Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-23 Thread Olaf Hopp

On 04/23/2018 03:22 PM, Stephan Bosch wrote:



On 20-4-2018 at 14:01, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Probably same as issue in this thread:

https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html



Yes maybe.
But I didn't see any sieve errors in the logs.
In my case there is exim sitting in front of dovecot lmtp and as said
trusted_users = exim:dovecot
in the exim.conf resolved this issue for me.

Regards, Olaf





Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-23 Thread Stephan Bosch



On 20-4-2018 at 14:01, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect"
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Probably same as issue in this thread:

https://www.dovecot.org/pipermail/dovecot/2018-April/111482.html

Regards,

Stephan.


Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-23 Thread Olaf Hopp

On 04/23/2018 07:28 AM, Steffen Kaiser wrote:



Envelope *senders* should never ever be modified.


If the domain of sender A has SPF records installed and B redirects to C, but 
keeps the envelope sender A, the SPF check will fail on C.



That's the reason why I say SPF is broken by design.
People using it should hopefully know what they are doing.
But that's a little bit OT for this list.
Olaf



Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-22 Thread Steffen Kaiser


On Fri, 20 Apr 2018, Olaf Hopp wrote:

On 04/20/2018 02:53 PM, Olaf Hopp wrote:

On 04/20/2018 02:01 PM, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect"
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.


That's just one problem these days.


Envelope *senders* should never ever be modified.


If the domain of sender A has SPF records installed and B redirects to C, 
but keeps the envelope sender A, the SPF check will fail on C.


Looks like any redirect has the potential to fail, unless some
sort of SRS is established as well.


--
Steffen Kaiser

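
The trade-off discussed in this thread (keep A as envelope sender and fail SPF at C, or use B and lose A's bounces) next to an SRS-style rewrite, as an added example that is not part of the original messages. Domains, IP addresses and the key are constructed, and the address encoding is a simplified SRS0-like form, not wire-compatible with any real SRS implementation.

```python
import base64, hashlib, hmac

# Constructed sample data: IPs each domain's SPF policy authorises to send.
SPF = {"a.example": {"192.0.2.10"}, "b.example": {"198.51.100.20"}}
SECRET = b"constructed-demo-secret"  # assumption: forwarder B's private key

def spf_pass(envelope_sender, client_ip):
    """Toy SPF: pass if the connecting IP is authorised for the sender's domain."""
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    return client_ip in SPF.get(domain, set())

def _tag(*parts):
    """Short keyed hash so only the forwarder can mint valid rewritten addresses."""
    msg = "=".join(parts).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(mac).decode()[:6]

def srs_forward(sender, forwarder_domain, day):
    """Rewrite A's address into B's domain: SRS0=<tag>=<day>=<domain>=<local>@B."""
    local, domain = sender.rsplit("@", 1)
    ts = format(day % 1024, "x")  # day stamp is carried; expiry is not enforced here
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(address):
    """Recover the original sender from a bounce recipient; None if not valid."""
    local = address.rsplit("@", 1)[0]
    if not local.upper().startswith("SRS0="):
        return None
    try:
        tag, ts, domain, orig_local = local[5:].split("=", 3)
    except ValueError:
        return None
    expected = _tag(ts, domain, orig_local)
    if not hmac.compare_digest(tag.upper().encode(), expected.encode()):
        return None  # forged or altered address: do not relay the bounce
    return f"{orig_local}@{domain}"

def bounce_target(envelope_sender):
    """Final recipient of a bounce from C once B has processed it."""
    return srs_reverse(envelope_sender) or envelope_sender

def scenarios(day=17646):
    """(SPF result at C, who learns about a bounce) when B forwards A's mail."""
    a, b_ip = "alice@a.example", "198.51.100.20"
    senders = {
        "keep A": a,                      # original envelope sender retained
        "rewrite to B": "bob@b.example",  # behaviour reported in this thread
        "SRS": srs_forward(a, "b.example", day),
    }
    return {k: (spf_pass(s, b_ip), bounce_target(s)) for k, s in senders.items()}
```
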


Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-22 Thread Olaf Hopp

On 04/21/2018 03:25 PM, Bill Shirley wrote:

On 4/20/2018 8:53 AM, Olaf Hopp wrote:

On 04/20/2018 02:01 PM, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Regards,
Olaf



I moved one version back, same config except those changes in 10-ssl.conf 
necessary for the 2.2->2.3 upgrade

# 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.23 (b2e41927)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)

and this version keeps the envelope sender untouched.
So this is a regression with 2.3 / 0.5
Envelope *senders* should never ever be modified.

Regards,
Olaf




My father is subscribed to a mailing list that instead of using l...@xyz.org in the envelope
it actually modifies the envelope to the poster's email address. When they try to send
the email to my server and the envelope says "Hi, I'm coming from b...@example.com",
I know they are lying because *my mail server is the mail handler* for example.com. REJECT

If you accept mail that's obviously forging the envelope sender, any spammer can just
send email saying I am you and get passed by a whitelist statement in Spamassassin
because... u...@example.com "oh, he's a good guy.  Let him through."

Bill



Of course, mailing lists are an exception to this.
It's usual to put listname-bounces@... into the envelope sender,
so that bounce processing might be done by the mailing list software.
Olaf




Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-21 Thread Bill Shirley

On 4/20/2018 8:53 AM, Olaf Hopp wrote:

On 04/20/2018 02:01 PM, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Regards,
Olaf



I moved one version back, same config except those changes in 10-ssl.conf 
necessary for the 2.2->2.3 upgrade

# 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.23 (b2e41927)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)

and this version keeps the envelope sender untouched.
So this is a regression with 2.3 / 0.5
Envelope *senders* should never ever be modified.

Regards,
Olaf




My father is subscribed to a mailing list that instead of using l...@xyz.org in the envelope
it actually modifies the envelope to the poster's email address. When they try to send
the email to my server and the envelope says "Hi, I'm coming from b...@example.com",
I know they are lying because *my mail server is the mail handler* for example.com. REJECT

If you accept mail that's obviously forging the envelope sender, any spammer can just
send email saying I am you and get passed by a whitelist statement in Spamassassin
because... u...@example.com "oh, he's a good guy.  Let him through."

Bill



Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-20 Thread Olaf Hopp

OK, I found a solution:

trusted_users = exim:dovecot

in my exim.conf fixed it.

Anyway this is an important change of behaviour between 2.2 and 2.3
In 2.2 the "dovecot" under exim's "trusted_users" was not necessary.

Olaf


On 04/20/2018 02:53 PM, Olaf Hopp wrote:

On 04/20/2018 02:01 PM, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Regards,
Olaf



I moved one version back, same config except those changes in 10-ssl.conf 
necessary for the 2.2->2.3 upgrade

# 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.23 (b2e41927)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)

and this version keeps the envelope sender untouched.
So this is a regression with 2.3 / 0.5
Envelope *senders* should never ever be modified.

Regards,
Olaf







Re: Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-20 Thread Olaf Hopp

On 04/20/2018 02:01 PM, Olaf Hopp wrote:

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Regards,
Olaf



I moved one version back, same config except those changes in 10-ssl.conf 
necessary for the 2.2->2.3 upgrade

# 2.2.35 (b1cb664): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.23 (b2e41927)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)

and this version keeps the envelope sender untouched.
So this is a regression with 2.3 / 0.5
Envelope *senders* should never ever be modified.

Regards,
Olaf




Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5

2018-04-20 Thread Olaf Hopp

Hi (Stephan?),
is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" 
changes the envelope sender of
a redirected mail or simply a bug ?

A sends mail to B, B redirects to C
C sees B (not A!) as envelope sender.
It is not a problem if C gets the mail but if that mail bounces
for various reasons it goes back to B and A will never know about this.

I think this came with 2.3 / pigeonhole 0.5 ?

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)


Regards,
Olaf
