A patch that allows sieve redirects without SPF caused problems

Atanas Karashenski atanas at blueboard.biz
Wed Jul 5 10:07:20 EDT 2017


Hello,

Attached is a patch that allows cyrus to ask another program about the
return path of a mail that is going to be redirected by sieve.

Motivation:
-----------
Redirecting emails by sieve can cause problems in case the sender's
domain has an SPF record. Cyrus doesn't change the return path, so for
the final recipient (redirect destination) an SPF check will find a
conflict between the return path and the sender's (not the original
one) IP address/hostname.

In order to avoid this type of problem, the attached patch allows cyrus
to ask another program about the return path. I chose a solution with
another program because in different systems an appropriate return path
can be constructed in different ways:

* The simplest solution is to use the recipient's email address as the
return path. In this way the SPF check is OK, but in case the email
bounces at the redirect destination it won't go back to the original
sender;

* A more complex solution is to construct a return path that will allow
either the MTA or another system to rewrite headers and to forward the
bounced message to the original sender. The MTA can utilize components
like https://github.com/roehling/postsrsd. Alternatively, all the return
paths can be from a dedicated domain/subdomain, configured to catch all
emails in a single mailbox, with a script that reads this mailbox and
forwards bounced messages. In both cases the return path should contain
some sort of security token that will prevent using the system as an
open relay. In our system the return path consists of the original
sender's e-mail address, the recipient's e-mail address (not username),
a truncated part of the subject, a timestamp and a token, thus allowing
us, in case of a bounced e-mail, to send to the original sender a
bilingual, easy to understand message with technical details attached.

The proposed patch is against version 2.5.10 and is backward compatible.
It introduces two configuration parameters:

* sieve_redirect_get_return_path - the path to the program responsible
for return path generation;
* sieve_redirect_return_path_details - switch - whether or not to send
the e-mail content to the return path generator. The content can be used
to extract some additional data - subject, etc.

Please note that config2header must be executed after changes to the
imapoptions file.

Here is a perl template for a program that will communicate with cyrus
and generate the return path:

---------------------------
#! /usr/bin/perl
use strict;
use utf8;

### command line options
# -s the sender email address
# -u the recipient username (could be different from e-mail address)
# -d redirect destination email address
#
# then the whole message comes through STDIN (optional), can be used to
# extract some data - subject, from header, etc.
###

my (%args, $sender_email, $recipient_email, $redirect_destination,
$msg_text,  $line, $return_path);

# read command line parameters
%args = @ARGV;

$sender_email = $args{'-s'};
$recipient_email = $args{'-u'};
$redirect_destination = $args{'-d'};

# read the message from STDIN, stripping every NUL byte
$msg_text = '';
while($line = <STDIN> )
{
        $line =~ s/\0//g;
        $msg_text .= $line;
}

###
#
# Do what is necessary to construct the return path
# based on parameters and message (optional). The whole
# Return-Path header must be shorter than 255 ASCII characters
#
###

print STDOUT $return_path;

exit(0);

---------------------------


I hope it will be useful for other cyrus users since SPF is a very
popular part of anti-spam systems.

Best regards,
Atanas Karashenski
BlueBoard LLC


-------------- next part --------------
A non-text attachment was scrubbed...
Name: sieve_forward.patch
Type: text/x-patch
Size: 4482 bytes
Desc: not available
URL: <http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20170705/d9b03de7/attachment.bin>
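
An added example, not part of the original post or the attached patch: one way the return path generator described above could embed a security token and later verify a bounce, narrowed to original sender, timestamp and token. The address layout, the HMAC-SHA256 token truncated to 16 hex digits, the secret, the `bounces.example.org` domain and the one-week lifetime are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the post or the Cyrus patch): signed return paths.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $SECRET        = 'constructed-demo-key';  # assumption: read from a protected file
my $BOUNCE_DOMAIN = 'bounces.example.org';   # assumption: dedicated catch-all domain
my $MAX_AGE       = 7 * 24 * 3600;           # assumption: honour bounces for a week

# Token binds timestamp and original sender; lower-cased because MTAs may fold case.
sub tag {
    my ($ts, $dom, $loc) = @_;
    return substr(hmac_sha256_hex(lc("$ts=$dom=$loc"), $SECRET), 0, 16);
}

# Hypothetical layout: bounce+<token>=<timestamp>=<domain>=<local>@<bounce domain>
sub make_return_path {
    my ($sender, $now) = @_;
    my ($loc, $dom) = $sender =~ /\A([^\s\@<>]+)\@([A-Za-z0-9.-]+)\z/
        or return;                           # rejects CR/LF, spaces, brackets
    my $rp = sprintf('bounce+%s=%d=%s=%s@%s',
                     tag($now, $dom, $loc), $now, $dom, $loc, $BOUNCE_DOMAIN);
    return length("Return-Path: <$rp>") < 255 ? $rp : undef;
}

# Returns the original sender for a valid, unexpired bounce address, else undef.
sub verify_return_path {
    my ($rcpt, $now) = @_;
    my ($tag, $ts, $dom, $loc) = $rcpt =~
        /\Abounce\+([0-9a-f]{16})=(\d{1,10})=([^=\@]+)=([^\s\@]+)\@\Q$BOUNCE_DOMAIN\E\z/i
        or return;
    return if $ts > $now || $now - $ts > $MAX_AGE;
    my ($want, $got, $diff) = (tag($ts, $dom, $loc), lc($tag), 0);
    $diff |= ord(substr($want, $_, 1)) ^ ord(substr($got, $_, 1)) for 0 .. 15;
    return $diff ? undef : "$loc\@$dom";     # compared without early exit
}

unless (caller) {
    my %args = @ARGV;                        # -s sender, -u user, -d destination
    if (defined $args{'-s'}) {               # generator mode, called as in the template
        my $rp = make_return_path($args{'-s'}, time) or exit 1;
        print STDOUT $rp;
    } else {                                 # no arguments: demo on constructed input
        my $rp = make_return_path('alice@sender.example', time);
        (my $forged = $rp) =~ s/=sender\.example=alice\@/=victim.example=bob\@/;
        printf "%s\nvalid : %s\nforged: %s\n", $rp,
            verify_return_path($rp, time) // 'rejected',
            verify_return_path($forged, time) // 'rejected';
    }
}
```

The bounce handler forwards a message only when `verify_return_path` returns an address, so mail sent to a bounce address with a missing, altered or expired token is dropped instead of relayed.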

