[exim] about Sender: and envelope reverse-path in today's sy…

Author: Marc Haber
Date:  
To: exim-users
Subject: [exim] about Sender: and envelope reverse-path in today's systems
Hi,

I would like to discuss the way a modern MTA should behave when
installed out of the box in a Linux distribution. Being co-maintainer
of the Debian exim4 packages, the result of this discussion might
influence the way exim4 will behave in future versions of Debian
GNU/Linux.



Executive Summary
~~~~~~~~~~~~~~~~~

In my opinion, Sender: should not be generated by default, and users
should be able to define their own envelope sender. Anybody running an
MTA in a classic UNIX multi-user environment should be free to
configure the MTA to generate a Sender: header and to generate the
envelope sender as well. Optionally.




Rationale
~~~~~~~~~

Let U be a User who wants to use the e-mail address Uloc@???, and
would like his Mails submitted to exim via /usr/lib/sendmail from his
account UHacct on host H with the FQDN h.example.com. His MUA properly
generates messages with a "From: User <Uloc@???>" header and
submits them via /usr/lib/sendmail.

Given exim's default behavior, these messages go out with envelope
sender <UHacct@???>, and have Sender: <UHacct@???>
added by exim automatically. Some versions of Outlook will display
these messages as "from User <UHacct@???> on behalf of User
<Uloc@???>", and some Outlook/Exchange combinations will even
send replies created by the Reply function to UHacct@???.

This is not the behavior desired by a user who explicitly configures
his MUA to use Uloc@??? as sender address.

Automatically adding a Sender: header according to the local account
at the local box is a good thing for big multi user machines, though.

RFC2822, 3.6.2:
|The "Sender:" field specifies the mailbox of the agent responsible for
|the actual transmission of the message.

The older RFC822 doesn't formally say what is bound to be in the
Sender: field, but mentions a few scenarios where Sender: should be
manually set for the individual message.

Neither RFC states that Sender: should be generated automatically.

RFC2821, 3.3:
|The <reverse-path> portion of the first or
|only argument contains the source mailbox (between "<" and ">"
|brackets), which can be used to report errors

RFC821, 2:
| The argument to the MAIL command is a reverse-path, which specifies
| who the mail is from. [...] The forward-path
| is a source route, while the reverse-path is a return route (which
| may be used to return a message to the sender when an error occurs
| with a relayed message).


All three referenced documents say that the address in Sender: and
envelope should refer to a mailbox which can be used to send
messages to.

However, on today's systems it is neither guaranteed that UHacct has a
mailbox on h.example.com, nor is it guaranteed that h.example.com is
even reachable for SMTP from the outside at all. Hence, the automatic
generation of Sender: and envelope sender according to the local
account at the local host is bound to generate bad addresses on the
majority of systems out there, most probably the ones taken care of by
inexperienced people.



Conclusion
~~~~~~~~~~

I must therefore conclude that it would be a good idea to have exim
not generate a Sender: header by default and to allow all users to
specify their own envelope sender. Fortunately, this behavior can be
configured at run time, but I would like to strongly encourage Philip
to change the default behavior at some later time.

For tracing purposes, the account name and originating host can be
obtained from the Received:-Headers, or an optional
X-Authenticated-Sender which might be added for that purpose.
Unfortunately, exim can add the UHacct@??? either as Sender:
header or not at all. Maybe it would be a good idea to make the name
of the header added with the real account information configurable,
enabling sites to set some header like X-Authenticated-Sender to the
real account data if they wish to.



Implementation for Debian/GNU Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will suggest to the Debian exim4 maintainer team to change exim4's
default behavior for the Debian configuration.

# These settings allow local users to specify their own envelope sender
# in a locally submitted message. Sender: headers existing in a locally
# submitted message are not removed, and no automatic Sender: headers
# are added. These settings are fine for most hosts.
# If you run exim on a classical multi-user system where all users
# have local mailboxes that can be reached via SMTP from the Internet
# with the local FQDN as the domain part of the address, you might want
# to disable the following three lines for traceability reasons.
local_from_check = false
local_sender_retain = true
untrusted_set_sender = *


Before I submit that change, I'd like to know if the exim community
strongly opposes or if people agree with the proposed change.



Wishlist request for exim upstream
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- local_from_check should have its default changed to false.
- local_sender_retain should have its default changed to true.
- untrusted_set_sender should have its default changed to *.
- There should be a new option, probably named like
local_sender_header, defaulting to "Sender", stating the header name
of a header containing a mail address constructed from the local
account name and the local FQDN. Introducing that option won't change
existing semantics since this header is now generated with a
hard-coded name of "Sender".


Thanks for your time, and for voicing your opinion.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
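
The following is an added illustration, not part of the original message and not Exim code: a simplified Python model of how the three options discussed above decide the envelope sender and the Sender: header of a message submitted locally by an untrusted user. The function and class names, the sample addresses, and the use of shell-style patterns for untrusted_set_sender are assumptions made for the example.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatch


@dataclass
class Options:
    # Field defaults mirror the default behaviour the message describes.
    local_from_check: bool = True
    local_sender_retain: bool = False
    untrusted_set_sender: tuple = ()  # patterns an untrusted user may pass as -f


# The three settings proposed for the Debian configuration.
PROPOSED = Options(local_from_check=False, local_sender_retain=True,
                   untrusted_set_sender=("*",))


def submit(raw, login, qualify_domain, opts, dash_f=None):
    """Return (envelope_sender, Sender: value or None) for an untrusted local user."""
    if opts.local_from_check and opts.local_sender_retain:
        raise ValueError("local_from_check and local_sender_retain cannot both be true")
    account = f"{login}@{qualify_domain}"
    msg = message_from_string(raw)
    # Envelope: a requested -f address is honoured only if a pattern permits it.
    allowed = bool(dash_f) and any(fnmatch(dash_f, p) for p in opts.untrusted_set_sender)
    envelope = dash_f if allowed else account
    # Header: an existing Sender: is dropped unless local_sender_retain is set.
    if not opts.local_sender_retain:
        del msg["Sender"]
    # A Sender: naming the account is added when From: is not the account address.
    if opts.local_from_check and parseaddr(msg["From"] or "")[1] != account:
        msg["Sender"] = account
    return envelope, msg["Sender"]


# Constructed sample messages; every name and address is a placeholder.
SAMPLE = "From: User <uloc@mail.example.org>\nSubject: test\n\nbody\n"
WITH_SENDER = "Sender: list-owner@lists.example.org\n" + SAMPLE

if __name__ == "__main__":
    for label, opts in (("default", Options()), ("proposed", PROPOSED)):
        for name, raw in (("plain", SAMPLE), ("with Sender:", WITH_SENDER)):
            result = submit(raw, "uhacct", "h.example.com", opts,
                            dash_f="uloc@mail.example.org")
            print(f"{label:9} {name:13} envelope={result[0]} Sender={result[1]}")
```

With the proposed settings the account name no longer appears in the envelope or in Sender:, so tracing a message back to the submitting account relies on the Received: headers or on local logs, as the message notes.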