Re: [exim] How to rewrite From: header of offsite forwards o…

Góra strony
Delete this message
Reply to this message
Autor: Mike Brudenell
Data:  
Dla: Exim Users
Temat: Re: [exim] How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Be careful if you plan to start rewriting the RFC5322.From header. If the
message has had a DKIM signature applied to it that header's content will
almost certainly be covered by the signature to detect
tampering/alterations such as you're proposing, and you'll be invalidating
it; this might give you problems delivering to sites that validate DKIM
signatures. So you'll likely have to sign it again yourself, possibly also
using ARC to confirm the authenticity chain.

Without knowing your situation it sounds like you're trying to do the same
sort of thing as mailing lists do: send out messages originating from
senders (list contributors) from arbitrary domains? You have to be careful
with these, especially if the sender's domain has a DMARC policy other than
"none" in place. This requires the one or both of the standard SPF and DKIM
tests to pass *and* for the domain being considered to align with that in
the RFC5321.From header in order for DMARC to consider it an acceptable
pass. Modern mailing list manager software handles this by rewriting the
RFC5322.From header to use its own domain, which it can then DKIM-sign it
using its own keys.

In passing, SRS rewrites the RFC5321.MailFrom address (sender address in
the SMTP envelope) not the RFC5322.From or Sender headers. Any change to
the Sender header will likely be a byproduct, I think.

Cheers,
Mike B-)

On 18 March 2018 at 19:21, Pete Schaefers via Exim-users <
exim-users@???> wrote:

> When Amazon SES receives mail is validates the From: against verified
> domains and addresses. If it does not find it valid it drops the mail and
> returns error 554. (See last couple posts in this thread for more info if
> desired: https://forums.aws.amazon.com/message.jspa?messageID=745028#
> 745028 )
>
> I am running a hosting server with cPanel and EXIM. I had hoped that SRS
> would fix this denial by changing the Sender: header and SES would accept
> it, but apparently SES ignores that, and still rejects. Amazon seems
> hesitant to address this, so I'm looking for other ways to address it.
>
> The one that seems best to me would be to rewrite the From: header to one
> that will validate (that of on sending server rather than the off server
> original). I would only want to do that when the mail is a forward,
> original sender is off server, and the recipient is off server. This would
> also mean making sure the Replyto: was set to the original sender, I would
> think.
>
> I have only a little experience with EXIM rewrites, and the syntax of the
> config file, so I'm looking for some help in programming the logic of this
> rewrite.
>
> Does this seem like a good approach, or am I missing something easier,
> such as re-configuring something already built in to EXIM about how it
> treats forward From: addresses?
>
> Thanks in advance for anyone's contribution.
>
> -Pete
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>




--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm