Re: [exim] How to rewrite From: header of offsite forwards o…

Author: Pete Schaefers
Date:  
To: Exim-users
Subject: Re: [exim] How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Mike, thanks for taking the time to detail that! I guess I assumed
(maybe wrongly) that when EXIM forwards a message that the SPF and DKIM
of the domain on the EXIM server would apply and be in the sent forward.
In that case wouldn't all entities align?

Just to make sure I'm stating what I'm trying to do clearly...

joe@??? ---> sue@???, which is set to forward to
sue@???
EXIM sends the forward to SES as joe@??? ---> sue@???
SES responds 554 because yahoo.com is not verified in the SES account,
even though the headers clearly show that the *forward* is coming from
myserver.com which *is* verified in the SES account.

Why am I doing this? My sending IP is clean as a whistle, but because MS
(outlook, live, hotmail) and Yahoo (along with others) have a guilty
until proven innocent attitude, a lot of email from my server going to
those accounts (if the sender isn't already in their address book) goes
to Junk, or worse yet, is rejected and bounced. I have jumped MS's hoops
and added my IP to their system, but it still happens. MS is now zero help.

I turned to SES and also to MailGun to use their sending server/IP and
that solved the problem, but each of them has a serious failing.
MailGun doesn't return bounces to the sender (SES does), and SES doesn't
allow forwards such as this (MG does). So I'm stuck with three "pretty
good" SMTP solutions, but each has a unique issue, and this is one
avenue I'm looking down to make it work.

-Pete

On 2018-03-19 12:26, Mike Brudenell wrote:
> Be careful if you plan to start rewriting the RFC5322.From header. If the
> message has had a DKIM signature applied to it that header's content will
> almost certainly be covered by the signature to detect
> tampering/alterations such as you're proposing, and you'll be invalidating
> it; this might give you problems delivering to sites that validate DKIM
> signatures. So you'll likely have to sign it again yourself, possibly also
> using ARC to confirm the authenticity chain.
>
> Without knowing your situation it sounds like you're trying to do the same
> sort of thing as mailing lists do: send out messages originating from
> senders (list contributors) from arbitrary domains? You have to be careful
> with these, especially if the sender's domain has a DMARC policy other than
> "none" in place. This requires one or both of the standard SPF and DKIM
> tests to pass *and* for the domain being considered to align with that in
> the RFC5321.From header in order for DMARC to consider it an acceptable
> pass. Modern mailing list manager software handles this by rewriting the
> RFC5322.From header to use its own domain, which it can then DKIM-sign
> using its own keys.
>
> In passing, SRS rewrites the RFC5321.MailFrom address (sender address in
> the SMTP envelope) not the RFC5322.From or Sender headers. Any change to
> the Sender header will likely be a byproduct, I think.
>
> Cheers,
> Mike B-)
>
> On 18 March 2018 at 19:21, Pete Schaefers via Exim-users <
> exim-users@???> wrote:
>
> > When Amazon SES receives mail it validates the From: against verified
> > domains and addresses. If it does not find it valid it drops the mail and
> > returns error 554. (See last couple posts in this thread for more info if
> > desired: https://forums.aws.amazon.com/message.jspa?messageID=745028#745028 )
> >
> > I am running a hosting server with cPanel and EXIM. I had hoped that SRS
> > would fix this denial by changing the Sender: header and SES would accept
> > it, but apparently SES ignores that, and still rejects. Amazon seems
> > hesitant to address this, so I'm looking for other ways to address it.
> >
> > The one that seems best to me would be to rewrite the From: header to one
> > that will validate (that of on sending server rather than the off server
> > original). I would only want to do that when the mail is a forward,
> > original sender is off server, and the recipient is off server. This would
> > also mean making sure the Replyto: was set to the original sender, I would
> > think.
> >
> > I have only a little experience with EXIM rewrites, and the syntax of the
> > config file, so I'm looking for some help in programming the logic of this
> > rewrite.
> >
> > Does this seem like a good approach, or am I missing something easier,
> > such as re-configuring something already built in to EXIM about how it
> > treats forward From: addresses?
> >
> > Thanks in advance for anyone's contribution.
> >
> > -Pete
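
The rewrite condition described in the thread (rewrite From: only when the original sender and the forward target are both off server, keep the original sender in Reply-To) together with the DKIM caveat, as an added Python example that is not part of the thread and is not Exim configuration. `LOCAL_DOMAINS`, the `forwarder@myserver.com` address, the "via" display name and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

LOCAL_DOMAINS = {"myserver.com"}      # assumption: domains hosted here and verified in SES
FORWARDER = "forwarder@myserver.com"  # hypothetical address in a verified domain


def domain_of(address):
    """Lower-cased domain part of an address or a 'Name <addr>' header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def rewrite_offsite_forward(raw, forward_to):
    """Return (message, rewritten, dkim_broken) for one forwarded message.

    The From: header is rewritten only when both the original author and the
    forward target are off server; local mail is returned untouched.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    if domain_of(addr) in LOCAL_DOMAINS or domain_of(forward_to) in LOCAL_DOMAINS:
        return msg, False, False
    # Any existing DKIM signature covers From: (RFC 6376 requires it in h=),
    # so the rewrite invalidates it and the message needs re-signing.
    dkim_broken = msg["DKIM-Signature"] is not None
    if msg["Reply-To"] is None:           # keep replies going to the author
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]                       # policy.default allows one From: only
    msg["From"] = formataddr((f"{name or addr} via myserver.com", FORWARDER))
    return msg, True, dkim_broken


# Constructed sample message; addresses and signature values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=constructed;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Joe <joe@yahoo.com>\n"
    "To: sue@myserver.com\n"
    "Subject: hello\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    msg, rewritten, dkim_broken = rewrite_offsite_forward(SAMPLE, "sue@example.net")
    print(rewritten, dkim_broken, msg["From"], msg["Reply-To"], sep="\n")
```

When `dkim_broken` is true the original signature no longer verifies, so the forwarding server has to sign the rewritten message with its own key before handing it to the relay.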