[exim] Re: Handle sender on forwarding

Top Page
Delete this message
Reply to this message
Author: Chris Siebenmann
Date:  
To: Mihamina RKTMB
CC: exim-users, Chris Siebenmann
Subject: [exim] Re: Handle sender on forwarding
> I have an Exim installation where I just setup aliases.
[...]
> In other words, if I send a message to mihamina@???, it gets
> forwarded to rakotomandimby@???.
> When I test, the sender is mihamina@??? and the receiver is
> mihamina@???.
> The message is effectively forwarded to rakotomandimby@???, but
> the "From:" header is kept to mihamina@???.
>
> The problem:
> GMail rejects the message because my Exim server sends a message with a
> "From:" set to mihamina@??? but atscom.io's SPF does not allow
> this server to send such messages.
> I have no authority on senders domains SPF (that's fair).


Welcome to modern mail forwarding hell, where there are no good answers.
Today, GMail appears to require that incoming email messages either have
a valid DKIM signature for the From: domain or that the envelope sender
passes SPF checks (for the sending IP). I don't know if they're
requiring that the From: domain pass SPF checks, but maybe they will
someday. This is irregardless of any DMARC settings that the domain in
question may or may not have (which may make the situation worse,
depending on what they are; it's possible to set your DMARC so that you
forbid forwarding entirely[*]).

(In theory you are not supposed to require that the From: domain have a
DKIM signature if the domain doesn't have DMARC set, or has a permissive
DMARC. GMail doesn't care and does it anyways, because GMail is GMail.)

Normal Exim mail forwarding doesn't change the envelope sender (Exim's
errors_to and/or return_path), but it also doesn't invalidate any
existing DKIM signatures. In our experience, email forwarded by Exim in
this way will be accepted by GMail if it already has a valid DKIM
signature for the From: domain, even though the SPF check doesn't pass.
If the mail being forwarded doesn't have a valid DKIM signature that is
valid for its From: domain, we can currently get GMail to accept it by
changing the envelope sender to something in our domain (which will pass
SPF checks). In our environment, all forwarding has a natural 'owner'
(such as the account with a .forward), so we can set the envelope sender
to that owner if it's necessary to do so.

Actually implementing this in Exim is somewhat complex. We do it by
conditionally setting return_path in our SMTP transports, based on
information about DKIM validation status recorded in a message ACL
variable by a SMTP DKIM ACL and a router variable for the forwarding
owner that is set (and possibly cleared) by relevant forwarding-handling
routers (we have more than one for reasons; our Exim configuration is
complicated).

Some places that do forwarding always change the envelope sender to the
owner of the forwarding (Office365 appears to mostly do this, at least
as my university's O365 hosting is set up). This would be simpler to
implement, although you'd have to identify an owner for all forwarding.
Since O365 does it, it's very likely that places will accept it;
routinely rejecting email from O365 is on the order of as bad as
routinely rejecting email from GMail.

    - cks
[*: If a domain configures their DMARC settings to require strict
    alignment and then doesn't DKIM sign their messages, only SPF
    can make things pass, which means you can't forward their messages
    (well, not without rewriting the From: to something you can add a
    DKIM signature for).
]


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/