Rewrite the To: header?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Rewrite the To: header?

Jack Bates
Is there a feature I can use to rewrite the To: header, of "virtual
alias domain" mail, with the result of the following lookup, *after*
smtpd_milters are applied?

SELECT '[hidden email]' FROM my_table WHERE sender = '%s'

Or do I need to use a milter of my own for this?

recipient_canonical_maps and recipient_canonical_classes seem pretty
close! I can exclude the From: header and the envelope_recipient from
being rewritten, but they're applied *before* smtpd_milters. And I
haven't thought carefully about how to limit them to virtual alias
domain mail.

My specific situation is that I'm using the OpenDKIM milter to verify
mail, so that needs to happen before I rewrite the To: header.
Reply | Threaded
Open this post in threaded view
|

Re: Rewrite the To: header?

Dominic Raferd
On 19 November 2017 at 16:36, Jack Bates <[hidden email]> wrote:

>
> Is there a feature I can use to rewrite the To: header, of "virtual alias domain" mail, with the result of the following lookup, *after* smtpd_milters are applied?
>
> SELECT '[hidden email]' FROM my_table WHERE sender = '%s'
>
> Or do I need to use a milter of my own for this?
>
> recipient_canonical_maps and recipient_canonical_classes seem pretty close! I can exclude the From: header and the envelope_recipient from being rewritten, but they're applied *before* smtpd_milters. And I haven't thought carefully about how to limit them to virtual alias domain mail.
>
> My specific situation is that I'm using the OpenDKIM milter to verify mail, so that needs to happen before I rewrite the To: header.


Just checking that you really want/need to rewrite the To: header and
not just the actual recipient? virtual_alias_(domains|maps) can do the
latter. Otherwise, maybe smtp_generic_maps.
Reply | Threaded
Open this post in threaded view
|

Re: Rewrite the To: header?

Bill Cole-3
In reply to this post by Jack Bates
On 19 Nov 2017, at 11:36 (-0500), Jack Bates wrote:

> Is there a feature I can use to rewrite the To: header, of "virtual
> alias domain" mail, with the result of the following lookup, *after*
> smtpd_milters are applied?
>
> SELECT '[hidden email]' FROM my_table WHERE sender = '%s'

Do you actually have a field named '[hidden email]' in my_table? That
is an unusual choice....

> Or do I need to use a milter of my own for this?

Simpler to do with a content filter, unless you already have a highly
flexible milter (e.g. MIMEDefang) already in place that can be made to
mangle messages. See the FILTER_README file for details.

> recipient_canonical_maps and recipient_canonical_classes seem pretty
> close! I can exclude the From: header and the envelope_recipient from
> being rewritten, but they're applied *before* smtpd_milters. And I
> haven't thought carefully about how to limit them to virtual alias
> domain mail.
>
> My specific situation is that I'm using the OpenDKIM milter to verify
> mail, so that needs to happen before I rewrite the To: header.

OK, but this leaves an obvious unanswered question: WHY?
Modifying the To header invalidates any DKIM signature so that if the
end recipient tries to verify it, the message will appear to be a fake
or tampered-with (which it is.) If something downstream is dependent on
the To header (instead of the envelope recipient or a header derived
from it) that should be corrected, rather than invalidating the
signature on the message.





--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Reply | Threaded
Open this post in threaded view
|

Re: Rewrite the To: header?

Viktor Dukhovni
In reply to this post by Jack Bates


> On Nov 19, 2017, at 11:36 AM, Jack Bates <[hidden email]> wrote:
>
> Is there a feature I can use to rewrite the To: header, of "virtual alias domain" mail, with the result of the following lookup, *after* smtpd_milters are applied?
>
> SELECT '[hidden email]' FROM my_table WHERE sender = '%s'
>
> Or do I need to use a milter of my own for this?

Header rewriting in cleanup(8) happens before headers are passed to milters.
The header address rewriting mechanism that happens after milters is done
in smtp(8) via smtp_generic_maps.  So if the mail in question will be
forwarded-on via SMTP, you can configure your rewriting logic via
smtp_generic_maps, but keep in mind that with smtp_generic_maps:

  * You can't make the rewriting of recipient addresses depend on the
    sender.  The only input to each lookup is the address that may be
    replaced.

  * All addresses are rewritten, envelope and header, sender and recipient,
    not just header recipient addresses.

Your example of:

    SELECT '[hidden email]' FROM my_table WHERE sender = '%s'

will rewrite any address listed in the table to <[hidden email]>
whether it is a sender or recipient address, a header address or
an envelope address.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: Rewrite the To: header?

Jack Bates
In reply to this post by Bill Cole-3
On 19/11/17 12:20 PM, Bill Cole wrote:

> On 19 Nov 2017, at 11:36 (-0500), Jack Bates wrote:
>> Is there a feature I can use to rewrite the To: header, of "virtual
>> alias domain" mail, with the result of the following lookup, *after*
>> smtpd_milters are applied?
>>
>> SELECT '[hidden email]' FROM my_table WHERE sender = '%s'
>
> Do you actually have a field named '[hidden email]' in my_table? That
> is an unusual choice....
>
>> Or do I need to use a milter of my own for this?
>
> Simpler to do with a content filter, unless you already have a highly
> flexible milter (e.g. MIMEDefang) already in place that can be made to
> mangle messages. See the FILTER_README file for details.

Yes, an after-queue content filter would also work.

>> recipient_canonical_maps and recipient_canonical_classes seem pretty
>> close! I can exclude the From: header and the envelope_recipient from
>> being rewritten, but they're applied *before* smtpd_milters. And I
>> haven't thought carefully about how to limit them to virtual alias
>> domain mail.
>>
>> My specific situation is that I'm using the OpenDKIM milter to verify
>> mail, so that needs to happen before I rewrite the To: header.
>
> OK, but this leaves an obvious unanswered question: WHY?
> Modifying the To header invalidates any DKIM signature so that if the
> end recipient tries to verify it, the message will appear to be a fake
> or tampered-with (which it is.) If something downstream is dependent on
> the To header (instead of the envelope recipient or a header derived
> from it) that should be corrected, rather than invalidating the
> signature on the message.

Yes, breaking the signature certainly is a drawback. (I have to trust
the Authentication-Results: header that OpenDKIM adds instead.)

I want to rewrite the To: header to fix the reply all feature in my
MUA(s). I think it's common that MUAs let you configure one email
address (per account). When you hit reply all, they collect all the
recipients (To:, Cc:, etc.) minus your email address. The result is that
I'm constantly removing manually one of my email addresses from the
reply (if it's not the one configured in my MUA). The way to fix this
for all MUAs is to rewrite the To: (Cc:, etc.) header to a single email
address (hence SELECT '[hidden email]' ...).

I guess the other way would be to remove my email addresses from the To:
(Cc:, etc.) header (and envelope recipient) of *outgoing* mail ... That
wouldn't break the signature (I'd do it before signing) but would still
require a milter/content filter, I think?
Reply | Threaded
Open this post in threaded view
|

Re: Rewrite the To: header?

Jack Bates
In reply to this post by Viktor Dukhovni
On 19/11/17 05:04 PM, Viktor Dukhovni wrote:

>> On Nov 19, 2017, at 11:36 AM, Jack Bates <[hidden email]> wrote:
>> Is there a feature I can use to rewrite the To: header, of "virtual alias domain" mail, with the result of the following lookup, *after* smtpd_milters are applied?
>>
>> SELECT '[hidden email]' FROM my_table WHERE sender = '%s'
>>
>> Or do I need to use a milter of my own for this?
>
> Header rewriting in cleanup(8) happens before headers are passed to milters.
> The header address rewriting mechanism that happens after milters is done
> in smtp(8) via smtp_generic_maps.  So if the mail in question will be
> forwarded-on via SMTP, you can configure your rewriting logic via
> smtp_generic_maps, but keep in mind that with smtp_generic_maps:
>
>    * You can't make the rewriting of recipient addresses depend on the
>      sender.  The only input to each lookup is the address that may be
>      replaced.
>
>    * All addresses are rewritten, envelope and header, sender and recipient,
>      not just header recipient addresses.
>
> Your example of:
>
>      SELECT '[hidden email]' FROM my_table WHERE sender = '%s'
>
> will rewrite any address listed in the table to <[hidden email]>
> whether it is a sender or recipient address, a header address or
> an envelope address.

My virtual alias domain mail isn't forwarded on via SMTP (it's delivered
to a Maildir). Thank you nonetheless for your suggestion and
explanation! I'm now confident that I'll need to use a milter.