Sender restriction to reject message with multiple from addresses


Sender restriction to reject message with multiple from addresses

Pau Peris
Hi,

is there a sender restriction to reject a message with multiple from
addresses? Which would be?

Thanks,

--
Pau

This e-mail contains confidential information addressed exclusively
to the recipient(s) copied on it. Likewise, its disclosure, copying
or distribution to third parties without prior written authorization
from Pau Peris Rodriguez is prohibited. If you have received this
information in error, please report this circumstance immediately
via the sender's e-mail address.

Re: Sender restriction to reject message with multiple from addresses

Noel Jones-2

On 10/6/2020 6:52 PM, Pau Peris wrote:
> Hi,
>
> is there a sender restriction to reject a message with multiple from
> addresses? Which would be?
>
> Thanks,
>



If you're seeing multiple addresses in a single From: header you may
be able to carefully craft a header_checks to detect them, but
detecting multiple From: headers (more than one From: header)
requires a milter or content_filter.


   -- Noel Jones

Re: Sender restriction to reject message with multiple from addresses

Pau Peris
I'm hosting my dad's webpage which has a contact form (which should be
improved to avoid spam and/or bots) and from time to time someone
types multiple email addresses in the from field of the form so
contact emails with multiple from addresses like "from:
[hidden email], [hidden email]" are generated. I thought that those
kind of messages should get rejected and thought that maybe there was
a builtin restriction for this use case.

--
Pau Peris Rodriguez
Chief Executive Officer (CEO)
Tel: 669650292
C/Balmes 211, Principal Segunda
Barcelona 08006
http://www.webeloping.es


Re: Sender restriction to reject message with multiple from addresses

Viktor Dukhovni
On Wed, Oct 07, 2020 at 12:27:09AM +0000, Pau Peris wrote:

> I'm hosting my dad's webpage which has a contact form (which should be
> improved to avoid spam and/or bots) and from time to time someone
> types multiple email addresses in the from field of the form so
> contact emails with multiple from addresses like "from:
> [hidden email], [hidden email]" are generated. I thought that those
> kind of messages should get rejected and thought that maybe there was
> a builtin restriction for this use case.

You may of course choose to try to block such messages, but in terms of
general syntax, they are valid email messages:

    https://tools.ietf.org/html/rfc5322#section-3.6.2

The only constraint is that a message with multiple authors (multiple
"From" mailboxes), is required to have a "Sender" header which indicates
who is to blame for actually sending the message.  The requirement is
unlikely to be enforced by most MUAs.  I don't know what DMARC makes of
multi-author messages (but since I don't use, recommend or think much of
DMARC, I have much reason to care about that).

RFC5322.From syntax is rather non-trivial, and trying to parse it with
regular expressions is not a terribly good idea.  While most addresses
are simple, and you might not ever see the exceptions, I do not
recommend ad-hoc half-right parsers for the mailbox syntax.

Therefore, the right solution would be in a content filter or milter,
coupled with a solid email address (list) parsing library.

--
    Viktor.
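
The library-based check recommended above, as an added example that is not part of the original post: Python's standard `email` package counts From: header fields and From: mailboxes and applies the RFC 5322 section 3.6.2 Sender requirement. The name `from_verdict`, the `allow_multi_author` switch and the sample messages are constructed for illustration; hooking the function into a milter or content_filter is left out.

```python
from email import policy
from email.parser import BytesParser


def from_verdict(raw_message: bytes, allow_multi_author: bool = False):
    """Return (action, reason); action is "accept" or "reject".

    Hypothetical helper for a content filter or milter: the caller passes
    the raw message and maps the result onto its own reject mechanism.
    """
    # policy.default selects the structured RFC 5322 header parser, so
    # quoted strings, comments and groups are handled by the library.
    msg = BytesParser(policy=policy.default).parsebytes(
        raw_message, headersonly=True)

    # More than one From: header field cannot be seen by header_checks,
    # which looks at one header at a time; here the whole header block is
    # available.
    from_fields = msg.get_all("From", [])
    if len(from_fields) != 1:
        return ("reject",
                "%d From: header fields, expected 1" % len(from_fields))

    # Mailboxes inside the single From: field (groups are flattened).
    mailboxes = [a.addr_spec for a in from_fields[0].addresses]
    if not mailboxes:
        return ("reject", "no mailbox in From:")
    if len(mailboxes) == 1:
        return ("accept", "single author " + mailboxes[0])

    # Several authors: valid syntax, so rejecting is a local policy choice.
    if not allow_multi_author:
        return ("reject", "%d mailboxes in From:" % len(mailboxes))

    # RFC 5322 3.6.2: a multi-author message needs exactly one Sender.
    senders = msg.get_all("Sender", [])
    if len(senders) != 1 or len(senders[0].addresses) != 1:
        return ("reject", "multiple authors without a single Sender:")
    return ("accept",
            "multiple authors, Sender " + senders[0].addresses[0].addr_spec)


def _msg(*header_lines):
    """Build a constructed sample message from header lines."""
    return ("\r\n".join(header_lines) + "\r\n\r\nbody\r\n").encode("ascii")


# Constructed sample messages (example.org / example.net are placeholders).
SAMPLES = {
    "single": _msg("From: Alice <alice@example.org>", "Subject: hi"),
    # One mailbox whose display name contains a comma: splitting on ","
    # would count two addresses here.
    "quoted_comma": _msg('From: "Doe, Jane" <jane@example.org>'),
    "two_mailboxes": _msg("From: alice@example.org, bob@example.net"),
    "two_fields": _msg("From: alice@example.org", "From: bob@example.net"),
    "two_with_sender": _msg("From: alice@example.org, bob@example.net",
                            "Sender: Alice <alice@example.org>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, from_verdict(raw), from_verdict(raw, True))
```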

Re: Sender restriction to reject message with multiple from addresses

Pau Peris
Hi Viktor,

thanks a lot for your opinion.

Could you explain to me which would be the benefits of implementing
such behaviour on a filter or milter instead of doing it on
header_checks?

Also, do you know in which cases would be useful to allow or make use
of multiple From addresses? Just in case I'm missing something.

Thanks in advance,


--
Pau


Re: Sender restriction to reject message with multiple from addresses

Viktor Dukhovni
On Wed, Oct 07, 2020 at 10:35:39PM +0000, Pau Peris wrote:

> Could you explain to me which would be the benefits of implementing
> such behaviour on a filter or milter instead of doing it on
> header_checks?

As I wrote upthread, and you quoted in your message:

> > RFC5322.From syntax is rather non-trivial, and trying to parse it with
> > regular expressions is not a terribly good idea.  While most addresses
> > are simple, and you might not ever see the exceptions, I do not
> > recommend ad-hoc half-right parsers for the mailbox syntax.

It is non-trivial to craft robust regular expressions for RFC*22 mailbox
syntax, not quite as bad as:

    https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454

but naïve attempts are likely to fall short of the full grammar.  It
might be simpler to arrange for multi-recipient messages to the
purported author of the message to be dropped, by passing mail
submission from the Web form through an SMTP service that rejects
all multi-recipient mail (and making sure that the envelope is
not split before that happens).

On the other hand, for a web contact form, if you want to only permit
a single

    localpart@domain

format, rather than any of the more general

    phrase <mailbox>
    "quoted-text" <mailbox>
    mailbox (comment)
    ...

variants, then a regular expression becomes somewhat simpler, until
you also need to handle EAI (non-ASCII localpart and/or domain), e.g.

    виктор1spam@духовный.org

the possible forms are then:

    - dot-atom@domain
    - quoted-string@domain

Where the first variant is matched by:

    # PCRE: ASCII dot-atom @ domain
    # (any number of dot-separated atoms; "$" so nothing may follow the domain)
    /^ (?: [^][()<>:;@\\,."\x00-\x20\x7f-\xff]+ \.)* [^][()<>:;@\\,."\x00-\x20\x7f-\xff]+ @ (?: [a-z\d]+ (-+[a-z\d]+)* \.)+ [a-z\d]+ (-+[a-z\d]+)* $/x  DUNNO

    # PCRE: quoted-string sans NUL @ domain
    /^ " ( [^\\"\x00]+ | \\[^\x00] )+ " @ (?: [a-z\d]+ (-+[a-z\d]+)* \.)+ [a-z\d]+ (-+[a-z\d]+)* $/x  DUNNO

    # Not a valid address
    /^/     whatever action is appropriate

You may want to replace /^/ with /^From:\s*/ if this is header checks.

Postfix does not currently support matching unicode with PCRE, so
validating EAI addresses with pcre_table(5) may not yet be possible.

--
    Viktor.

Re: Sender restriction to reject message with multiple from addresses

Tom Hendrikx
On 07-10-2020 02:27, Pau Peris wrote:
> I'm hosting my dad's webpage which has a contact form (which should be
> improved to avoid spam and/or bots) and from time to time someone
> types multiple email addresses in the from field of the form so
> contact emails with multiple from addresses like "from:
> [hidden email], [hidden email]" are generated. I thought that those
> kind of messages should get rejected and thought that maybe there was
> a builtin restriction for this use case.
>
Your basic setup is lacking, and causing you problems. The website
should not send the emails using the email addresses of the person
submitting data on your website in the From: header.

If the email address has DKIM/SPF/DMARC policies attached, actual
delivery of the message is likely harder, because f.i. the webserver is
not listed in the SPF policy of the sender domain. Essentially, the
email your website is sending, is spoofing the From: header. This might
not be too obvious when all email sent from the website ends up in your
mailbox (being the website administrator), but when you try to deliver
to 3rd parties, you'll find this out very quickly.

Conceptually, you could even say that the person entering data in the
form did not send an email: he/she entered data into a form on a
website, and the website sent the email. Hence, the From: header should
contain [hidden email].

Back to your problem: the website controls the From: header so no
multiple email addresses in there. You could configure the website to
put the email address of the person entering data in the form in the
Reply-To: header.

Kind regards,

     Tom
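
The form-side arrangement described above, as an added example that is not part of the original post: the site's own address goes in From:, and the visitor's address is accepted only if it parses as exactly one localpart@domain and is then placed in Reply-To:. The addresses under example.org and the function names are assumptions made for illustration.

```python
from email import errors
from email.headerregistry import Address
from email.message import EmailMessage

# Assumed site addresses (placeholders, not from the thread).
SITE_FROM = Address("Website contact form", "webform", "example.org")
SITE_OWNER = Address("Site owner", "owner", "example.org")


def parse_single_address(field: str) -> Address:
    """Return the form field as one Address or raise ValueError.

    Only the bare localpart@domain form is accepted; display names,
    comments and address lists are refused so the visitor can be asked
    to correct the input straight away.
    """
    value = field.strip()
    if not value:
        raise ValueError("e-mail field is empty")
    # A form field must never span header lines.
    if "\r" in value or "\n" in value:
        raise ValueError("line break in e-mail field")
    try:
        # Address(addr_spec=...) uses the library's RFC 5322 parser and
        # raises if anything is left over after one addr-spec, which is
        # what happens for "a@example.org, b@example.net".
        addr = Address(addr_spec=value)
    except (ValueError, errors.MessageError) as exc:
        raise ValueError(
            "not a single localpart@domain address: %r" % value) from exc
    if not addr.username or not addr.domain:
        raise ValueError("incomplete address: %r" % value)
    return addr


def build_contact_mail(visitor_email: str, visitor_name: str,
                       text: str) -> EmailMessage:
    """Build the notification the website sends to the site owner."""
    reply_to = parse_single_address(visitor_email)

    msg = EmailMessage()
    msg["From"] = SITE_FROM        # the website is the sender
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = reply_to     # replies go to the visitor
    msg["Subject"] = "Contact form message"
    # Everything the visitor typed is data in the body, not a header.
    msg.set_content(
        "Name: %s\nE-mail: %s\n\n%s\n"
        % (visitor_name, reply_to.addr_spec, text))
    return msg


if __name__ == "__main__":
    # Constructed sample submission.
    print(build_contact_mail("visitor@example.net", "A. Visitor", "Hello"))
    for bad in ("a@example.org, b@example.net", "no-at-sign"):
        try:
            build_contact_mail(bad, "A. Visitor", "Hello")
        except ValueError as exc:
            print("refused:", exc)
```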


Re: Sender restriction to reject message with multiple from addresses

Pau Peris
Thanks a lot for your comments, opinion and help! :)

As Tom said, before posting this question here, I already noticed the
logic behaviour handling the contact form was wrong because emails
should never be sent on behalf of someone else. When I developed that
website, it's my dad's website, I did it like a spare time favour and
so mistakes were made.

Before posting here, I already fixed the form contact handling so
emails, now, are sent using legitimate From addresses but I already
wanted to work on the multiple From addresses handling. Running some
tests, I noticed Gmail rejects those kind of messages even though they comply
with the RFC. That's why I wondered which would be use cases for using
multiple From addresses.

Even, the form contact is now fixed (I'm even finishing to integrate
invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm
still curious on how to improve my Postfix setup.

So I'm wondering, in case anyone could help:
* I've found some regexp to validate email addresses strings, and I
wonder if would it be ok to run this test on header_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From addresses,
could I generate a custom bouncing email message? If so, how should I
proceed?
* Which would be the real use case(s) where would be useful to use
multiple From addresses?

Thanks a lot for your time and help,

--
Pau


Re: Sender restriction to reject message with multiple from addresses

Ron Wheeler
You need to fix your contact form.
There is no such thing as multiple from addresses.
As Tom said, your contact form is not creating an email. It is collecting information that it processes to produce some intelligent response or that it
sends to you (or an automated proxy) requesting that you (or your proxy) respond to a person (or a list of people).

That information that the user supplies should not be in the headers at all in any message that you get. It is just data.
As Tom pointed out, the email to you or to the address entered on the form should be from your website not from e-mail addresses provided by the users.

In your processing of the data, you could throw away data with multiple addresses.

I am not sure why you would want a bounce in the case that users enter invalid (multiple) addresses.
Your contact form should validate the email address field to ensure that only one email address is provided and tell the user immediately to fix their input.

I am not sure why you would care about other e-mail arriving at postfix with multiple from addresses.
Does it ever happen from anyone else?

Ron

-- 
Ron Wheeler
Artifact Software
438-345-3369
[hidden email]

Re: Sender restriction to reject message with multiple from addresses

Bill Cole-3
On 9 Oct 2020, at 8:09, Ron Wheeler wrote:

> That information that the user supplies should not be in the headers
> at all in any message that you get. It is just data.
> As Tom pointed out, the email to you or to the address entered on the
> form should be from your website not from e-mail addresses provided by
> the users.

This is an important point.

A web form feeding a script that turns arbitrary input into bogus email
is a 1990s problem. The right solution is not to make your MTA reject
that mail, it should be to replace the mis-designed form and script.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Sender restriction to reject message with multiple from addresses

Pau Peris
Thanks a lot Ron,

I probably didn't explain myself well.

The contact form was fixed before posting this topic here, but I'm
currently managing a personal server where I host family websites
among many other services and also a Postfix setup where I handle
about 8 different domains. As you said, I collect data through a
contact form and then send an email to my dad so he can give an answer
if he feels so. Obviously, the From headers are not an issue now but I
also would like to work on this use case.

I hope now it's clear how the form manages the data.

On the other hand, if someone knows how to help, I'm still interested
on the following matter:
* I've found some regexp to validate email addresses strings, and I
wonder if would it be ok to run this test on header_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From
addresses, could I generate a custom bouncing email message? If so, how
should I proceed?
* Which would be the real use case(s) where it would be useful to use
multiple From addresses?

Thanks a lot for your time and help,

--
Pau

Re: Sender restriction to reject message with multiple from addresses

Ron Wheeler
I am also the family genealogist and just moved to Gramps from FTM.

I am not sure what "multiple from addresses" actually means. It is not possible for an email to come from more than one email address at a time in reality.
Of course, as you already know, the sending e-mail system can put whatever it wants in the headers (otherwise spam and phishing wouldn't work).

Multiple reply-to addresses might make some sense if the sender wanted any reply to be sent to 2  or more email addresses rather than one.
I doubt if many e-mail clients would respect this instruction. Likely would pick one for a Reply and ignore the second.

The only possible use case for multiple "from address" would be if the e-mail SMTP server batched up a bunch of e-mails from various clients and looked through all of the emails to be sent and detected that 2 identical e-mails were being sent to the same address from 2 people. Not a good idea since sometimes timestamps are important for legal reasons and they would be different.
Never going to happen!
E-mail servers are generally stateless and process each e-mail as a separate request that is to be processed as received not lumped in with any other.

If I got an e-mail with multiple "From addresses" and I cared to check, I would just drop it.
No point sending a bounce to a spammer or someone with a poorly written e-mail client.

My 2 cents.

Ron


 


On 2020-10-09 1:20 p.m., Pau Peris wrote:
Thanks a lot Ron,

I probably didn't explain myself well.

The contact form was fixed before posting this topic here, but I'm
currently managing a personal server where I host family websites
among many other services and also a Postfix setup where I handle
about 8 different domains. As you said, I collect data through a
contact form and then send an email to my dad so he can give an answer
if he feels so. Obviously, the From headers are not an issue now but I
also would like to work on this use case.

I hope now it's clear how the form manages the data.

On the other hand, if someone knows how to help, I'm still interested
on the following matter:
* I've found some regexp to validate email addresses strings, and I
wonder if would it be ok to run this test on heaer_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From
addresses,could I generate a custom bouncing email message? If so, how
should I proceed?
* Which would be the real use case(s) where it would be useful to use
multiple From addresses?

Thanks a lot for your time and help,

On Fri, Oct 9, 2020 at 2:10 PM Ron Wheeler
[hidden email] wrote:
You need to fix your contact form.
There is no such thing as multiple from addresses.
As Tom said, your contact form is not creating an email. It is collecting information that it processes to produce some intelligent response or that it
sends to you (or an automated proxy) requesting that you (or your proxy) respond to a person (or a list of people).

That information that the user supplies should not be in the headers at all in any message that you get. It is just data.
As Tom pointed out, the email to you or to the address entered on the form should be from your website not from e-mail addresses provided by the users.

In your processing of the data, you could throw away data with multiple addresses.

I am not sure why you would want a bounce in the case that users enter invalid (multiple) addresses.
You contact form should validate the email address field to ensure that only one email address is provided and tell the user immediately to fix their input.

I am not sure why you would care about other e-mail arriving at postfix with multiple from addresses.
Does it ever happen from anyone else?

Ron

On 2020-10-09 4:59 a.m., Pau Peris wrote:

Thanks a lot for you comments, opinion and help! :)

As Tom said, before posting this question here, I already noticed the
logic behaviour handling the contact form was wrong because emails
should never be sent on behalf of someone else. When I developed that
website, it's my dad's website, I did it like a spare time favour and
so mistakes were made.

Before posting here, I already fixed the form contact handling so
emails, now, are sent using legitimate From addresses but I already
wanted to work on the multiple From addresses handling. Running some
tests, I noticed Gmail rejects those kinds of messages even though they comply
with the RFC. That's why I wondered which would be use cases for using
multiple From addresses.

Even though the form contact is now fixed (I'm even finishing to integrate
invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm
still curious on how to improve my Postfix setup.

So I'm wondering, in case anyone could help:
* I've found some regexp to validate email address strings, and I
wonder if it would be OK to run this test in header_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From addresses,
could I generate a custom bouncing email message? If so, how should I
proceed?
* Which would be the real use case(s) where it would be useful to use
multiple From addresses?

Thanks a lot for your time and help,

On Thu, Oct 8, 2020 at 9:37 AM Tom Hendrikx [hidden email] wrote:

On 07-10-2020 02:27, Pau Peris wrote:

I'm hosting my dad's webpage which has a contact form (which should be
improved to avoid spam and/or bots) and from time to time someone
types multiple email addresses in the from field of the form so
contact emails with multiple from addresses like "from:
[hidden email], [hidden email]" are generated. I thought that those
kind of messages should get rejected and thought that maybe there was
a builtin restriction for this use case.

Your basic setup is lacking, and causing you problems. The website
should not send the emails using the email addresses of the person
submitting data on your website in the From: header.

If the email address has DKIM/SPF/DMARC policies attached, actual
delivery of the message is likely harder, because f.i. the webserver is
not listed in the SPF policy of the sender domain. Essentially, the
email your website is sending, is spoofing the From: header. This might
not be too obvious when all email sent from the website ends up in your
mailbox (being the website administrator), but when you try to deliver
to 3rd parties, you'll find this out very quickly.

Conceptually, you could even say that the person entering data in the
form did not send an email: he/she entered data into a form on a
website, and the website sent the email. Hence, the From: header should
contain [hidden email].

Back to your problem: the website controls the From: header so no
multiple email addresses in there. You could configure the website to
put the email address of the person entering data in the form in the
Reply-To: header.

Kind regards,

     Tom



--
Ron Wheeler
Artifact Software
438-345-3369
[hidden email]




Re: Sender restriction to reject message with multiple from addresses

Wietse Venema
Ron Wheeler:
> I am also the family genealogist and just moved to Gramps from FTM.
>
> I am not sure what "multiple from addresses" actually means. It is not
> possible for an email to come from more than one email address at a time
> in reality.

Multiple addresses in one From: header are allowed by the RFC 5322 spec.
Multiple From: headers in a message are not OK.

Syntax from https://tools.ietf.org/html/rfc5322#section-3.6.2

   from            =   "From:" mailbox-list CRLF
   sender          =   "Sender:" mailbox CRLF
   reply-to        =   "Reply-To:" address-list CRLF

https://tools.ietf.org/html/rfc5322#section-3.4 defines
mailbox-list, mailbox, and address-list.

And a table in https://tools.ietf.org/html/rfc5322#section-3.6
defines the minimum and maximum number of times that a message
header field is allowed in an email message.

        Wietse

Re: Sender restriction to reject message with multiple from addresses

Demi M. Obenour
On 10/9/20 8:45 PM, Wietse Venema wrote:
> Ron Wheeler:
>> I am also the family genealogist and just moved to Gramps from FTM.
>>
>> I am not sure what "multiple from addresses" actually means. It is not
>> possible for an email to come from more than one email address at a time
>> in reality.
>
> Multiple addresses in one From: header are allowed by the RFC 5322 spec.
> Multiple From: headers in a message are not OK.

What are the semantics of a From: header with multiple addresses?

Demi


Re: Sender restriction to reject message with multiple from addresses

Viktor Dukhovni
On Fri, Oct 09, 2020 at 09:28:58PM -0400, Demi M. Obenour wrote:

> > Multiple addresses in one From: header are allowed by the RFC 5322 spec.
> > Multiple From: headers in a message are not OK.
>
> What are the semantics of a From: header with multiple addresses?

The message purports to be the work of multiple authors.  Such a message
is required to have a "Sender" header, but in most cases that constraint
is unlikely to be enforced.

--
    Viktor.
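
The distinction drawn in the posts above (several mailboxes in one From: field, several From: fields, and the Sender requirement for multi-author mail), as an added example that is not part of the original thread. It uses Python's standard `email` package; the function name, result labels and sample messages are constructed for illustration, and all addresses are placeholders.

```python
from email import message_from_bytes, policy
from email.utils import getaddresses


def classify_from(raw: bytes) -> str:
    """Classify the author headers of one raw RFC 5322 message."""
    # compat32 keeps duplicate header fields exactly as received.
    msg = message_from_bytes(raw, policy=policy.compat32)
    from_fields = [str(v) for v in msg.get_all("From", [])]
    if not from_fields:
        return "no-from-field"
    if len(from_fields) > 1:
        # More than one From: field is never valid (RFC 5322 section 3.6).
        return "multiple-from-fields"
    # One From: field may carry a mailbox-list; count its mailboxes.
    mailboxes = [addr for _name, addr in getaddresses(from_fields) if addr]
    if not mailboxes:
        return "unparseable-from"
    if len(mailboxes) == 1:
        return "single-author"
    # Several authors: RFC 5322 section 3.6.2 requires a Sender: field.
    if len(msg.get_all("Sender", [])) == 1:
        return "multi-author-with-sender"
    return "multi-author-no-sender"


def make(*headers: str) -> bytes:
    """Build a constructed test message from header lines."""
    return ("\r\n".join(headers) + "\r\n\r\nbody\r\n").encode("ascii")


# Constructed samples; all addresses are placeholders.
SAMPLES = {
    "plain": make("From: Alice <alice@example.org>", "To: web@example.net"),
    # A comma inside a quoted display name is still one mailbox.
    "comma in name": make('From: "Doe, Jane" <jane@example.org>'),
    "two mailboxes": make("From: alice@example.org, bob@example.org"),
    "two mailboxes + sender": make(
        "From: alice@example.org, bob@example.org",
        "Sender: alice@example.org"),
    "two From fields": make("From: alice@example.org",
                            "From: bob@example.org"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24} -> {classify_from(raw)}")
```

The "comma in name" sample is the case a comma-matching pattern on the From: line would misclassify, and the "two From fields" sample is the case that needs whole-message inspection rather than a per-line header check.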

Re: Sender restriction to reject message with multiple from addresses

Demi M. Obenour
On 10/9/20 9:48 PM, Viktor Dukhovni wrote:
>> What are the semantics of a From: header with multiple addresses?
> The message purports to be the work of multiple authors.  Such a message
> is required to have a "Sender" header, but in most cases that constraint
> is unlikely to be enforced.

I love DKIM, but it should have been on the Sender header and not
the From header.  However, for that to work, MUAs would have had to
display something like "[hidden email] claims that this message
is from [hidden email] and [hidden email]", and they do not.
That led to the current design.

Demi


Re: Sender restriction to reject message with multiple from addresses

Viktor Dukhovni
On Fri, Oct 09, 2020 at 10:59:33PM -0400, Demi M. Obenour wrote:

> I love DKIM, but it should have been on the Sender header and not
> the From header.  However, for that to work, MUAs would have had to
> display something like "[hidden email] claims that this message
> is from [hidden email] and [hidden email]", and they do not.

Actually, Outlook does exactly that, and other MUAs would have come on
board if there was good cause to do that.  At this point however, nobody
is investing much money in MUA development.  All the $$$ are going into
walled-garden cloud webmail systems. :-(

> That led to the current design.

You're perhaps confusing DKIM with DMARC.  DKIM just signs the message
content and whatever headers it is configured to sign.  It is mere
integrity protection, not policy.  The signing domain is determined from
the selector and the "d" field in the DKIM header, and is not tied to
either From or Sender.

DKIM is fine.  The actual breakage is in DMARC.

--
    Viktor.

Re: Sender restriction to reject message with multiple from addresses

Demi M. Obenour
On 10/9/20 11:06 PM, Viktor Dukhovni wrote:

> On Fri, Oct 09, 2020 at 10:59:33PM -0400, Demi M. Obenour wrote:
>
>> I love DKIM, but it should have been on the Sender header and not
>> the From header.  However, for that to work, MUAs would have had to
>> display something like "[hidden email] claims that this message
>> is from [hidden email] and [hidden email]", and they do not.
>
> Actually, Outlook does exactly that, and other MUAs would have come on
> board if there was good cause to do that.  At this point however, nobody
> is investing much money in MUA development.  All the $$$ are going into
> walled-garden cloud webmail systems. :-(

Someone should probably file enhancement requests with other MUAs.
And at least NeoMutt and Thunderbird are actively developed.

>> That led to the current design.
>
> You're perhaps confusing DKIM with DMARC.  DKIM just signs the message
> content and whatever headers it is configured to sign.  It is mere
> integrity protection, not policy.  The signing domain is determined from
> the selector and the "d" field in the DKIM header, and is not tied to
> either From or Sender.
>
> DKIM is fine.  The actual breakage is in DMARC.

Sadly, it is too late to change DMARC.  Hopefully we can add a
new header that means what From once did.  Doing away with DMARC
isn't an option either, as it creates a massive security hole.

Demi


Re: Sender restriction to reject message with multiple from addresses

Viktor Dukhovni
On Fri, Oct 09, 2020 at 11:46:22PM -0400, Demi M. Obenour wrote:

> > Actually, Outlook does exactly that, and other MUAs would have come on
> > board if there was good cause to do that.  At this point however, nobody
> > is investing much money in MUA development.  All the $$$ are going into
> > walled-garden cloud webmail systems. :-(
>
> Someone should probably file enhancement requests with other MUAs.
> And at least NeoMutt and Thunderbird are actively developed.

By all means...

> > DKIM is fine.  The actual breakage is in DMARC.
>
> Sadly, it is too late to change DMARC.  Hopefully we can add a
> new header that means what From once did.  Doing away with DMARC
> isn't an option either, as it creates a massive security hole.

Indeed, but some of us don't feel obligated to use it.

--
    Viktor.

Re: Sender restriction to reject message with multiple from addresses

Richard Salts
On Saturday, 10 October 2020 1:59:33 PM AEDT Demi M. Obenour wrote:

> On 10/9/20 9:48 PM, Viktor Dukhovni wrote:
> >> What are the semantics of a From: header with multiple addresses?
> >
> > The message purports to be the work of multiple authors.  Such a message
> > is required to have a "Sender" header, but in most cases that constraint
> > is unlikely to be enforced.
>
> I love DKIM, but it should have been on the Sender header and not
> the From header.  However, for that to work, MUAs would have had to
> display something like "[hidden email] claims that this message
> is from [hidden email] and [hidden email]", and they do not.
> That led to the current design.

With multiple authors in the From field you could sign with DKIM headers which
align with each of the authors' sending domains and it would align for the
purposes of DMARC, however the RFCs for DMARC punt on this situation and leave
it up to the policy at the receiving MTA, which probably doesn't account for
it given the rarity of such messages in the wild.

>
> Demi