Mailing List Archive

rewrite envelope from when forward
Hi

When I forward an address to an @bluewin.ch address, they bring back an
error like this:

SMTP error from remote mail server after end of data:
554 5.2.0 sc971: SPF hard fail

I understood this is because the envelope from domain is not SPF proofed
to send them a message over my server.

I thought I would solve this by changing the envelope from address to the
address of the forwarding user. SRS lets me change addresses. But how can
I write the envelope to address to the envelope from address? I tried to
do that while processing out (transport) but then it says it's not
possible to change the envelope address at this stage.


Here is an example: Mike is sending a mail to a user of mine (Lisa), who
is forwarding her address to an external hoster (bluewin). Because Mike
is not allowed to send mails from my server, bluewin denies the mail.

mike@gmail.com --> lisa@mydomain.tld
lisa forwards her mails to lisa@bluewin.ch on my server
the mail is blocked by bluewin


I'm not professional in exim and mailing, but I think this should be
realised for everyone...?
Thanks for any help!
Johannes

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: rewrite envelope from when forward
On 06/09/2020 21:04, Johannes Vogel via Exim-users wrote:
> When I forward an address to an @bluewin.ch address, they bring back an
> error like this:
>
> SMTP error from remote mail server after end of data:
> 554 5.2.0 sc971: SPF hard fail

Yes, SPF breaks forwarding.

Option "return_path" on the transport:

http://exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_transports.html
--
Cheers,
Jeremy

Re: rewrite envelope from when forward
Hi

On 07.09.20 at 13:23, Jeremy Harris via Exim-users wrote:
> On 06/09/2020 21:04, Johannes Vogel via Exim-users wrote:
>> When I forward an address to an @bluewin.ch address, they bring back an
>> error like this:
>>
>> SMTP error from remote mail server after end of data:
>> 554 5.2.0 sc971: SPF hard fail
> Yes, SPF breaks forwarding.
>
> Option "return_path" on the transport:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_transports.html

Thank you for the hint! But I don't know what content I should assign.

In my example I'd like to set the to address of the forwarded mail.

original message: mike@gmail.com --> lisa@mydomain.tld
new envelope: lisa@mydomain.tld --> lisa@otherhoster.tld
new mail header: mike@gmail.com --> lisa@otherhoster.tld

Is the information of the original to address at this moment available?
Does this solve my problem with SPF?

Best regards,
Johannes

Re: rewrite envelope from when forward
Hi, Johannes -

Firstly, don't change the contents of the To or CC headers! The message
might have been digitally signed and authenticated using a technology such
as DKIM. This protects various key headers as well as the message body and
the attachments. If you change any of them you will break the signature and
cause further delivery problems.

Instead you just want to change the MAIL FROM (sender) address in the SMTP
envelope so it uses an email address within your own domain. The best way
of doing this is *not* to set it to one of your user's email addresses.
Instead use SRS (Sender Rewriting Scheme) to encode the original sender's
address into a specially formatted address that ends with "@" and your own
domain name. The site you forward the message onward to will then check the
MAIL FROM address against your SPF policy instead of that belonging to the
original sender.

SRS is good because if there's a problem delivering the message further on
it will come back to your mail service (because your domain is now in the
MAIL FROM of the envelope). You'll then be able to undo the SRS-rewritten
address to retrieve that of the original sender so you can relay the
delivery failure back to them.

Something to watch out for…

If the original sender's email domain is protected using DMARC then you
might still hit problems. This is because whilst SPF now passes, it'll
still fail DMARC's tighter SPF requirements — that the domain name in the
MAIL FROM address aligns with ("is similar to") that in the "From" header.

Hopefully the original sender's site won't just be relying on their SPF
record though, but also DKIM-signing their messages. So as long as you
don't break that signature (by altering the From/To/Cc headers!) things will
likely be OK and your relayed message will get through.

As for how to use the *return_path* — just assign the email address you
want to become the new MAIL FROM in the envelope to it. It's all described
in Exim's extensive documentation. :-)

Cheers,
Mike B-)


--
*My normal working days are Tuesdays, Wednesdays and Thursdays.*

Systems Administrator working in Teaching & Learning
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Email Disclaimer: www.york.ac.uk/about/legal-statements/email-disclaimer/

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
Re: rewrite envelope from when forward
On 06.09.20 22:04, Johannes Vogel via Exim-users wrote:
> When I forward an address to an @bluewin.ch address, they bring back an
> error like this:
> SMTP error from remote mail server after end of data:
> 554 5.2.0 sc971: SPF hard fail

Do forwarding in Dovecot's sieve and set sieve_redirect_envelope_from to
orig_recipient.

Re: rewrite envelope from when forward
Hi Mike, hi all others

Thank you very much for your (very long) help!

I added the following line to my transport macros:

REMOTE_SMTP_RETURN_PATH=$header_to:

This works for me perfectly. Maybe for others too.

All the best
Johannes

Re: rewrite envelope from when forward
On Wed, Sep 16, 2020 at 11:09:42PM +0200, Johannes Vogel via Exim-users wrote:
> I added the following line to my transport macros:
>
> REMOTE_SMTP_RETURN_PATH=$header_to:
>
> This works for me perfectly. Maybe for others too.

1. Generally $header_to: is not a pure address. However, it should
contain some address, which may be extracted with ${address:..}
function, but note that header To: may contain several addresses,
in this case ${address:..} function returns empty string.

2. Debian configuration uses REMOTE_SMTP_RETURN_PATH for "remote_smtp"
and "remote_smtp_smarthost" transports regardless of mail origin.
So in your configuration local mails are generally sent with
return path (env_from) equal to destination address. It leads at least
to delivery failures for destination domains with SPF enabled.

3. Content of To: header may be unrelated to destination envelope_to.
In particular, for mail lists, such as "exim-users". Consequently
with your configuration bounces on forwarding errors would try
to be sent to mail list.

So, this approach is inadequate. You had better implement
some kind of SRS, as Mike Brudenell proposed.
--
Eugene Berdnikov
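
The SRS rewriting recommended in the replies above, as an added example that is not part of the original thread and is not Exim's or libsrs2's code: it builds an `SRS0=hash=timestamp=domain=local@forwarder` envelope sender and reverses it when a bounce comes back, rejecting forged or stale addresses. The secret, the 10-day window, the function names, and the simplified tag and day encodings are assumptions, so the output is not interoperable with a real SRS implementation.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret, same on all MXs
FORWARDER = "mydomain.tld"           # forwarding domain used in the thread's example
MAX_AGE_DAYS = 10                    # assumption: how long bounces are accepted

def _day(now=None):
    """Day counter modulo 1024, so the timestamp stays short."""
    return int((time.time() if now is None else now) // 86400) % 1024

def _tag(day, domain, local):
    """Keyed hash binding timestamp and original sender to this forwarder."""
    msg = f"{day}={domain.lower()}={local}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(digest)[:6].decode().lower()

def srs_encode(sender, now=None):
    """Envelope sender (MAIL FROM) to use when forwarding mail from `sender`."""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError("sender is not local@domain")
    day = _day(now)
    return f"SRS0={_tag(day, domain, local)}={day}={domain}={local}@{FORWARDER}"

def srs_decode(rcpt, now=None):
    """Original sender for a bounce addressed to `rcpt`, or None if not valid."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)  # the original local part may contain '='
    if len(parts) != 4 or not parts[1].isdecimal():
        return None
    tag, day, orig_domain, orig_local = parts
    expected = _tag(int(day), orig_domain, orig_local)
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return None                  # forged or altered address
    if (_day(now) - int(day)) % 1024 > MAX_AGE_DAYS:
        return None                  # older than the bounce window (or in the future)
    return f"{orig_local}@{orig_domain}"
```

The keyed tag is what keeps the bounce address from becoming an open relay back to arbitrary senders: only addresses this server generated recently decode to anything.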
