
Mailing List Archive: SpamAssassin: users

Multiple X-Envelope-From and SPF

 

 



ram at netcore

May 8, 2008, 12:34 AM

Post #1 of 9
Multiple X-Envelope-From and SPF

At the MTA (postfix) I am inserting X-Envelope-From:
If the mail already had an X-Envelope-From before landing at my MTA then
there would be multiple lines of these.

Then SA refuses to do SPF for these messages, and I can see in my
debug logs


-------------
[18469] dbg: message: X-Envelope-From header found after 1 or more
Received lines, cannot trust envelope-from
[18469] dbg: spf: relayed through one or more trusted relays, cannot use
header-based Envelope-From, skipping
--------------

How do I avoid this situation?


Thanks
Ram


mouss at netoyen

May 8, 2008, 2:19 PM

Post #2 of 9
Re: Multiple X-Envelope-From and SPF

ram wrote:
> At the MTA( postfix) I am inserting X-Envelope-From:
> If The mail had already a X-Envelope-From before landing at my MTA then
> There would be multiple lines of these
>

configure postfix to replace previous ones
/^(X\-Envelope\-From:.*)/ REPLACE X-$1

I am assuming you are not adding them before header_checks.

> Then SA refuses to do SPF for these messages , and I can see in my
> debug logs
>
>
> -------------
> [18469] dbg: message: X-Envelope-From header found after 1 or more
> Received lines, cannot trust envelope-from
> [18469] dbg: spf: relayed through one or more trusted relays, cannot use
> header-based Envelope-From, skipping
> --------------
>
> How do I avoid this situation.
>
>
> Thanks
> Ram
>
>
>


me at junc

May 8, 2008, 4:44 PM

Post #3 of 9
Re: Multiple X-Envelope-From and SPF

On Thu, May 8, 2008 23:19, mouss wrote:

> configure postfix to replace previous ones
> /^(X\-Envelope\-From:.*)/ REPLACE X-$1

envelope from can here be forged

better for postfix is to add

envelope_sender_header Return-Path

in local.cf



Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


ram at netcore

May 8, 2008, 11:55 PM

Post #4 of 9
Re: Multiple X-Envelope-From and SPF

On Fri, 2008-05-09 at 01:44 +0200, Benny Pedersen wrote:
> On Thu, May 8, 2008 23:19, mouss wrote:
>
> > configure postfix to replace previous ones
> > /^(X\-Envelope\-From:.*)/ REPLACE X-$1
>
> envelope from can here be forged

Precisely what I am afraid of. But the issue is whatever header I use
for envelope-from, all of them can be trivially forged.
I am trying to replace all the X-Envelope headers before sending them to
scan servers.

Thanks
Ram


mouss at netoyen

May 9, 2008, 9:30 AM

Post #5 of 9
Re: Multiple X-Envelope-From and SPF

Benny Pedersen wrote:
> On Thu, May 8, 2008 23:19, mouss wrote:
>
>
>> configure postfix to replace previous ones
>> /^(X\-Envelope\-From:.*)/ REPLACE X-$1
>>
>
> envelope from can here be forged
>

the header check above will rewrite any such header received from the
internet. so forgery is not an issue. to be clear, the rule rewrites:

X-Envelope-From => X-X-Envelope-From

That said, I agree that Return-Path is a better choice.
> better for postfix is to add
>
> envelope_sender_header Return-Path
>
> in local.cf
>


mouss at netoyen

May 9, 2008, 9:34 AM

Post #6 of 9
Re: Multiple X-Envelope-From and SPF

ram wrote:
> On Fri, 2008-05-09 at 01:44 +0200, Benny Pedersen wrote:
>
>> On Thu, May 8, 2008 23:19, mouss wrote:
>>
>>
>>> configure postfix to replace previous ones
>>> /^(X\-Envelope\-From:.*)/ REPLACE X-$1
>>>
>> envelope from can here be forged
>>
>
> Precisely what I am afraid of. But the issue is whatever header I use
> for envelope-from all of them can be trivially forged
> I am trying replacing all the X-Envelope headers before sending them to
> scan servers
>


Return-Path is unique, so if your postfix generates one (if you use a
"pipe" transport, enable the flag to do so), it won't be a forged one.

also, Return-Path is not supposed to be seen in the "wire".


me at junc

May 9, 2008, 2:39 PM

Post #7 of 9
Re: Multiple X-Envelope-From and SPF

On Fri, May 9, 2008 08:55, ram wrote:

> Precisely what I am afraid of. But the issue is whatever header I use
> for envelope-from all of them can be trivially forged
> I am trying replacing all the X-Envelope headers before sending them to
> scan servers

don't change headers on trusted routes, you will fail if you do it, but if you
have diff mta's with diff envelope_sender_header one might need to have diff
content scanners as well

envelope_sender_header in local.cf does not solve that imho


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


uhlar at fantomas

May 10, 2008, 9:34 AM

Post #8 of 9
Re: Multiple X-Envelope-From and SPF

> On Fri, May 9, 2008 08:55, ram wrote:
>
> > Precisely what I am afraid of. But the issue is whatever header I use
> > for envelope-from all of them can be trivially forged
> > I am trying replacing all the X-Envelope headers before sending them to
> > scan servers

On 09.05.08 23:39, Benny Pedersen wrote:
> don't change headers on trusted routes, you will fail if you do it, but if you
> have diff mta's with diff envelope_sender_header one might need to have diff
> content scanners as well
>
> envelope_sender_header in local.cf does not solve that imho

he reported that there are multiple such headers. Since ANY header can be in
e-mail when MTA received it, the header chosen to be used for envelope
sender address MUST be replaced by current MTA, it does not matter if it's
X-Envelope-From or Return-Path or wtf.

--
Matus UHLAR - fantomas, uhlar[at]fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
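
The point discussed in the thread above (any inbound copy of the header used for the envelope sender has to be neutralised before the MTA inserts its own), as an added Python example that is not part of any post and is not SpamAssassin or Postfix code. The names `audit` and `sanitize`, the sample message and its addresses are constructed for illustration, and the trust test is a simplified model of the check behind the debug line in post #1.

```python
import email
from email.message import Message

ENV = "X-Envelope-From"  # assumed: the header name the boundary MTA inserts

def audit(raw, name=ENV):
    """Simplified model of the trust test behind the debug line in post #1:
    the header is usable only if it occurs once, above every Received line."""
    received_seen, hits = 0, []
    for key, value in email.message_from_string(raw).items():
        if key.lower() == "received":
            received_seen += 1
        elif key.lower() == name.lower():
            hits.append((value.strip(), received_seen))
    if not hits:
        return None, "absent"
    if len(hits) > 1:
        return None, "multiple"
    if hits[0][1] > 0:
        return None, "below-received"
    return hits[0][0], "ok"

def sanitize(raw, envelope_sender, name=ENV):
    """Boundary-MTA step: rename every inbound copy to X-<name> (the effect of
    the header_checks rule in post #2), then put one fresh copy on top."""
    if "\r" in envelope_sender or "\n" in envelope_sender:
        raise ValueError("line break in envelope sender")
    src = email.message_from_string(raw)
    out = Message()
    out[name] = "<%s>" % envelope_sender  # value from SMTP MAIL FROM
    for key, value in src.items():
        out["X-" + key if key.lower() == name.lower() else key] = value
    out.set_payload(src.get_payload())
    return out.as_string()

# Constructed sample: the sender pre-seeded the header before delivery.
INBOUND = (
    "Received: from mx.sender.example by mta.local.example; 8 May 2008\n"
    "X-Envelope-From: <forged@other.example>\n"
    "From: someone@sender.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Inserting without cleaning first gives the two-header case from post #1.
NAIVE = "X-Envelope-From: <bounce@sender.example>\n" + INBOUND

if __name__ == "__main__":
    print(audit(INBOUND), audit(NAIVE))
    print(audit(sanitize(INBOUND, "bounce@sender.example")))
```
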


me at junc

May 22, 2008, 9:16 AM

Post #9 of 9
Re: Multiple X-Envelope-From and SPF

On Fri, May 9, 2008 08:55, ram wrote:
>
> On Fri, 2008-05-09 at 01:44 +0200, Benny Pedersen wrote:
>> On Thu, May 8, 2008 23:19, mouss wrote:
>>
>> > configure postfix to replace previous ones
>> > /^(X\-Envelope\-From:.*)/ REPLACE X-$1
>>
>> envelope from can here be forged
>
> Precisely what I am afraid of. But the issue is whatever header I use
> for envelope-from all of them can be trivially forged
> I am trying replacing all the X-Envelope headers before sending them to
> scan servers

what mta do you use ?

postfix uses Return-Path as envelope sender header


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
