Bug 4024 - SPF and X-Envelope-From and sendmail
Summary: SPF and X-Envelope-From and sendmail
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins (show other bugs)
Version: 3.0.1
Hardware: All All
: P4 normal
Target Milestone: 3.2.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-10 12:27 UTC by Mark
Modified: 2006-12-06 10:34 UTC (History)
1 user (show)


Attachment Type Modified Status Actions Submitter/CLA Status
patch against 3.0 patch None Daryl C. W. O'Shea [HasCLA]
patch against trunk patch None Daryl C. W. O'Shea [HasCLA]
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark 2004-12-10 12:27:35 UTC 
The USAGE document says:

However,sendmail will not expose the MAIL FROM: sender address by default.  So 
if you're using sendmail, please add this to /etc/sendmail.cf :
      H?l?X-Envelope-From: $f

This works fine as long as the message is received from a server that is not 
also set to add this header.  But if the header has already been added by a 
previous server, then sendmail won't add another one.  The existing header will 
be below the latest Received: line so SpamAssasin won't trust it and no SPF 
checks will be done.  By SPF I mean the real SPF checks, not the SPF_HELO 
checks.

Example headers from one that works:

X-Envelope-From: cpicciotto@kalisystems.com
Return-Path: <cpicciotto@kalisystems.com>
Received: from picciotto.net (picciotto.net [66.91.143.194])
	by mail.tippingmar.com (8.12.10/8.12.10) with ESMTP id iBAJ9Ye1001721
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <mark@tippingmar.com>; Fri, 10 Dec 2004 11:09:35 -0800
Received: from [192.168.0.4] (cpe-66-91-125-24.hawaii.rr.com [66.91.125.24])
	(authenticated bits=0)
	by picciotto.net (8.12.11/8.12.11) with ESMTP id iBAJ9QC5015715
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <mark@tippingmar.com>; Fri, 10 Dec 2004 09:09:26 -1000
Message-ID: <41B9F469.7060307@kalisystems.com>


Example of one that doesn't work:

Return-Path: <cpicciotto@kalisystems.com>
Received: from picciotto.net (picciotto.net [66.91.143.194])
	by mail.tippingmar.com (8.12.10/8.12.10) with ESMTP id iBAIise1001311
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <mark@tippingmar.com>; Fri, 10 Dec 2004 10:44:55 -0800
X-Envelope-From: cpicciotto@kalisystems.com
Received: from [192.168.0.4] (cpe-66-91-125-24.hawaii.rr.com [66.91.125.24])
	(authenticated bits=0)
	by picciotto.net (8.12.11/8.12.11) with ESMTP id iBAIijMY015420
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <mark@tippingmar.com>; Fri, 10 Dec 2004 08:44:45 -1000
Message-ID: <41B9EE24.9070509@kalisystems.com>
Comment 1 Mark 2004-12-15 14:22:29 UTC 
You can work around this problem to a large extent by using:

H?l?X-uniquename-Env-From: $f

and then specifying the header name with:
envelope_sender_header X-uniquename-Env-From
in local.cf

so the chances of there already being such a header in the incoming message are 
greatly reduced.

Of course this problem only relates to use of SpamAssassin on gateways or in 
programs like MailScanner, where the message has not yet been given to a 
delivery agent.  When sendmail passes the message to a delivery agent, it adds 
the Return-Path header, which SpamAssassin knows how to use.
Comment 2 Daryl C. W. O'Shea 2005-01-08 23:01:58 UTC 
Of course there's nothing we can do if the header is added by an untrusted
relay, but we can use it if it was added by a trusted relay.

Adding the HELO value found in the last trusted relay's received header to the
current regex should do the trick.

This also applies to the regexes for Envelope-Sender and Return-Path.


Daryl
Comment 3 Mark 2005-01-09 16:30:51 UTC 
I'm not sure what you mean.  The HELO and the Envelope-From are often different
for legitimate messages.  True SPF requires the Envelope-From address.  As noted
in the first post, the problem is with real SPF checks, not the SPF_HELO tests.
Comment 4 Daryl C. W. O'Shea 2005-01-09 19:01:22 UTC 
What I'm suggesting has nothing to do with SPF checks.  It only has to do with
determining when we can trust the X-Envelope-From, Envelope-Sender and/or Return
Path found in a message, and when we can't.

If these headers are found above the last trusted relay's received header, we
can trust them.  By modifying the current regexes, used to determine if we can
use the 3 aforementioned headers, to include a token that appears in the last
trusted relay's received header (and no sooner, but likely also later) we can
determine whether or not we trust those 3 headers.

I'll write a patch tonight if I can get some other work out of the way.


Daryl
Comment 5 Mark 2005-01-10 09:22:32 UTC 
I see.  Currently the header is only trusted if it is above the final Received 
header.  You are saying we can also trust the header if it is above the last 
TRUSTED relay.
Comment 6 Justin Mason 2005-01-10 10:48:17 UTC 
daryl -- I'm not sure your position is correct.

it's entirely plausible that a *trusted* relay could forward the mail with a new
envelope-sender address.  my fetchmail setup, for exmaple, does this; also if
the mail is resent via a Mailman/ezmlm mailing list, that will also do that.
Comment 7 Daniel Quinlan 2005-01-10 13:53:07 UTC 
Subject: Re:  SPF and X-Envelope-From and sendmail

I would say we should use the first envelope-sender header encountered
above the last trusted received line.
Comment 8 Daryl C. W. O'Shea 2005-01-10 16:34:58 UTC 
Subject: Re:  SPF and X-Envelope-From and sendmail

The current code won't use the headers, regardless of where they are, if 
it finds an X-Sender header and a fetchmail received header since 
fetchmail may alter the envelope-sender.

I don't suggest that this check be eliminated if we were to check for 
the 3 headers in between the trusted relays' received headers.

That said, is there anytime fetchmail will alter the envelope-sender if 
it doesn't find an X-Sender header?  Should the X-Sender requirement be 
removed (and just look for 'fetchmail') or should we also be looking for 
other headers that may cause fetchmail to alter the envelope-sender?


Daryl
Comment 9 Daryl C. W. O'Shea 2005-01-10 20:53:23 UTC 
Created attachment 2596 [details]
patch against 3.0
Comment 10 Daryl C. W. O'Shea 2005-01-10 21:11:33 UTC 
Created attachment 2597 [details]
patch against trunk
Comment 11 Justin Mason 2006-10-19 07:15:41 UTC 
Daryl -- do we still need this?
Comment 12 Daryl C. W. O'Shea 2006-10-20 10:19:28 UTC 
Forgot all about this... need to think about it a bit.

If we do need it, I don't like my implementation.  Looking for the last trusted
helo is lame.

Instead of using the "ALL" pseudo header, we should have an "ALL-TRUSTED" one to
work with.
Comment 13 Justin Mason 2006-11-02 15:27:33 UTC 
lowering pri
Comment 14 Daryl C. W. O'Shea 2006-12-06 10:34:50 UTC 
I can't convince myself that this is a good thing to do.  It's messy and
unreliable.  As soon as you start messing with the return path you've got to
give up on SPF.

r483169 and r483171 removes the bogus info from the USAGE doc.  Closing as WONTFIX.