unwanted sender header via smtp submission [partly resolved]

Brady, Mike mike.brady at devnull.net.nz
Fri Mar 28 00:02:55 CET 2014


Hede

I got tied up with other things yesterday and am only just getting back 
to this.

I was on the same path, but have taken a long time to get to this point, 
so well done.

> I think I've got it. This mail will get long...
> 
> There's a policy in /etc/kolab/kolab.conf when and which Sender-headers Kolab
> should add to your mails:
> delegate_sender_header, alias_sender_header, sender_header and xsender_header
> 

I have some differences here on my CentOS 6.5/Kolab 3.1 system in that I 
only have sender_header and xsender_header.  I am assuming the others 
have been added in 3.2.

> If you only want to get rid of the sender-header, change those values.
> No need to read further.

Done.  But I kept reading anyway :-)

> 
> Those values got read by /usr/lib/postfix/kolab_smtp_access_policy, which is
> executed by postfix' master.cf via submission_policy, which is configured
> to run at several stages in main.cf.
> 
> The thing is... there's something broken with this python script - in my eyes.
> Or at least partly developed or even postfix itself is broken in the way it
> handles the output from the script.
> 
> I tried to investigate how it works, and fiddled a bit in it. I'm pretty
> sure I've undone all my temporary changes but now I even get those
> Sender-headers with squirrelmail and claws-mail, which were fine before.
> Yes, that's the correct behaviour now because I'm using aliases for sending
> in all those MUAs and kolab.conf is configured to add Sender-headers and now
> this is correctly working and previously it was wrong (with headers not always
> added). But... why it was incorrectly working before???
> 
> I don't know what I have done. :-(
> I even compared all files I have touched with older ones (backup), nothing.
> But Kolab's behaviour has changed! Inexplicable!

I hate it when that happens.

> 
> But, it's ok, the behaviour is correct now and if I configure kolab.conf to
> not add Sender headers for aliases, it doesn't do so:
> alias_sender_header = False
> 
> Further things I see (I don't know if the following is 100% correct):
> 
> If the "from:" field is an alias or delegated email address and kolab.conf is
> configured to add headers in this case, the script instructs postfix to add
> "Sender:" and "X-Sender" headers, without checking if there's already one.
> It adds a second "Sender:" header if there's already one existing.
> That's maybe true for you, Mike. ;-)

For me the From: field has never been an alias or delegated, it has 
always been the primary email address.  As far as I can tell (could be 
wrong of course) the 3.1 kolab_smtp_access_policy script always adds the 
sender: header if it is enabled in the kolab.conf file.  Maybe this is 
different in 3.2?  The Outlook/Bynari connector also always has a 
Sender: header.  This is not correct based on my interpretation of 
RFC5322 section 3.6.2 because the author and transmitter are the same in 
my case. So it isn't correct, but it is valid IMF.

> 
> If both, Sender and X-Sender, are instructed to be assigned, only the first
> one really gets added (which is "Sender:" and not "X-Sender:").
> The script generates two lines with "action=PREPEND ..." but postfix still
> adds only the first of them. That's not a bug in postfix, it is clearly
> defined in postfix' SMTPD_POLICY_README that the reply should be
> only "one name=value attribute". And even worse: If there's only one
> PREPEND-line added, it still breaks this rule because it always adds
> "action=PERMIT".
> 
> So, the result is: If a header gets added, it gets added and no PERMIT
> action is fed to postfix. (!)
> 
> Maybe it's at all the wrong place to add headers like "Sender" and
> "X-Sender" via smtpd_data_restrictions and check_policy_service.
> It's not destined for adding headers AND add UCE restriction like PERMIT
> at the same time. Only one at a time.
> 
> And there seems to be some more work needed. The value used to add
> the (X-)Sender-header is policy_request.sasl_username, which is the
> value the user uses to log-in to postfix/smtp. But with kolab 3
> that's not necessarily an email-address. So for me it adds only
> my surname for the sender address, which is definitely wrong.
> 
> I think I will add some bug reports... (I think a plural number is
> appropriate here)

Agreed there are quite a number of things wrong here.

> 
> And btw., off topic, I commented out the cache_uri-line in kolab.conf
> because it seems to be some non-working default value:
> ;cache_uri = mysql://user:pass@localhost/database
> (this removes errors in /var/log/kolab/pykolab.log with every sent mail)
> 

Already logged that one - https://issues.kolab.org/show_bug.cgi?id=2920.

This just adds more issues with the configuration done by setup-kolab.  
In my 3.1 kolab.conf kolab_smtp_access_policy section I now have 4 
of the 6 lines provided commented out because they are just plain wrong.

My kolab_smtp_access_policy section now looks like this.
[kolab_smtp_access_policy]
cache_retention = 86400
#cache_uri = mysql://user:pass@localhost/database
#empty_sender_hosts = 3.2.1.0/24, 6.6.6.0/24
#sender_header = True
address_search_attrs = mail, alias
#xsender_header = True

Again well done on finding this one.  It has saved me a lot of time.

Regards

Mike
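
The reply-format problem discussed in this thread, as an added example that is not part of the original message and is not code from the Kolab script: a checker for the "one name=value attribute" rule quoted from SMTPD_POLICY_README, and a reply builder that emits a single action and only prepends a Sender header when sasl_username is an address. The function names, the sample request and reply, the loose address pattern and the DUNNO fallback are assumptions made for the illustration.

```python
import re

# Deliberately loose address shape check (assumption for this sketch).
ADDRESS_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample: the reply shape described in the thread.
OBSERVED_REPLY = ("action=PREPEND Sender: doe\n"
                  "action=PREPEND X-Sender: doe\n"
                  "action=PERMIT\n\n")

# Constructed sample request; the login name is not an email address.
SAMPLE_REQUEST = ("request=smtpd_access_policy\n"
                  "protocol_state=DATA\n"
                  "sasl_username=doe\n"
                  "sender=john.doe@example.org\n\n")


def parse_request(text):
    """Parse name=value request lines up to the terminating empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def check_reply(reply):
    """Return a list of protocol problems found in a policy service reply."""
    problems = []
    body, terminator, _ = reply.partition("\n\n")
    if not terminator:
        problems.append("reply is not terminated by an empty line")
    lines = [l for l in body.split("\n") if l]
    actions = [l for l in lines if l.startswith("action=")]
    if len(lines) != 1 or len(actions) != 1:
        problems.append("expected exactly one action= attribute, got %d line(s)"
                        % len(lines))
    return problems


def build_reply(request, sender_header=True):
    """Emit exactly one action; never PREPEND a login that is not an address."""
    login = request.get("sasl_username", "")
    if sender_header and ADDRESS_RE.fullmatch(login):
        return "action=PREPEND Sender: %s\n\n" % login
    return "action=DUNNO\n\n"  # assumed fallback: no opinion, add no header
```
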






