Mailing List Archive

How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
When Amazon SES receives mail it validates the From: against verified
domains and addresses. If it does not find it valid it drops the mail
and returns error 554. (See last couple posts in this thread for more
info if desired:
https://forums.aws.amazon.com/message.jspa?messageID=745028#745028 )

I am running a hosting server with cPanel and EXIM. I had hoped that SRS
would fix this denial by changing the Sender: header and SES would
accept it, but apparently SES ignores that, and still rejects. Amazon
seems hesitant to address this, so I'm looking for other ways to address it.

The one that seems best to me would be to rewrite the From: header to
one that will validate (that of on sending server rather than the off
server original). I would only want to do that when the mail is a
forward, original sender is off server, and the recipient is off server.
This would also mean making sure the Replyto: was set to the original
sender, I would think.

I have only a little experience with EXIM rewrites, and the syntax of
the config file, so I'm looking for some help in programming the logic
of this rewrite.

Does this seem like a good approach, or am I missing something easier,
such as re-configuring something already built in to EXIM about how it
treats forward From: addresses?

Thanks in advance for anyone's contribution.

-Pete

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Be careful if you plan to start rewriting the RFC5322.From header. If the
message has had a DKIM signature applied to it that header's content will
almost certainly be covered by the signature to detect
tampering/alterations such as you're proposing, and you'll be invalidating
it; this might give you problems delivering to sites that validate DKIM
signatures. So you'll likely have to sign it again yourself, possibly also
using ARC to confirm the authenticity chain.

Without knowing your situation it sounds like you're trying to do the same
sort of thing as mailing lists do: send out messages originating from
senders (list contributors) from arbitrary domains? You have to be careful
with these, especially if the sender's domain has a DMARC policy other than
"none" in place. This requires one or both of the standard SPF and DKIM
tests to pass *and* for the domain being considered to align with that in
the RFC5321.From header in order for DMARC to consider it an acceptable
pass. Modern mailing list manager software handles this by rewriting the
RFC5322.From header to use its own domain, which it can then DKIM-sign
using its own keys.

In passing, SRS rewrites the RFC5321.MailFrom address (sender address in
the SMTP envelope) not the RFC5322.From or Sender headers. Any change to
the Sender header will likely be a byproduct, I think.

Cheers,
Mike B-)

On 18 March 2018 at 19:21, Pete Schaefers via Exim-users <
exim-users@exim.org> wrote:

> When Amazon SES receives mail it validates the From: against verified
> domains and addresses. If it does not find it valid it drops the mail and
> returns error 554. (See last couple posts in this thread for more info if
> desired: https://forums.aws.amazon.com/message.jspa?messageID=745028#745028 )
>
> I am running a hosting server with cPanel and EXIM. I had hoped that SRS
> would fix this denial by changing the Sender: header and SES would accept
> it, but apparently SES ignores that, and still rejects. Amazon seems
> hesitant to address this, so I'm looking for other ways to address it.
>
> The one that seems best to me would be to rewrite the From: header to one
> that will validate (that of on sending server rather than the off server
> original). I would only want to do that when the mail is a forward,
> original sender is off server, and the recipient is off server. This would
> also mean making sure the Replyto: was set to the original sender, I would
> think.
>
> I have only a little experience with EXIM rewrites, and the syntax of the
> config file, so I'm looking for some help in programming the logic of this
> rewrite.
>
> Does this seem like a good approach, or am I missing something easier,
> such as re-configuring something already built in to EXIM about how it
> treats forward From: addresses?
>
> Thanks in advance for anyone's contribution.
>
> -Pete



--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Mike, thanks for taking the time to detail that! I guess I assumed
(maybe wrongly) that when EXIM forwards a message that the SPF and DKIM
of the domain on the EXIM server would apply and be in the sent forward.
In that case wouldn't all entities align?

Just to make sure I'm stating what I'm trying to do clearly...

joe@yahoo.com ---> sue@myserver.com, which is set to forward to
sue@gmail.com
EXIM sends the forward to SES as joe@yahoo.com ---> sue@gmail.com
SES responds 554 because yahoo.com is not verified in the SES account,
even though the headers clearly show that the *forward* is coming from
myserver.com which *is* verified in the SES account.

Why am I doing this? My sending IP is clean as a whistle, but due to MS
(outlook, live, hotmail) and Yahoo (along with others) having a guilty
until proven innocent attitude, a lot of email from my server going to
those accounts (if the sender isn't already in their address book) goes
Junk, or worse yet, is rejected and bounced. I have jumped MS's hoops
and added my IP to their system, but it still happens. MS is now zero help.

I turned to SES and also to MailGun to use their sending server/IP and
that solved the problem, but each of them have a serious failing.
MailGun doesn't return bounces to the sender (SES does), and SES doesn't
allow forwards such as this (MG does). So I'm stuck with three "pretty
good" SMTP solutions, but each has a unique issue, and this is one
avenue I'm looking down to make it work.

-Pete

On 2018-03-19 12:26, Mike Brudenell wrote:
> Be careful if you plan to start rewriting the RFC5322.From header. If the
> message has had a DKIM signature applied to it that header's content will
> almost certainly be covered by the signature to detect
> tampering/alterations such as you're proposing, and you'll be invalidating
> it; this might give you problems delivering to sites that validate DKIM
> signatures. So you'll likely have to sign it again yourself, possibly also
> using ARC to confirm the authenticity chain.
>
> Without knowing your situation it sounds like you're trying to do the same
> sort of thing as mailing lists do: send out messages originating from
> senders (list contributors) from arbitrary domains? You have to be careful
> with these, especially if the sender's domain has a DMARC policy other than
> "none" in place. This requires one or both of the standard SPF and DKIM
> tests to pass *and* for the domain being considered to align with that in
> the RFC5321.From header in order for DMARC to consider it an acceptable
> pass. Modern mailing list manager software handles this by rewriting the
> RFC5322.From header to use its own domain, which it can then DKIM-sign
> using its own keys.
>
> In passing, SRS rewrites the RFC5321.MailFrom address (sender address in
> the SMTP envelope) not the RFC5322.From or Sender headers. Any change to
> the Sender header will likely be a byproduct, I think.
>
> Cheers,
> Mike B-)

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Hi, Pete -

On 20 March 2018 at 22:04, Pete Schaefers via Exim-users <
exim-users@exim.org> wrote:

> Mike, thanks for taking the time to detail that! I guess I assumed (maybe
> wrongly) that when EXIM forwards a message that the SPF and DKIM of the
> domain on the EXIM server would apply and be in the sent forward. In that
> case wouldn't all entities align?
>

I don't think I can help with the SES side of things, but here we've got
full DKIM-signing in place along with tight SPF and DMARC policies in place
so might be able to help with that side of things a bit.

Going off memory the default Exim configuration didn't do any DKIM signing,
or rewriting of envelope or sender addresses. So if it has to forward on a
message then both the RFC5321.MailFrom envelope and RFC5322.From header
addresses are left entirely untouched; the incoming message is relayed
onward with the originals.

That means at the mail server you're relaying onward to:

- if it checks SPF and there's a policy published for the domain of the
RFC5321.MailFrom then this will fail in the general case — your servers
won't be listed in the SPF policy;
- if it checks DKIM and the original sender added a DKIM signature then
this will pass — because the body and signed headers haven't been altered
the message's DKIM signature will still verify.

If there's a DMARC policy for the domain of the RFC5322.From address then
this will pass because, although the SPF test has failed, the DKIM test
still passes and will (should!) have the domain of the signature align with
that in the RFC5322.From.

If you decide to rewrite the RFC5322.From without taking further measures
you will invalidate the message's original DKIM signature. That means with
neither the SPF nor DKIM tests passing the onward server may well be more
suspicious of the message and could end up marking it as spam or take other
measures. For example, Gmail usually puts a warning "Red Question Mark of
Gloom" (my name for it!) next to a message someone arrives that lacks both
SPF and DKIM passes.

The "further measures" would involve things like you adding your own DKIM
signature to the relayed message as you send it out, with its "d=
*domainname*" aligning with the domain you use in the rewritten
RFC5322.From header. Here you're effectively adding your own signature to
the message (which should pass further down the line) even though
you've invalidated the original sender's DKIM signature.

You can add further authenticity to the message by using ARC (which I admit
freely that I don't fully understand!). I think this is a way of you
indicating to an onward mail server that when you received this message you
were able to verify its authenticity using SPF/DKIM/DMARC and so are adding
a signed header to indicate that, even though those measures might no
longer verify further down the line because you've rewritten headers and/or
changed body content (eg, by adding a "To leave this mailing list…" type of
footer). You can find a nice summary in the "Overview" section of this
document:

https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-12


ARC doesn't have a formal RFC yet but is certainly used by Google for one.

As you hadn't mentioned doing DKIM signing yourself I was erring on the
side of caution and alerting you to possible problems. If you want to talk
further drop me a line direct, as this has veered away from Exim itself and
the mechanics of doing things.

Cheers,
Mike B-)

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
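
The forwarding cases discussed in this thread, modelled as a small SPF/DKIM/DMARC evaluator. This is an added example, not code from the thread or from Exim: the addresses are the ones Pete uses earlier in the thread, while the SPF set, the SRS local part, the assumption that yahoo.com DKIM-signs, and the two-label organizational-domain shortcut are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DkimSig:
    d: str            # signing domain (the d= tag)
    signed_from: str  # From: value that was hashed into the signature


@dataclass(frozen=True)
class Message:
    mail_from: str    # RFC5321.MailFrom (SMTP envelope sender)
    header_from: str  # RFC5322.From header address
    sigs: tuple = ()  # DKIM signatures carried by the message


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def org_domain(domain):
    # ASSUMPTION: organizational domain approximated as the last two labels.
    # Real DMARC evaluators consult the Public Suffix List instead.
    return ".".join(domain.split(".")[-2:])


def aligned(a, b):
    # Relaxed DMARC alignment: organizational domains must match.
    return org_domain(a) == org_domain(b)


def evaluate(msg, spf_authorised):
    """Return SPF, DKIM and DMARC results as seen by the next hop.

    spf_authorised is the (constructed) set of domains whose SPF record
    lists the forwarding server's IP address.
    """
    mf, hf = domain_of(msg.mail_from), domain_of(msg.header_from)
    spf = mf in spf_authorised
    # From: is a signed header, so a signature made over a different From:
    # value no longer verifies.
    valid = [s for s in msg.sigs if s.signed_from == msg.header_from]
    dkim = bool(valid)
    # DMARC needs one passing mechanism whose domain aligns with From:.
    dmarc = (spf and aligned(mf, hf)) or any(aligned(s.d, hf) for s in valid)
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}


def srs_rewrite(msg, relay_domain):
    # SRS touches only the envelope sender; hash and timestamp are placeholders.
    local, dom = msg.mail_from.rsplit("@", 1)
    return replace(msg, mail_from=f"SRS0=hhhh=tt={dom}={local}@{relay_domain}")


def rewrite_from(msg, new_from):
    return replace(msg, header_from=new_from)


def dkim_sign(msg, d):
    return replace(msg, sigs=msg.sigs + (DkimSig(d, msg.header_from),))


def scenarios():
    relay = "myserver.com"
    spf_ok = {relay}  # the relay is listed only in its own SPF record
    original = dkim_sign(Message("joe@yahoo.com", "joe@yahoo.com"), "yahoo.com")
    rewritten = rewrite_from(original, "sue@myserver.com")
    cases = {
        "forwarded untouched": original,
        "SRS envelope rewrite only": srs_rewrite(original, relay),
        "From rewritten, not re-signed": rewritten,
        "From rewritten and re-signed": dkim_sign(rewritten, relay),
    }
    return {name: evaluate(m, spf_ok) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```
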

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Hi!

Now that someone points to ARC as that might be in our future,
does anyone already have an ARC implementation for exim ?

> https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-12

--
pi@opsec.eu +49 171 3101372 2 years to go !

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 21/03/18 12:41, Kurt Jaeger via Exim-users wrote:
> Now that someone points to ARC as that might be in our future,
> does anyone already have a ARC implementation for exim ?

Yup. But as an exim developer, I _should_ be operating on
the bleeding edge...

It's in the sourcebase, and will be in the upcoming release
under the EXPERIMENTAL_ARC compile-time control. It was
already in the first RC.
--
Cheers,
Jeremy


Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
Mike,

Thanks so much for the offer to contact you directly. In thinking this
over I'm getting the feeling that this route is just asking for trouble.
Even if I got it working now it might be a hassle to maintain and I
don't want to go there. But all this has me looking at what I think
would be a much simpler/safer solution.

Currently EXIM ignores mail between local accounts with regard to using
SES. I assume that is accomplished solely by a line in the prerouters
section.

PREROUTERS
send_via_ses:
  driver = manualroute
  domains = ! +local_domains    <----- this line, I assume
  transport = ses_smtp
  route_list = * email-smtp.us-west-2.amazonaws.com;

If I could also ignore all forwards, and handle them locally (as it does
those on local domains now) that would solve my problem because the
forwards I have in place now are doing fine without SES.

I haven't looked for the directive for this yet (I'll be googling on
that next...), so any help to get it right the first time would be
appreciated. I assume it would be another line in this section basically
stating: if !forward

It's a live production server, so I have to be careful and do my testing
at off-peak times. *yawn*

-Pete

On 2018-03-21 12:09, Mike Brudenell wrote:
> Hi, Pete -
>
> On 20 March 2018 at 22:04, Pete Schaefers via Exim-users <
> exim-users@???> wrote:
>
> > Mike, thanks for taking the time to detail that! I guess I assumed (maybe
> > wrongly) that when EXIM forwards a message that the SPF and DKIM of the
> > domain on the EXIM server would apply and be in the sent forward. In that
> > case wouldn't all entities align?
> >
>
> I don't think I can help with the SES side of things, but here we've got
> full DKIM-signing in place along with tight SPF and DMARC policies in place
> so might be able to help with that side of things a bit.
>
> Going off memory the default Exim configuration didn't do any DKIM signing,
> or rewriting of envelope or sender addresses. So if it has to forward on a
> message then both the RFC5321.MailFrom envelope and RFC5322.From header
> addresses are left entirely untouched; the incoming message is relayed
> onward with the originals.
>
> That means at the mail server you're relaying onward to:
>
> - if it checks SPF and there's a policy published for the domain of the
> RFC5321.MailFrom then this will fail in the general case — your servers
> won't be listed in the SPF policy;
> - if it checks DKIM and the original sender added a DKIM signature then
> this will pass — because the body and signed headers haven't been altered
> the message's DKIM signature will still verify.
>
> If there's a DMARC policy for the domain of the RFC5322.From address then
> this will pass because, although the SPF test has failed, the DKIM test
> still passes and will (should!) have the domain of the signature align with
> that in the RFC5322.From.
>
> If you decide to rewrite the RFC5322.From without taking further measures
> you will invalidate the message's original DKIM signature. That means with
> neither the SPF nor DKIM tests passing the onward server may well be more
> suspicious of the message and could end up marking it as spam or take other
> measures. For example, Gmail usually puts a warning "Red Question Mark of
> Gloom" (my name for it!) next to a message someone arrives that lacks both
> SPF and DKIM passes.
>
> The "further measures" would involve things like you adding your own DKIM
> signature to the relayed message as you send it out, with its "d=
> *domainname*" aligning with the domain you use in the rewritten
> RFC5322.From header. Here you're effectively adding your own signature to
> the message (which should pass further down the line) even though
> you've invalidated the original sender's DKIM signature.
>
> You can add further authenticity to the message by using ARC (which I admit
> freely that I don't fully understand!). I think this is a way of you
> indicating to an onward mail server that when you received this message you
> were able to verify its authenticity using SPF/DKIM/DMARC and so are adding
> a signed header to indicate that, even though those measures might no
> longer verify further down the line because you've rewritten headers and/or
> changed body content (eg, by adding a "To leave this mailing list…" type of
> footer). You can find a nice summary in the "Overview" section of this
> document:
>
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-12
>
>
> ARC doesn't have a formal RFC yet but is certainly used by Google for one.
>
> As you hadn't mentioned doing DKIM signing yourself I was erring on the
> side of caution and alerting you to possible problems. If you want to talk
> further drop me a line direct, as this has veered away from Exim itself and
> the mechanics of doing things.
>
> Cheers,
> Mike B-)
>
> --
> Systems Administrator

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
I've googled, posted in the cPanel forum, and searched through EXIM
docs, but I'm not finding what I need. I probably am not asking the
right question...

Am I correct that EXIM should be able to pretty easily know whether a
mail is a forward of a local address?

If so, would a line negating the router action to SES be the proper way
to prevent it from being sent through SES, and instead be handled
locally (sent out through my server's SMTP)?

I suppose some conditional statement could be made against the sending
domain's valiases file, and whether the recipient address is found in
it, but that seems like a lot more load than is necessary since it would
have to check every email sent.

I'm out of ideas about how to search this out.

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 22/03/18 21:21, Pete Schaefers via Exim-users wrote:
> Am I correct that EXIM should be able to pretty easily know whether a
> mail is a forward of a local address?

Assuming you're doing forwarding the sane way (in routers)
compare $domain with $original_domain (and the same for
local_part).


> If so, would a line negating the router action to SES

I've no clue what SES is in this context.
--
Cheers,
Jeremy


Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 2018-03-22 21:49, Jeremy Harris wrote:
>
> I've no clue what SES is in this context.
> --
> Cheers,
> Jeremy

Sorry, that got lost in the thread.

SES is an SMTP host from Amazon Web Services. This is the router:

send_via_ses:
  driver = manualroute
  domains = ! +local_domains
  transport = ses_smtp
  route_list = * email-smtp.us-west-2.amazonaws.com;

It sends all non-local mail to SES. I need to have it not send forwards
and let them be handled locally.

-Pete

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 22 Mar 2018, at 22:06, Pete Schaefers via Exim-users <exim-users@exim.org> wrote:
> send_via_ses:
> driver = manualroute
> domains = ! +local_domains
> transport = ses_smtp
> route_list = * email-smtp.us-west-2.amazonaws.com;
>
> It sends all non-local mail to SES. I need to have it not send forwards and let them be handled locally.

How exactly are the 'forwarded' emails generated? You've mentioned an alias lookup already but it isn't entirely clear how these are being generated.

The router above will punt anything for a recipient which is *not* in the local_domains domain list to your Amazon smarthost.

If you want to catch messages which have some other condition and deal with them locally, you'll need another router with a condition that can identify them (and a corresponding condition on this router to not handle them).

Graeme

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 2018-03-23 10:10, Graeme Fowler wrote:
> On 22 Mar 2018, at 22:06, Pete Schaefers via Exim-users <exim-users@???> wrote:
> > send_via_ses:
> > driver = manualroute
> > domains = ! +local_domains
> > transport = ses_smtp
> > route_list = * email-smtp.us-west-2.amazonaws.com;
> >
> > It sends all non-local mail to SES. I need to have it not send forwards and let them be handled locally.
>
> How exactly are the 'forwarded' emails generated? You've mentioned an alias lookup already but it isn't entirely clear how these are being generated.
>
> The router above will punt anything for a recipient which is *not* in the local_domains domain list to your Amazon smarthost.
>
> If you want to catch messages which have some other condition and deal with them locally, you'll need another router with a condition that can identify them (and a corresponding condition on this router to not handle them).
>
> Graeme

Sorry to not be clear. I'm referring to aliases/forwards, not forwarded
email (which is still FROM a local domain). I just want to *not* send
mail to SES that it won't process (as well as not sending local
messages, which is already being accomplished by "domains = !
+local_domains" as you said). Anything not sent to SES then defaults to
local handling. SES rejects sending messages that are generated when an
outside address sends to a local account that is also aliased, or is
only an alias, because the FROM address is the original sender's outside
address. (Forwarding is set up on a cPanel server by cPanel creating a
list of aliases for each domain in /etc/valiases/example.com)

Am I correct that "domains =" only refers to the recipient (TO/CC/BCC)
domain, and that "sender =" only refers to the original sender (FROM)
domain? If so, then would the below prevent the forwards from being sent
through SES?

send_via_ses:
  driver = manualroute
  domains = ! +local_domains
  senders = +local_domains
  transport = ses_smtp
  route_list = * email-smtp.us-west-2.amazonaws.com;

If I understand correctly this would dictate that only messages that are
*not* TO a local domain *and are* FROM a local domain go to SES. This
would seem to do what I want.

Or am I missing some additional case (other than a forward/alias) where
mail is sent TO a remote domain, and is not FROM a local domain?

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 2018-03-23 21:28, Pete Schaefers wrote:
> ...would the below prevent the forwards from being sent
> through SES?
>
> send_via_ses:
> driver = manualroute
> domains = ! +local_domains
> senders = +local_domains
> transport = ses_smtp
> route_list = * email-smtp.us-west-2.amazonaws.com;

Adding *senders = +local_domains* didn't work, and in the log it said:
*unknown named address list "+local_domains"*
Then I discovered that sender = is expecting a full address, not just a
domain (made sense when I thought about it) so I added *@ to it, and it
works as anticipated!

domains = ! +local_domains
senders = *@+local_domains

I'm still curious if this code is likely to produce any other unexpected
results in logic as far as affecting mail routes the way I have desired.

Thoughts, anyone?

Thanks for the hints!

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 24/03/18 07:08, Pete Schaefers via Exim-users wrote:
> senders = *@+local_domains

That almost certainly will not work if the "local_domains"
list has more than one element, and I'm surprised it works
at all. You're abusing list-syntax there.

Instead, use a generic "condition=" router condition with
a value constructed using ${if } involving $sender_address_domain
and match_domain.
--
Jeremy

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 2018-03-24 13:22, Jeremy Harris wrote:
> On 24/03/18 07:08, Pete Schaefers via Exim-users wrote:
> > senders = *@+local_domains
>
> That almost certainly will not work if the "local_domains"
> list has more than one element, and I'm surprised it works
> at all. You're abusing list-syntax there.
>
> Instead, use a generic "condition=" router condition with
> a value constructed using ${if } involving $sender_address_domain
> and match_domain.
> --
> Jeremy

I appreciate your help. Clearly I'm just hacking at it, but I'm trying
to learn as I do.

I checked and "local_domains" comes from "domainlist local_domains =
lsearch;/etc/localdomains" and /etc/localdomains indeed has a list of all
domains in it. Oddly it still works as intended in my tests. On further
looking I'm guessing "*@+local_domains" would be used in a rewrite.

Based on your comments I'm thinking this is what you meant:

condition = ${if match_domain {$sender_address_domain}{+local_domains}}

It also seems to work on initial tests, but I'm learning that just
because EXIM accepts the config file and even seems to do what I want
doesn't make it right.

-Pete

Re: How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error
On 2018-03-25 09:53, Pete Schaefers wrote:
> On 2018-03-24 13:22, Jeremy Harris wrote:
> > On 24/03/18 07:08, Pete Schaefers via Exim-users wrote:
> > > senders = *@+local_domains
> >
> > That almost certainly will not work if the "local_domains"
> > list has more than one element, and I'm surprised it works
> > at all. You're abusing list-syntax there.
> >
> > Instead, use a generic "condition=" router condition with
> > a value constructed using ${if } involving $sender_address_domain
> > and match_domain.
> > --
> > Jeremy
>
> I appreciate your help. Clearly I'm just hacking at it, but I'm trying
> to learn as I do.
>
> I checked and "local_domains" comes from "domainlist local_domains =
> lsearch;/etc/localdomains" and /etc/localdomains indeed has a list of all
> domains in it. Oddly it still works as intended in my tests. On further
> looking I'm guessing "*@+local_domains" would be used in a rewrite.
>
> Based on your comments I'm thinking this is what you meant:
>
> condition = ${if match_domain {$sender_address_domain}{+local_domains}}
>
> It also seems to work on initial tests, but I'm learning that just
> because EXIM accepts the config file and even seems to do what I want
> doesn't make it right.
>
> -Pete
>
>

Is my syntax correct? Should that condition statement do as I expect
(ensure that messages handled by this router are from a sender on a
local domain, and not a forward from an external sender)?

Thanks in advance for any input, positive or negative.

-Pete

--

-------------------------
Pete Schaefers
Owner, Hyssop Production
Video Production & Website Development
(541) 888-4336
https://www.hyssop.com
-------------------------

