Mailing List Archive

Design question: cleaning up/restricting From: and Reply-To: headers to valid domains on outbound mail
Hi,

Router condition or systemfilter?

The latter works - I just wondered if it was considered the "best" way?

Here's a snippet of the system filter I have:

if
not $h_from matches "(@example.com)" and
not $h_from matches "(@mydept.example.com)" and
not $h_from matches "(@lists.mydept.example.com)"
then
fail text "Malformed From: header"
endif



For reasons of professionalism, I want to ensure that outbound emails
leaving my system contain From: or Reply-To: (and Envelope) domains that
match a limited list that I am responsible for.

I'll be arranging to collect these fails for debugging - either by
appending to a file or bouncing to postmaster (me).


This is not a "user email" system - there's no debate about the ethics
of rewriting Reply-To headers etc - these emails are either root mail or
system and application generated email originating from systems I am
responsible for.

One of the reasons is to catch any old apps that are sending malformed
email.


--
Tim Watts


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Design question: cleaning up/restricting From: and Reply-To: headers to valid domains on outbound mail [ In reply to ]
On 21/07/18 12:05, Tim Watts wrote:
> Hi,
>

Oh - and I forgot to add "thank you" - sorry, hit send too fast, did not
mean to be rude.

Seriously - would be very grateful for any comments :)

Kind regards,

Tim


--
Tim Watts
Systems Manager, King's Digital Lab
King's College London
Tel (VOIP): +44 (0)1580 848360 Internal: x7143

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Design question: cleaning up/restricting From: and Reply-To: headers to valid domains on outbound mail [ In reply to ]
I did that in the DATA ACL:

# Check that a From or Sender header is present.
require condition = ${if def:h_From: {1}{${if def:h_Sender: {1}{0}}}}
message = Missing From: or Sender: header. Consult RFC 5322.

# And use that to enforce our outbound policy.
require set acl_m_from_domain = ${if def:h_From: \
{${domain:$h_From:}} \
{${domain:$h_Sender:}} \
}
message = Not permitted to send as $acl_m_from_domain from here
sender_domains = +internal_domains

It at least covers the simple case; I'm not sure about handling lists in
the header---never had to. Reply-To should follow similarly.

If you're gathering data to notify users of the change in policy before
you implement it, I'd log the authenticated_id together with the
inappropriate domain to make it easy to pull out of the logs later
(change the second require to warn and message to log_message):

log_message = $authenticated_id tried to send as \
$acl_m_from_domain!


Rical

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Design question: cleaning up/restricting From: and Reply-To: headers to valid domains on outbound mail [ In reply to ]
On 07/21/2018 12:05 PM, Tim Watts via Exim-users wrote:
> Router condition or systemfilter?

There's multiple places it could be done, and really it
comes down to personal preference and how well it fits
with the rest of your config. I'm with Rical - do it in ACL.
You have most flexibility there.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/