Steffen Kaiser wrote:

On Thu, 26 Apr 2007, Steffen Kaiser wrote:

Hello,

after digging in the CMU Sieve lib sources, I found where the problem stems from.

Somehow (I don't know why) in dovecot-sieve-1.0.1/src/libsieve/script.c:671

        /* first, let's figure out if we should respond to this */
        ret = makehash(hash, a->u.vac.send.addr,
                   a->u.vac.send.msg);

u.vac.send.addr is NULL.

Although, in dovecot-sieve-1.0.1/src/libsieve/bc_eval.c:256
I get the impression that this error is handled by silently skipping vacation, if no return-path is available. It didn't happen for me. BTW: I want to have those replies ;-)

The reason is that by default sendmail does not pass forth Return-Path to the MDA and Dovecot deliver does not use the -f option for this reason.

The attached patch changes this by letting deliver_get_return_address() return any information available:

    str = mail_get_first_header(mail, "Return-Path");
    if(!str)
        str = envelope_sender != DEFAULT_ENVELOPE_SENDER
         ? envelope_sender    /* -f option */
         : mail_get_first_header(mail, "From");    /* That's not the
            most correct one, but alas */

oh no. never ever send to the From header address. if your mail system doesn't provide the necessary information, fix it or do whatever you want, but please don't add yet another broken outscatter system...

this is clear in RFC 3834:

<excerpt source=rfc3834>

  If the response is to be generated after delivery, and there is no
  Return-Path field in the subject message, there is an implementation
  or configuration error in the SMTP server that delivered the message
  or gatewayed the message outside of SMTP.  A Personal or Group
  responder SHOULD NOT deliver a response to any address other than
  that in the Return-Path field, even if the Return-Path field is
  missing.  It is better to fix the problem with the mail delivery
  system than to rely on heuristics to guess the appropriate
  destination of the response.  Such heuristics have been known to
  cause problems in the past.
</excerpt>


In case you read the following sections, note that vacation is not a service responder.

The problem still exists if none of the three pieces of information is available, but, well ... .

If you don't have the necessary information, don't send a vacation. stay on the safe side.

Now, vacation is working.

maybe for you, probably not for the masses of backscatter victims...

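An added example, not part of the thread and not Dovecot's code: a C function that applies the rule argued in the reply above, where a vacation response goes only to the Return-Path address and nothing is sent when that header is missing or is the null path `<>`. The name `vacation_reply_target` and its signature are assumptions made for illustration; the `@` and control-character checks are extra hardening chosen for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Decide where a vacation auto-reply may go, given the raw value of the
 * message's Return-Path header (NULL when the header is missing).
 * Returns 1 and copies the bare address into out when a reply is allowed,
 * 0 when the responder must stay silent. The From header is deliberately
 * not a parameter: there is no fallback to guess from. */
int vacation_reply_target(const char *return_path, char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;

    if (return_path == NULL || out == NULL || outlen == 0)
        return 0;                       /* no Return-Path: do not guess */

    /* Trim surrounding whitespace, including a trailing CRLF. */
    start = return_path;
    while (*start && isspace((unsigned char)*start))
        start++;
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1]))
        end--;

    /* Strip one pair of angle brackets: "<user@example.org>". */
    if (end - start >= 2 && *start == '<' && end[-1] == '>') {
        start++;
        end--;
    }

    len = (size_t)(end - start);
    if (len == 0)
        return 0;                       /* "<>" null reverse-path (a bounce) */
    if (len >= outlen)
        return 0;                       /* would truncate: refuse */
    if (memchr(start, '@', len) == NULL)
        return 0;                       /* not a usable mailbox */
    for (size_t i = 0; i < len; i++)    /* no whitespace or control bytes */
        if (isspace((unsigned char)start[i]) || iscntrl((unsigned char)start[i]))
            return 0;                   /* keeps CR/LF out of the reply's To: */

    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}
```
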