Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.7.0, 3.8.0, 3.7.1, 3.7.3, 3.7.4, 3.8.1, 3.7.5
-
None
-
None
Description
The issue
GIVEN bob@my-domain.tld set up a forward for alice@external-domain.tld
WHEN cedric@another-external-domain.tld sends a mail to bob@my-domain.tld
MAIL FROM: <cedric@another-external-domain.tld>
RCPT TO: <bob@my-domain.tld>
THEN James RRT rewrites the transport envelop as:
MAIL FROM: <cedric@another-external-domain.tld>
RCPT TO: <alice@external-domain.tld>
AND would attempt the delivery to the remote server with such a transport envelop
The problem lies down to the fact that James is not authorised to send email for arbitrary domains. James can only send emails for my-domain.tld where the SPF and DKIM settings are set solely for this domain.
When James attempt to deliver a mail from another-external-domain.tld all the SPF and DKIM checks are turning into red...
The (functional) solution
Outgoing forwards senders (MAIL FROM) needs to be rewritten into the original recipient.
In the above example if we end up with :
MAIL FROM: <bob@my-domain.tld> RCPT TO: <alice@external-domain.tld>
Then we would comply with the SPF / DKIM policies...
Test cases
Case 1: Simple foward
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld THEN the transport envelope becomes: MAIL FROM: bob@mydomain.tld RCPT TO: alice@mydomain.tld
Case 2: Part of the recipient have fowards
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld and delphine@mydomain.tld THEN the transport envelope becomes (2 mails instead of one): MAIL FROM: bob@mydomain.tld RCPT TO: alice@mydomain.tld AND MAIL FROM: cedric@mydomain.tld RCPT TO: delphine@mydomain.tld
Case 3: Several recipient have forwards
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld AND RRT: delphine@mydomain.tld forwards mails to edgard@mydomain.tld WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld and delphine@mydomain.tld THEN the transport envelope becomes (2 mails instead of one): MAIL FROM: bob@mydomain.tld RCPT TO: alice@mydomain.tld AND MAIL FROM: delphine@mydomain.tld RCPT TO: edgard@mydomain.tld
Case 4: Chaining forwards
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld AND RRT: alice@mydomain.tld forwards mails to edgard@mydomain.tld WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld THEN the transport envelope becomes: MAIL FROM: alice@mydomain.tld RCPT TO: edgard@mydomain.tld
Case 5: Handling Alias for people having forwards
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld
AND ALIAS: bob-alias@mydomain.tld for bob@mydomain.tld
WHEN cedric@mydomain.tld sends a mail to bob-alias@mydomain.tld
THEN the transport envelope becomes:
MAIL FROM: bob@mydomain.tld
RCPT TO: alice@mydomain.tld
Case 6: handling group registration for people having forwards
GIVEN RRT: bob@mydomain.tld forwards mails to alice@mydomain.tld AND bob@mydomain.tld is part of group@mydomain.tld WHEN cedric@mydomain.tld sends a mail to group@mydomain.tld THEN the transport envelope becomes: MAIL FROM: bob@mydomain.tld RCPT TO: alice@mydomain.tld
Case 7: Handling Alias for forwads target
GIVEN RRT: bob@mydomain.tld forwards mails to alice-alias@mydomain.tld
AND ALIAS: alice-alias@mydomain.tld for alice@mydomain.tld
WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld
THEN the transport envelope becomes:
MAIL FROM: bob@mydomain.tld
RCPT TO: alice@mydomain.tld
Case 8: handling group registration for forwads target
GIVEN RRT: bob@mydomain.tld forwards mails to group@mydomain.tld AND alice@mydomain.tld is part of group@mydomain.tld WHEN cedric@mydomain.tld sends a mail to bob@mydomain.tld THEN the transport envelope becomes: MAIL FROM: bob@mydomain.tld RCPT TO: alice@mydomain.tld
Also Validate that validRCPTHandler accepts bob@domain.tld with a Forward, and that all kind of RRT can be applied to it (unit tests?)
Also validate that Forwards are still taken into account by RRT loop detection upon insert (JMAP + webadmin tests? )
Of course those cases can be mixed!
DOD -> Integration tests (into `/server/mailets/integration-tests` using a mail repository to capture)
How to implement
It is likely WAY easier to do this in two steps as doing it in one WOULD REQUIRE A COMPLETE REWRITE OF THE RRT ALGORITHM (really scary)
The idea would be
- To write a mailet dedicated to forwards. Without recursivity, this mailets looks at each recipient, see if there is a direct forward. If so remove the recipient, copies the mail, modify recipient and sender and submits a brand new mail via the mailet context.
- Have an option in RRT to not take forwards into account. This implies that just next to it there is the ForwardTo mailet...
Note that interactions between RRTs and forwards would be taken into account naturally with such a set up: recursivity of Forward rewrites and integration to the RRT rule engine would be taken into account via multiple submissions to the mailet container...
Checklist
- [ ] Documentation for the new mailet
- [ ] Clear upgrade instructions
- [ ] Sample config is updated
TLDR: good luck!
Attachments
Issue Links
- links to