Can Postfix automatically add line "Resent-From: " in the header?

  • Xie, Wei
    Message 1 of 8 , Jul 29, 2014

      Greetings,

       

      Our OSU State University uses Microsoft exchange servers as our main email system. Many users’ email accounts are forwarding accounts, which forward emails of name.n@... (i. e.  smith.8113@...) to other email systems such as gmail, yahoo, Hotmail, Buckeyemail, etc. Before these outbound emails are leaving from Ohio state university, they are scanned by our Security DLP (Data Loss Protection) servers on which MTA Postfix is running.

       

      Here we have a question about postfix. When the message passes by Postfix, can Postfix automatically add line "Resent-From: <OSU email address>" in the header?

       

      For example:

       

      From: webmaster@...

      To: test.13@...           (which is forwarded to smith.8113@...)

       

      The message is sent from  webmaster@... to test.13@.... The Microsoft exchange HUB server receives the message, checks AD (Active Directory) server and see this account test.13@... is forwarding account to  smith.8113@..., the HUB server delivers the message for smith.8113@... to Security DLP (Data Loss Protection) server. After scanning, DLP (Data Loss Protection) server delivers this outbound email to next hop. On DLP server, Postfix is running. Can it automatically identify the address test.13@... in “To:” field and add the line "Resent-From: <test.13@...>" in the header before the message is handed over to next hop?

       

      If yes, further ask: Can Postfix identify the “from address or envelope-from address” is non-OSU.EDU address or non-OHIO-STATE.EDU address (i. e. webmaster@...), then take action to pick up “to address” (i.e. test.13@...), add the line “Resent-From: to address” (i. e. Resent-From: test.13@...) into header of message?

       

       

      Here is the header of test message for the reference:

       

      Received: from BN1PR01MB135.prod.exchangelabs.com (10.242.217.24) by

      BY2PR01MB139.prod.exchangelabs.com (10.242.233.152) with Microsoft SMTP

      Server (TLS) id 15.0.990.7 via Mailbox Transport; Thu, 24 Jul 2014 13:56:34

      +0000

      Received: from BL2PR01CA0022.prod.exchangelabs.com (10.141.66.22) by

      BN1PR01MB135.prod.exchangelabs.com (10.242.217.24) with Microsoft SMTP Server

      (TLS) id 15.0.990.7; Thu, 24 Jul 2014 13:56:33 +0000

      Received: from BN1BFFO11FD029.protection.gbl (2a01:111:f400:7c10::1:190) by

      BL2PR01CA0022.outlook.office365.com (2a01:111:e400:c1b::22) with Microsoft

      SMTP Server (TLS) id 15.0.995.14 via Frontend Transport; Thu, 24 Jul 2014

      13:56:33 +0000

      Received: from na01-by2-obe.outbound.protection.outlook.com (207.46.163.243)

      by BN1BFFO11FD029.mail.protection.outlook.com (10.58.144.92) with Microsoft

      SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 24 Jul 2014

      13:56:32 +0000

      Received: from BN1AFFO11FD022.protection.gbl (10.58.52.33) by

      BN1AFFO11HUB033.protection.gbl (10.58.52.144) with Microsoft SMTP Server

      (TLS) id 15.0.980.11; Thu, 24 Jul 2014 13:56:30 +0000

      Received: from cio-tnc-pf04.osuad.osu.edu (164.107.81.218) by

      BN1AFFO11FD022.mail.protection.outlook.com (10.58.52.82) with Microsoft SMTP

      Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 24 Jul 2014 13:56:30

      +0000

      Received: from CIO-KRC-HT01.osuad.osu.edu (cio-krc-ht01.osuad.osu.edu [164.107.81.37])

                      (using TLSv1 with cipher AES128-SHA (128/128 bits))

                      (No client certificate requested)

                      by cio-tnc-pf04.osuad.osu.edu (Postfix) with ESMTPS id BD29938005A

                      for <smith.8113@...>; Thu, 24 Jul 2014 09:56:29 -0400 (EDT)

       

      Resent-From: <smith.8113@...>    (which is the line we want Postfix to add)

       

      Received: from na01-by2-obe.outbound.protection.outlook.com (207.46.163.243)

      by CIO-KRC-HT01.osuad.osu.edu (164.107.81.37) with Microsoft SMTP Server

      (TLS) id 14.3.174.1; Thu, 24 Jul 2014 09:56:27 -0400

      Received: from BN1AFFO11FD018.protection.gbl (10.58.52.30) by

      BN1AFFO11HUB016.protection.gbl (10.58.52.126) with Microsoft SMTP Server

      (TLS) id 15.0.980.11; Thu, 24 Jul 2014 13:56:26 +0000

      Received: from vps4520.inmotionhosting.com (70.39.249.76) by

      BN1AFFO11FD018.mail.protection.outlook.com (10.58.52.78) with Microsoft SMTP

      Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 24 Jul 2014 13:56:25

      +0000

      Received: from [127.0.0.1] (port=34753 helo=webmail.endeavorwebdesign.com)            by

      vps4520.inmotionhosting.com with esmtpa (Exim 4.80.1)             (envelope-from

      <webmaster@...>)        id 1XAJVR-0008Gs-8b     for test.13@...;

      Thu, 24 Jul 2014 09:56:25 -0400

      MIME-Version: 1.0

      Content-Type: text/plain; charset="UTF-8"; format=flowed

      Content-Transfer-Encoding: 7bit

      Date: Thu, 24 Jul 2014 09:56:25 -0400

      From: <webmaster@...>

      To: <test.13@...>

      Subject: Test 4 EWD

      Message-ID: <5b1dfd6d8a13ea9c0b6ea8c9d5d8aef7@...>

      X-Sender: webmaster@...

      User-Agent: Roundcube Webmail/0.9.3

      X-OutGoing-Spam-Status: No, score=-0.8

      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

      X-AntiAbuse: Primary Hostname - vps4520.inmotionhosting.com

      X-AntiAbuse: Original Domain - osu.edu

      X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

      X-AntiAbuse: Sender Address Domain - endeavorwebdesign.com

      X-Get-Message-Sender-Via: vps4520.inmotionhosting.com: authenticated_id: webmaster@...

      X-Source:

      X-Source-Args:

      X-Source-Dir:

      X-EOPAttributedMessage: 2

      X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:

      Received-SPF: Fail (: domain of endeavorwebdesign.com does not designate

      207.46.163.243 as permitted sender) receiver=; client-ip=207.46.163.243;

      helo=na01-by2-obe.outbound.protection.outlook.com;

      Authentication-Results: spf=fail (sender IP is 207.46.163.243)

      smtp.mailfrom=webmaster@...;

      Return-Path: webmaster@...

      X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:

      X-Forefront-PRVS: 028256169F

      X-MS-Exchange-Organization-MessageDirectionality: Incoming

      X-MS-Exchange-Organization-Network-Message-Id: b12da29d-aa7b-4146-c1e5-08d1755e3623

      X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:

      X-MS-Exchange-Organization-AVStamp-Service: 1.0

      X-MS-Exchange-Organization-SCL: 5

      X-FOSE-spam: This message appears to be spam.

      X-MS-Exchange-Organization-AuthSource: BN1BFFO11FD029.protection.gbl

      X-MS-Exchange-Organization-AuthAs: Anonymous

       

      Thanks to all in advance!

       

      Carl Xie

      OCIO/Infrastructure/Enterprise Messaging Group

      Ohio State University

      614-688-4787

       

    • Viktor Dukhovni
      Message 2 of 8 , Jul 29, 2014
        On Tue, Jul 29, 2014 at 03:10:59PM +0000, Xie, Wei wrote:

        > Here we have a question about postfix. When the message passes by Postfix,
        > can Postfix automatically add line "Resent-From: <OSU email address>" in
        > the header?

        That would be wrong. "Resent-From:" is appropriate when a user
        takes a message delivered to his mailbox (possibly long after
        initial delivery) and resends it to another user (typically not an
        original recipient). It is not appropriate for simple forwarding
        to a recipient's mailbox.

        Whatever in-band signalling you might need should be something other
        than "Resent-From" (usually accompanied by Resent-To, Resent-Date, and
        Resent-Message-Id).

        If the forwarding is via local(8) aliases, the "Delivered-To:" header
        may be something along the lines of what you're looking for.

        There are also various extensions to Postfix to handle SPF and SRS.

        --
        Viktor.
      • Wietse Venema
        Message 3 of 8 , Jul 29, 2014
          Xie, Wei:
          > Greetings,
          >
          > Our OSU State University uses Microsoft exchange servers as our
          > main email system. Many users' email accounts are forwarding
          > accounts, which forward emails of name.n@...<mailto:name.n@...>
          > (i. e. smith.8113@...<mailto:smith.8113@...>) to other
          > email systems such as gmail, yahoo, Hotmail, Buckeyemail, etc.
          > Before these outbound emails are leaving from Ohio state university,
          > they are scanned by our Security DLP (Data Loss Protection) servers
          > on which MTA Postfix is running.
          >
          > Here we have a question about postfix. When the message passes by
          > Postfix, can Postfix automatically add line "Resent-From: <OSU
          > email address>" in the header?

          How would Postfix know that mail is forwarded from OSU Microsoft
          exchange servers? Is it mail with a non-OSU envelope sender from a
          system inside OSU? Must it also have a non-OSU envelope recipient?
          If the rule is complex, then I recommend using an external content
          filter. Amavisd-new supports policies that trigger on all kinds of
          message properties. Postfix is just an MTA.

          Wietse
        • Xie, Wei
          Message 4 of 8 , Jul 29, 2014
            Wietse,

            >>How would Postfix know out that mail is forwarded from OSU Microsoft exchange servers?
            Postfix only receives all outbound emails from 8 exchange hub servers. The email received by Postfix is probably 1) osu.edu account to non-osu.edu account; 2) osu.edu account to osu.edu forwarding account which is non-osu.edu email address; 3) non-osu.edu account to osu.edu forwarding account which is non-osu.edu address.

            >>Is it mail with a non-OSU envelope sender from a system inside OSU?
            Not really. For example, somebody from his/her yahoo account sends an email to my osu.edu email which is forwarded to my Hotmail account.

            >>Must it also have a non-OSU envelope recipient?
            From postfix logs, recipient address must be a non-OSU envelope recipient.

            >>If the rule is complex, then I recommend using an external content filter. Amavisd-new supports policies that trigger on all kinds of message properties. Postfix just an MTA.

            When I sent the mail to ask, I felt our rule is a little complicated. Can't Postfix header_checks perform too complicated rules? Amavisd-new may be another big change to us, but this is an option.

            Thanks,

            Carl

            -----Original Message-----
            From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Wietse Venema
            Sent: Tuesday, July 29, 2014 11:33 AM
            To: Postfix users
            Subject: Re: Can Postfix automatically add line "Resent-From: <email address>" in the header?

            Xie, Wei:
            > Greetings,
            >
            > Our OSU State University uses Microsoft exchange servers as our main
            > email system. Many users' email accounts are forwarding accounts,
            > which forward emails of name.n@...<mailto:name.n@...>
            > (i. e. smith.8113@...<mailto:smith.8113@...>) to other email
            > systems such as gmail, yahoo, Hotmail, Buckeyemail, etc.
            > Before these outbound emails are leaving from Ohio state university,
            > they are scanned by our Security DLP (Data Loss Protection) servers on
            > which MTA Postfix is running.
            >
            > Here we have a question about postfix. When the message passes by
            > Postfix, can Postfix automatically add line "Resent-From: <OSU email
            > address>" in the header?

            How would Postfix know that mail is forwarded from OSU Microsoft exchange servers? Is it mail with a non-OSU envelope sender from a system inside OSU? Must it also have a non-OSU envelope recipient?
            If the rule is complex, then I recommend using an external content filter. Amavisd-new supports policies that trigger on all kinds of message properties. Postfix is just an MTA.

            Wietse
          • Xie, Wei
            Message 5 of 8 , Jul 29, 2014
              Viktor,

              >> Here we have a question about postfix. When the message passes by
              >> Postfix, can Postfix automatically add line "Resent-From: <OSU email
              >> address>" in the header?
              >
              >That would be wrong. "Resent-From:" is appropriate when a user takes a message delivered to his mailbox (possibly long after initial delivery) and resends it to another user (typically not an original recipient). It is not appropriate for simple forwarding to a recipient's mailbox.

              We understand what you mean. Our boss just asks whether the change can be made.

              >>Whatever in-band signalling you might need should be something other than "Resent-From" (usually accompanied by Resent-To, Resent-Date, and Resent-Message-Id).

              If we like to add line Resent-to: <OSU email address>, is it possible for Postfix?

              >> If the forwarding is via local(8) aliases, the "Delivered-To:" header may be something along the lines of what you're looking for.

              The forwarding is not in local aliases. We have 100,000+ forwarding accounts. It is tough to add so many forwarding accounts into 8 Postfix servers and keep real time update.

              >> There are also various extensions to Postfix to handle SPF and SRS.

              Would you please talk a little more about above topic?

              Thanks,

              Carl

              -----Original Message-----
              From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Viktor Dukhovni
              Sent: Tuesday, July 29, 2014 11:32 AM
              To: postfix-users@...
              Subject: Re: Can Postfix automatically add line "Resent-From: <email address>" in the header?

              On Tue, Jul 29, 2014 at 03:10:59PM +0000, Xie, Wei wrote:

              > Here we have a question about postfix. When the message passes by
              > Postfix, can Postfix automatically add line "Resent-From: <OSU email
              > address>" in the header?

              That would be wrong. "Resent-From:" is appropriate when a user takes a message delivered to his mailbox (possibly long after initial delivery) and resends it to another user (typically not an original recipient). It is not appropriate for simple forwarding to a recipient's mailbox.

              Whatever in-band signalling you might need should be something other than "Resent-From" (usually accompanied by Resent-To, Resent-Date, and Resent-Message-Id).

              If the forwarding is via local(8) aliases, the "Delivered-To:" header may be something along the lines of what you're looking for.

              There are also various extensions to Postfix to handle SPF and SRS.

              --
              Viktor.
            • Viktor Dukhovni
              Message 6 of 8 , Jul 29, 2014
                On Tue, Jul 29, 2014 at 06:28:29PM +0000, Xie, Wei wrote:

                > >> There are also various extensions to Postfix to handle SPF and SRS.
                >
                > Would you please talk a little more about above topic?

                Postfix neither has nor should have any built-in feature to add
                "Resent-From:", it is not only the wrong header to use, but the
                modification is recipient dependent, and messages can have multiple
                recipients, so such modifications are only possible at delivery
                time, when the envelope is "split" to one recipient per transaction.

                Forwarding via virtual(5) aliases happens on input, before the
                envelope is split for delivery, and cannot and does not modify
                message content. Forwarding to a single recipient at a time, via
                a delivery agent like local(8) can modify the message content
                (headers). Currently, a "Delivered-To" header is added. One might
                add features to add more headers (ideally not misuse Resent-From).

                You can create a pipe(8) or similar delivery agent or even an SMTP
                proxy filter configured for single-recipient concurrency that
                performs the relevant content modifications.

                --
                Viktor.
              • Wietse Venema
                Message 7 of 8 , Jul 29, 2014
                  Xie, Wei:
                  > Can't Postfix header_checks perform too complicated rules? Amavisd-new
                  > maybe another big change to us, but this is option.

                  Sorry, delivery decisions MUST NOT be made based on email headers.

                  Email headers do not say where mail comes from, and they do not say
                  where mail goes to.

                  If this is a surprise to you, then you only have to look at this
                  mailing list message. It has my porcupine.org address in the From:
                  header, but it was distributed from cloud9.net. It was delivered
                  to you, but it does not have your address in the header.

                  I recommend that you read up on RFC 5321 and RFC 5322, the Internet
                  email standards.

                  Wietse
                • Wietse Venema
                  Message 8 of 8 , Jul 29, 2014
                    Xie, Wei:
                    > Here we have a question about postfix. When the message passes by
                    > Postfix, can Postfix automatically add line "Resent-From: <OSU
                    > email address>" in the header?

                    Postfix will add a "Delivered-To: <OSU email address>" header,
                    when it delivers mail to a non-virtual alias, or to a user. If the
                    user forwards the mail with a .forward file or with a procmail rule,
                    then the forwarded message will contain that "Delivered-To:" header.

                    Other forms of Postfix email forwarding silently replace the recipient
                    address, without adding information to the message header.

                    As noted in other follow-ups, Resent-from is not appropriate. It
                    already has a meaning that is different than what you request.

                    Wietse
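
The two points made in the replies above (content changes that depend on the recipient are only possible once the envelope has been split to one recipient per transaction, and decisions belong to the envelope rather than the headers) can be shown with a small single-recipient filter. This is an added example, not code from the thread or from Postfix; the header name `X-Example-Envelope`, the domain `example.edu`, the sample message and the calling convention (envelope sender and one recipient as arguments, as a pipe(8)-style agent could be given them) are assumptions.

```python
"""Stamp one copy of a message per envelope recipient, using only the envelope."""
import re
import sys

LOCAL_DOMAINS = {"example.edu"}        # assumption: domains this site owns
TRACE_HEADER = b"X-Example-Envelope"   # hypothetical name, not a standard header

# Conservative address shape: no whitespace, control characters or angle brackets.
_ADDR = re.compile(r"[^\s<>@\x00-\x1f\x7f]+@[^\s<>@\x00-\x1f\x7f]+")

# Constructed sample: the To: header names the forwarding account, while the
# envelope recipient (passed separately) is the external destination.
SAMPLE = (b"From: <webmaster@example.com>\n"
          b"To: <test.13@example.edu>\n"
          b"Subject: Test\n"
          b"\n"
          b"body\n")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _check(addr):
    """Reject envelope values that could inject extra header lines."""
    if len(addr) > 254 or not _ADDR.fullmatch(addr):
        raise ValueError("unsafe envelope address: %r" % addr)
    return addr.encode("ascii")  # non-ASCII raises UnicodeEncodeError (a ValueError)


def stamp(raw, sender, recipient):
    """Prepend a trace header when neither envelope address is local.

    The To:/From: headers are never consulted: they do not say where the
    mail came from or where this copy is going.
    """
    if not sender:                     # null sender <> (bounces): leave untouched
        return raw
    s, r = _check(sender), _check(recipient)
    if _domain(sender) in LOCAL_DOMAINS or _domain(recipient) in LOCAL_DOMAINS:
        return raw
    # Match the message's own line ending so the header block stays consistent.
    eol = b"\r\n" if raw.split(b"\n", 1)[0].endswith(b"\r") else b"\n"
    return TRACE_HEADER + b": from=<" + s + b">; rcpt=<" + r + b">" + eol + raw


def deliver_each(raw, sender, recipients):
    """Model the envelope split: one independently stamped copy per recipient."""
    return {rcpt: stamp(raw, sender, rcpt) for rcpt in recipients}


def main(argv):
    # Usage: filter.py SENDER RECIPIENT < message > stamped-message
    # Re-injecting the result into the mail system is left to the deployment.
    sender, recipient = argv[1], argv[2]
    sys.stdout.buffer.write(stamp(sys.stdin.buffer.read(), sender, recipient))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because each copy carries a different header, the filter only makes sense when it is run with one recipient per invocation.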