[BALUG-Talk] Recommendations for email resender/"forwarder"? (infrastructure: Debian oldstable amd64, MTA exim4)
Glen Martin
glen@glen-martin.com
Sat Aug 12 18:18:38 PDT 2017
Rick rather correctly pointed out:
> shell pipelines in /etc/aliases are so notoriously a security hazard
> that modern MTAs of my experience disable parsing them by default, and
> you re-enable that parsing at your peril.
I completely agree with that! I'd imagined, perhaps erroneously, that
this query was about a local system over which posters have ~exclusive
control and thus some confidence of security, rather than work or some
multi-user system.
You can probably configure a milter to strip pre-existing DKIM on
outbound. I haven't tried. Maybe the milter stretches that way, maybe
you need to hack it. opendkim seems to have a config switch,
RemoveOldSignatures.
But as I mentioned, you may have to go a little further than just the
proper DKIM headers, eg non-standard DKIM and other provenance headers.
Google seems to be trying too hard to catch removal of DKIM; there are
more than a couple of X-G* and other headers in there that will give
away that they've seen the message before. I don't immediately see a way
to remove those trivially in opendkim milter.
Unforeseen consequences notwithstanding, I haven't had a complaint from
my recipients for a while, neither for something going missing, nor for
the flag of shame on my list messages, so I guess it is working. Part of
it might just be that I have a somewhat working DKIM, DMARC, SPF, etc
alphabet soup. :)
HTH
glen
On 8/12/2017 5:28 PM, Rick Moen wrote:
> Quoting Glen Martin (glen@glen-martin.com):
>
>> MLMs can achieve this, imperfectly, and are overkill. But they're
>> not magic, they just screw with the headers so downstream can't
>> detect the envelope or body changes.
> What you call screwing with the headers is, in my experience, the only
> way that retransmitted mail is going to arrive at its end-destination
> not seeming like an attempt to forge the upstream sender's domain.
>
>> Have you tried to use the pipe syntax of aliases, eg
>> don@linuxmafia.org: | /usr/sbin/DKIMstripper-sendmail.sh
>> donmarti@whereever.com
>> // I just made this up, don't shoot me
> Alas, shell pipelines in /etc/aliases are so notoriously a security
> hazard that modern MTAs of my experience disable parsing them by
> default, and you re-enable that parsing at your peril.
>
> Of course, there are other ways of stripping DKIM headers, and that's
> tempting. I can imagine any number of reasons why this action might
> end up having adverse consequences, though.
>
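One way to see what a re-signing forwarder is actually up against, as an added example that is not part of this thread or of opendkim: parse a message, list the DKIM signatures made by someone other than the forwarding domain (the ones that will fail once the list touches the message), and enumerate the prior-hop headers (DKIM, X-Google-*, X-Gm-*, ARC) that a milter would have to remove before signing. The header list, the sample message and the domain names are assumptions constructed for the example.

```python
from email import message_from_string, policy

# Headers that reveal a prior signing or handling hop (assumed list, not exhaustive).
SIGNATURE_HEADERS = ("dkim-signature", "x-google-dkim-signature", "arc-seal",
                     "arc-message-signature", "arc-authentication-results")
PROVENANCE_PREFIXES = ("x-google-", "x-gm-", "x-received")

def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags

def foreign_signatures(msg, our_domain):
    """d= domains of DKIM signatures we did not make; any edit here breaks them."""
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_dkim_tags(str(value)).get("d", "").lower()
        if d and d != our_domain.lower():
            out.append(d)
    return out

def headers_to_strip(msg):
    """Header names a re-signing forwarder would remove before signing."""
    return sorted({n for n in msg.keys() if n.lower() in SIGNATURE_HEADERS
                   or n.lower().startswith(PROVENANCE_PREFIXES)})

# Constructed sample message, not captured from any real sender.
SAMPLE = """\
X-Google-DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=s1; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject; bh=AAAA; b=CCCC
X-Gm-Message-State: constructed-placeholder
From: Sender <sender@example.com>
To: list@forwarder.example.org
Subject: test

body
"""

def demo(raw=SAMPLE, our_domain="forwarder.example.org"):
    """Return (foreign signer domains, headers removed, headers left)."""
    msg = message_from_string(raw, policy=policy.default)
    foreign, names = foreign_signatures(msg, our_domain), headers_to_strip(msg)
    for name in names:
        del msg[name]  # del removes every instance of that header name
    return foreign, names, sorted(msg.keys())
```

Run `demo()` to see that the upstream example.com signature is the one that would fail after the list edits the message, and that three prior-hop headers must go before the forwarder adds its own signature.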