Rewrite 'from' header to enable forwarding to overcome dmarc restrictions?
Furnish, Trever G
2014-05-06 19:27:33 UTC
My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments.

Is there any way anyone can suggest to get around this? At this point I'm even pondering just modifying the mailscanner code directly or trying to hook in an 'always called last' function to modify the message.

What's happening now:
MailScanner creates a new message and attaches the original. In both the new message and the attached original, there is a "From:" header saying e.g. "From: bob at aol.com".

What I wanted to happen:
Mailscanner would create a new message and attach the original. In the NEW message the From header would have value "postmaster at mydomain.com" or some such.

Any suggestions?

--
Trever Furnish, tgfurnish at herffjones.com
Solutions Architect
Herff Jones Server Solutions Group (SSG)
Phone: 317.612.3519 Cell: 317.366.9258
Jerry Benton
2014-05-06 20:09:10 UTC
I would suggest using your MTA to do this. Much easier.


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
Jerry Benton
Mailborder Systems
www.mailborder.com
Furnish, Trever G
2014-05-07 03:01:30 UTC
Jerry, can you elaborate? The mailscanner is only in the picture as a tool because we couldn't get the "normal" MTA to do the job -- the "normal" MTA is Exchange. For the mailscanner itself, the MTA is sendmail.

The envelope sender was easily handled - however that's not enough, because the receivers are actually looking not just at the envelope but also at several of the message headers.

Mark Sapiro
2014-05-06 20:10:55 UTC
Post by Furnish, Trever G
My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments.
The real question here is why is your "dumb forward" breaking the
original DKIM signature from Yahoo or AOL?

I am a Mailman developer, and we've been dealing with the fallout from
this for weeks now. But the bottom line is that while I have had to
invoke several mitigations in my production lists to operate in spite of
DMARC p=reject policies, my forwarders (Postfix aliases) continue to
work with no changes, even for mail from Yahoo.com forwarded to
addresses in domains known to honor Yahoo's DMARC p=reject, even with
the addition of X-...-MailScanner* headers:

My suggestion would be to work on whatever in the forwarding process is
breaking the original DKIM sig. Certain things like MailScanner
"disarming" will do it for sure, but for a message for which MailScanner
doesn't modify the body or Subject:, you should be OK.
Post by Furnish, Trever G
Any suggestions?
We have two basic ways of dealing with this in Mailman. Neither is ideal.

Method 1 we call Munge From. We take a message e.g.,

To: mailscanner at lists.mailscanner.info
From: Joe Blow <user at example.com>

and make it

From: Joe Blow via MailScanner discussion
<mailscanner at lists.mailscanner.info>

and add

Reply-To: Joe Blow <user at example.com>

For Method 2 which we call Wrap Message, we basically create a new
message with From: and Reply-To: as in Munge From and attach the
original message to it.

I'm not sure how easy it would be to make MailScanner do this.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
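Mark's two methods above, as an added example that is not Mailman's or MailScanner's code: "Munge From" and "Wrap Message" applied to a constructed sample message with Python's standard `email` package. The list address and display name are the ones in the thread; the sample message, its author and its Message-ID are constructed for the example.

```python
"""Added example, not Mailman's or MailScanner's code: Mark's two
mitigations ("Munge From" and "Wrap Message") implemented with Python's
standard email library. The list address and display name are taken from
the thread; the sample message below is constructed."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "mailscanner@lists.mailscanner.info"  # list address from the thread
LIST_NAME = "MailScanner discussion"              # list display name from the thread

# Constructed sample: a post from an author whose domain might publish p=reject.
SAMPLE = """\
From: Joe Blow <user@example.com>
To: mailscanner@lists.mailscanner.info
Subject: test post
Message-ID: <constructed-0001@example.com>

Hello list.
"""


def parse(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text into an EmailMessage (policy.default)."""
    return message_from_string(raw, policy=policy.default)


def _via_list(original: EmailMessage) -> tuple:
    """Return (munged From: value, Reply-To: value) for the original author."""
    name, addr = parseaddr(str(original["From"]))
    author = name or addr
    return (formataddr((f"{author} via {LIST_NAME}", LIST_ADDR)),
            formataddr((name, addr)))


def munge_from(raw: str) -> EmailMessage:
    """Method 1 (Munge From): From: is rewritten to the list address, so a
    receiver checks DMARC alignment against the list's domain, and the author
    stays reachable through Reply-To:. Rewriting From: invalidates any DKIM
    signature the author's domain put on the message (DKIM always covers
    From:), so the list must DKIM-sign the result itself."""
    msg = parse(raw)
    new_from, reply_to = _via_list(msg)
    del msg["From"]            # a message must carry exactly one From:
    msg["From"] = new_from
    if "Reply-To" not in msg:  # keep an author-supplied Reply-To: if present
        msg["Reply-To"] = reply_to
    return msg


def wrap_message(raw: str) -> EmailMessage:
    """Method 2 (Wrap Message): build a fresh message From: the list with
    Reply-To: the author and attach the untouched original as message/rfc822,
    which keeps the original headers and DKIM signature intact inside."""
    original = parse(raw)
    new_from, reply_to = _via_list(original)
    outer = EmailMessage()
    outer["From"] = new_from
    outer["To"] = str(original["To"])
    outer["Reply-To"] = reply_to
    outer["Subject"] = str(original["Subject"])
    outer.set_content("The original message is attached; use Reply-To: to "
                      "reach the author directly.")
    outer.add_attachment(original)  # stored as a message/rfc822 part
    return outer


if __name__ == "__main__":
    print(munge_from(SAMPLE))
    print(wrap_message(SAMPLE))
```

Either method only helps once the list or forwarder DKIM-signs the outgoing message for its own domain, since that signature is what the receiver's DMARC check aligns against the new From:. Wrap Message has the advantage that the author's original signature survives untouched inside the attachment, which is also why MailScanner's own wrapping, as described at the top of the thread, is so close to working: the only missing piece is the From: on the outer message.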
Furnish, Trever G
2014-05-07 03:03:43 UTC
Hi, Mark. It's not breaking dkim, it's violating the receiver's implementation of SPF, which appears to be looking not just at the envelope header, but also at message headers -- I wonder whether this means they have actually implemented SenderID rather than SPF.

The envelope sender was easily handled - however that's not enough, because the receivers are actually looking not just at the envelope but also at several of the message headers.

Mark Sapiro
2014-05-07 03:35:21 UTC
Post by Furnish, Trever G
Hi, Mark. It's not breaking dkim, it's violating the receiver's implementation of SPF, which appears to be looking not just at the envelope header, but also at message headers -- I wonder whether this means they have actually implemented SenderID rather than SPF.
If the message is DKIM signed by the domain of the address in From:, it
should pass DMARC as long as the signature is valid.

The tests are:
Is there a valid DKIM signature with a d= domain that "aligns" (a DMARC
technical term) with the domain of the From: address

or

Does the server pass SPF and does the domain of the envelope sender (the
SPF domain) "align" with that of the From: header.

Forwarding will break SPF alignment, but if there is an original DKIM
sig and it is valid, the message should still pass DMARC.

See the spec at
<https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/> and lots
of descriptive info at <http://www.dmarc.org/>
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
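The two alignment tests Mark lists, as an added example that is not from the thread or from any real DMARC verifier. It evaluates a receiver's SPF and DKIM results against the From: domain and runs the forwarding cases discussed above, showing why a plain forward with an intact DKIM signature still passes while one that broke the signature does not. The organizational-domain rule is simplified to "last two labels" as an assumption for the example; real verifiers consult the Public Suffix List. `forwarder.example` is a constructed domain.

```python
"""Added example, not from the thread or any DMARC implementation: a
minimal evaluator of the two DMARC alignment tests Mark lists. The
organizational-domain rule is simplified to "last two labels" (an assumption
for this example; real verifiers use the Public Suffix List). Domain names
in the scenarios are constructed, apart from those already in the thread."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment. Mode "s" (strict, adkim=s / aspf=s) needs an exact
    match; mode "r" (relaxed, the default) needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """What a receiver knows after running SPF and DKIM on one message."""
    from_domain: str                        # domain of the RFC5322.From address
    dkim_pass_domains: list = field(default_factory=list)  # d= of every valid signature
    spf_result: str = "none"                # "pass", "fail", "softfail", "none", ...
    mail_from_domain: str = ""              # envelope sender domain (the SPF domain)


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if EITHER an aligned DKIM signature verifies OR SPF passes
    with an aligned envelope sender; only when both fail does the sender's
    published policy (p=reject etc.) apply."""
    dkim_aligned = any(aligned(d, r.from_domain, adkim) for d in r.dkim_pass_domains)
    spf_aligned = (r.spf_result == "pass"
                   and bool(r.mail_from_domain)
                   and aligned(r.mail_from_domain, r.from_domain, aspf))
    return {"dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned}


def forwarding_scenarios() -> dict:
    """Constructed cases matching the thread. forwarder.example stands for the
    forwarding host's own domain after it rewrote the envelope sender."""
    return {
        # sent straight from the author's provider: both identifiers align
        "direct": dmarc_evaluate(
            AuthResults("yahoo.com", ["yahoo.com"], "pass", "yahoo.com")),
        # plain forward, body untouched: SPF no longer aligns, DKIM still does
        "forward_dkim_intact": dmarc_evaluate(
            AuthResults("yahoo.com", ["yahoo.com"], "pass", "forwarder.example")),
        # forward that altered body or Subject: DKIM broken, nothing aligns
        "forward_dkim_broken": dmarc_evaluate(
            AuthResults("yahoo.com", [], "pass", "forwarder.example")),
        # wrapped / munged: From: is now the forwarder's own DKIM-signed domain
        "wrapped_from_mydomain": dmarc_evaluate(
            AuthResults("mydomain.com", ["mydomain.com"], "pass", "mydomain.com")),
    }


if __name__ == "__main__":
    for name, verdict in forwarding_scenarios().items():
        print(f"{name:24} {verdict}")
```

The `forward_dkim_intact` case is Mark's point: fixing the envelope sender cannot restore SPF alignment, but it does not need to, provided nothing in the forwarding path touched the signed headers or body. When checking a real bounce, the receiver's Authentication-Results: header on a copy that did get through will show which of the two identifiers (if either) was still aligned.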
Jerry Benton
2014-05-07 05:40:55 UTC
Trever,

I use Postfix rather than sendmail, but it sounds like this is an issue
that can be handled by what Postfix calls canonical maps. However, I cannot
recall if the headers are correctly updated, but I think they are. I do not
recall seeing problems with DKIM or SPF when used with canonical maps, but
I could be wrong. It happens all the time. Just ask my wife.
--
Jerry Benton
Mailborder Systems
www.mailborder.com