4

I'm sending mails from PHP using postfix at ubuntu:

mail($to, $subject, $body, "Return-Path: <test@mail.com>");

Trying to set Return-Path header but it seems that postfix rewrites it to user@serverdomain

Found in postfix documentation message_drop_headers variable that by default has value bcc, content-length, resent-bcc, return-path

Tried to change it's value in postfix/main.cf but it gives warning on start:

/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: message_drop_headers=bcc content-length resent-bcc

What could be the reason? How can I configure postfix not to rewrite Return-Path header?

Index
  • 676
  • 1
  • 10
  • 27

2 Answers2

4

Setting the Return-Path: header on outbound email is pointless because it will be replaced by the recipient's MTA. If you want to control what gets written there, set the envelope sender (traditionally, sendmail -f address@example.com)

In some more detail, when you send a message, there are two layers: An envelope, which specifies the actual recipients, and the message itself, which often contains headers with the same information ... but sometimes it doesn't, and sometimes those headers lie, blatantly.

When that message is delivered to a recipient, the receiving MTA (Sendmail or Postfix or Exchange or what have you) will copy the envelope sender information into the Return-Path: header, adding one if it's missing, and usually simply overwriting it if it already existed.

So it doesn't really matter how you configure Return-Path: on your outgoing server; in order to properly control this, you would need to control the receiving behavior on every server which delivers the message to a recipient.

As a trivial example, subscribe to a public mailing list, observe how the headers often say something like:

From: Popular mailing list <popular-list@example.com>
To: Popular mailing list <popular-list@example.com>

And yet it arrived in your inbox. How did that happen? Why, by way of the envelope recipient information. The list software basically adds a Bcc: to every subscriber, but also convinces the server to ignore the actual To: address in the headers. This is surprising until you realize that the headers actually don't matter, and only the envelope addresses actually control where the message is eventually delivered.

Briefly, the envelope is specified by the SMTP MAIL FROM: and RCPT TO: verbs which are defined in RFC5321 (originally 822) and the actual message (including all the headers) are communicatd in the SMTP DATA section which is really just pure data as far as SMTP is concerned at this point. Their specification is RFC5322 (née 822) and once a message is actually delivered, the receiving server will actually add some headers of its own, but the From: and To: headers are still just basically ignored.

Community
  • 1
  • 1
tripleee
  • 175,061
  • 34
  • 275
  • 318
  • It's not pointless because it may disclose information you want to keep private. – greg Aug 30 '17 at 12:24
  • 1
    You are still disclosing that information, while also pointlessly adding a redundant `Return-Path:` header which does not prevent this disclosure. – tripleee Aug 30 '17 at 12:31
  • how am I disclosing this information, considering it's only in the return-path header? my co-worker found a way to prevent postfix from adding it, therefore it's not anywhere in the message anymore. – greg Aug 30 '17 at 18:23
  • 2
    The thing which ends up in the `Return-Path:` header is whatever is in the envelope sender. You are not masking the envelope in any way by overriding or suppressing the header because it gets added at the *recipient* end based on whatever was in the envelope. I don't see how I can make this any clearer, except maybe by asking you to make sure you understand what the SMTP envelope is (hint: the headers are a completely separate thing, and generally do not affect the envelope). If the thing you want to keep secret ends up in the envelope, it leaks, and you have failed to keep it secret. – tripleee Aug 30 '17 at 18:31
0

The solution is to declare a smtp_generic_maps table in Postfix main.cf and list local user and corresponding email in it.

For example : www-data test@mail.com

Look at https://www.postfix.org/generic.5.html for more infos.

Of course use only a real domain you manage and with at least a SPF record allowing sending mails from this server.

Patrick PREMARTIN
  • 282
  • 3
  • 7