Re: [PATCH] hooks--update: new, required, config variable: hooks.envelopesender,

[Jim Meyering <jim@meyering.net>]

> On Friday 2007 March 23 15:25, Jim Meyering wrote:
>> Andy Parkins <andyparkins@gmail.com> wrote:
>> > On Friday 2007 March 23 13:29, Jim Meyering wrote:
>> >> It works for me using the sendmail from sendmail, and I have tested
>> >> this with the one from postfix, too.
>> >
>> > Is your user set as a trusted user for sendmail though?
>>
>> No.  There is no need for that.
>>
>> > As a normal user wouldn't be allowed to do it.
>>
>> You mean with exim's sendmail?
>> sendmail -f alt-envelope-sender works just fine when run by a
>> non-privileged user when it's Sendmail's sendmail or the one from Postfix.
>> It's a shame if it doesn't work with exim's implementation.
>
> Okay; I went and found a sendmail manpage:
>
> "-fname       Sets the name of the ``from'' person (i.e., the sender of the
>               mail).  -f can only be used by ``trusted'' users (normally
>               root,  daemon, and network) or if the person you are trying to
>               become is the same as the person you are."
>
> Seems the same as exim to me.  Perhaps your distribution sets it up to allow
> if for anyone?

I suspect that the above is from older documentation.
As you'll see in the excerpts below, the "can only be used"
is replaced with "should...", to permit using -f in cases like mine.

The documentation from sendmail-8.11.7/doc/op/op.me says this:

-f addr   The envelope sender address is set to addr.  This
          address  may  also  be used in the From: header if
          that header is missing during initial  submission.
          The envelope sender address is used as the recipi-
          ent for delivery status notifications and may also
          appear in a Return-Path: header.

Then, in cf/README, they explain the trusted-users file is solely
to avoid a warning:

use_ct_file     Read the file /etc/mail/trusted-users file to get the
                names of users that will be ``trusted'', that is, able to
                set their envelope from address using -f without generating
                a warning message.  The actual filename can be overridden
                by redefining confCT_FILE.

A quick search found lots like this:
  http://www.linuxmanpages.com/man8/sendmail.8.php

    -fname
        Sets the name of the ``from'' person (i.e., the envelope sender of
        the mail). This address may also be used in the From: header if
        that header is missing during initial submission. The envelope
        sender address is used as the recipient for delivery status
        notifications and may also appear in a Return-Path: header. -f
        should only be used by ``trusted'' users (normally root, daemon,
        and network) or if the person you are trying to become is the
        same as the person you are. Otherwise, an X-Authentication-Warning
        header will be added to the message.

So that was classic sendmail (8.11.7).  Here's the description of -f
for postfix's sendmail (man sendmail):

       -f sender
              Set the envelope sender  address.  This  is  the  address  where
              delivery problems are sent to. With Postfix versions before 2.1,
              the  Errors-To:  message  header  overrides  the  error   return
              address.

In addition, I have tested this by sending myself a message
via printf '...' |sendmail -f nobody@nowhere.com -oi -t -v, and
examined the headers in the received messages.  The first I sent
from a system running sendmail-8.11.7, the second from one running
Debian/unstable's Postfix 2.3.8-2.  Both were sent by a "regular" (non-root)
user, and the envelope sender was the requested "nobody@nowhere.com"
in each case.

> So; in short: I don't have a good answer to offer you, and it seems that "-f"
> is working for you.

Yes, it does work for me.  And it would work for anyone with
sendmail or Postfix.  Whether it works for an exim-based
sendmail is a question of policy, and the default in Debian-based
systems is to allow it:

>From /etc/exim4/conf.d/main/02_exim4-config_options:

  .ifndef MAIN_FORCE_SENDER
  local_from_check = false
  local_sender_retain = true
  untrusted_set_sender = *
  .endif

> However, I'm still not convinced that this is the
> correct thing to do in the default hook.  My main gripe is still all
> these "trusted user" paragraphs in the MTA manual pages.

There is a legitimate need for this functionality, and -f does
usually work, so how about a compromise:

  Include support for using sendmail's "-f envelope-sender" option
  in the default hook, but enable it only if/when hooks.envelopesender
  is set in the config file.