[Pymilter] pysrs - Preventing SRS if "From" address is local

fleece at compuserve.com
Mon Aug 14 12:25:11 EDT 2023


@Stuart, first, thanks for your contributions to SPF, internet email, and the pymilter and pysrs open source software.

@All, 

I'm having trouble with my new pysrs (socketmap) and sendmail solution.  My install is unnecessarily rewriting the sender with SRS for outgoing email originally sent from the home domain.  Any thoughts on root cause, and a fix/workaround?

The forwarding to a single recipient is working great using sendmail's virtusertable and SRS. Incoming email to the local domain that is not forwarded is ignored as expected. I haven't yet been able to test a bounce case (Return-Path) with forwarded SRS-signed emails and multiple MTA hops after the forward.  I'm using sendmail 8.14.4-9.el6_8.1, python-pymilter 1.0-1.el6 (rpm), python-pysrs-1.0-4 (rpm). SELinux is disabled. I know el6 is old and out of usual security support.
 
After reviewing the m4 macro and python code (I'm a novice at these languages), it seems pysrs should prevent SRS if the "From" address is local, as noted in this m4 macro code and its comments...

/usr/share/sendmail-cf/hack/pysrs.m4 (excerpt):

> SMakeSrs
> ifdef(`NO_SRS_FROM_LOCAL',`dnl
> #
> # Prevent SRS encapsulation if "From" address is local
> # (With a local from address, the forwarder mail will pass any SPF checks
> # anyways, so why bother with SRS?)
> R$* < @ $=w > $*                $@ $1 < @ $2 > $3
> R$* < @ $=w . > $*              $@ $1 < @ $2 . > $3
> ')dnl
> R$*                             $: $&h $| $1


Here's the relevant config and logging to help understand my install and its behavior...

In the examples below, "bob.net" is my local domain (fictional here for security reasons).  I have some users who still need to receive at bob.net but have moved on to outlook.com and marymail.com as their regular mailboxes, so these users' incoming email needs to be forwarded. Outlook.com (our beloved Microsoft) and marymail.com (fictional) have recently been rejecting forwarded emails due to strict DMARC requiring valid SPF.

/etc/mail/pysrs.cfg:

> # sample SRS configuration
> [srs]
> secret="--redacted--"
> maxage=21
> hashlength=5
> # if defined, SRS uses a database for opaque rewriting
> ;database=/var/log/milter/srsdata
> # sign these domains using SES to prevent forged bounces instead of SRS
> ;ses = localdomain1.com, localdomain2.org
> # sign these domains using SRS in signing mode to prevent forged bounces
> sign = bob.net
> # rewrite all other domains to this domain using SRS
> fwdomain = bob.net
> # reject unsigned mail to these domains in pymilter (used by pymilter)
> ;srs = otherdomain.com
> # do not rewrite mail to these domains
> ;nosrs =


/etc/mail/sendmail.mc (excerpt):

> INPUT_MAIL_FILTER(`opendkim', `S=inet:8891 at localhost, T=S:30s;R:1m')
> MAILER(`smtp')
> define(`NO_SRS_FILE',`/etc/mail/no-srs-mailers')
> define(`NO_SRS_FROM_LOCAL')
> HACK(`pysrs',`/var/run/milter/pysrs')
> LOCAL_RULESETS
> LOCAL_CONFIG


/var/log/milter/pysrs.log (excerpt with 'redct' for varying hash):

> 2023Aug14 09:34:12 make_srs outlook.com. rewards<@e.starbucks.com.>
> 2023Aug14 09:34:12 h = outlook.com.
> 2023Aug14 09:34:12 OK SRS0=redct=D7=e.starbucks.com=rewards<@bob.net.>
> 2023Aug14 10:00:43 make_srs marymail.com. v-cofhfic_bglmbiifjmj_jgekmhnj_jgekmhnj_a<@bounce.mail.visticgardens.com.>
> 2023Aug14 10:00:43 h = marymail.com.
> 2023Aug14 10:00:43 OK SRS0=redct=D7=bounce.mail.visticgardens.com=v-cofhfic<@bob.net.>
> 2023Aug14 10:21:23 make_srs outlook.com. bounce-1234-momam=bob.net<@s1.csa1.acemsc2.com.>
> 2023Aug14 10:21:23 h = outlook.com.
> 2023Aug14 10:21:23 OK SRS0=redct=D7=s1.csa1.acemsc2.com=bounce-1234-momam=bob.net<@bob.net.>
> ...
> 2023Aug14 11:03:14 make_srs outlook.com. bounce-88_html-168208427-5190397-6170071-5012<@bounce.email.undercovertourist.com.>
> 2023Aug14 11:03:14 h = outlook.com.
> 2023Aug14 11:03:14 OK SRS0=redct=D7=bounce.email.undercovertourist.com=bounce-88_html-1234<@bob.net.>
> 2023Aug14 11:08:30 make_srs marymail.com. vogel.park<@dnr.ga.gov.>
> 2023Aug14 11:08:30 h = marymail.com.
> 2023Aug14 11:08:30 OK SRS0=tSBBi=D7=dnr.ga.gov=nice.park<@bob.net.>

Note: In the same log below you can see the problem with my outgoing email (sam at bob.net) sent from my internal mail server and local domain...

> 2023Aug14 10:52:53 make_srs gmail.com. sam<@bob.net.>
> 2023Aug14 10:52:53 h = gmail.com.
> 2023Aug14 10:52:53 OK SRS0=redct=D7==sam<@bob.net.>


I cannot reasonably exempt gmail with NO_SRS_FILE, as I need to send to countless domains.

Thanks for any help one can offer.

Sam F.
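Editor's note, added after the post above: the following Python is an illustrative model of the decision flow the post describes, not pysrs's own code. It implements a small SRS0 rewriter (two-character base32 day timestamp, truncated base64 HMAC-SHA1 hash, the `=` separator seen in the log) and then applies the rules in the order the page shows them: first the sendmail-side NO_SRS_FROM_LOCAL exemption (`$=w`, class w, modelled here by the assumed set `LOCAL_HOSTS`), then the socketmap side, which per the comments in pysrs.cfg signs senders in the `sign` domains and rewrites every other sender to `fwdomain`. The secret, the contents of class w, the fixed clock value and the function names are assumptions made for the example; the sender addresses are taken from the post's log.

```python
"""Toy model of the SRS decision flow from the post: sendmail's
NO_SRS_FROM_LOCAL exemption (class w) first, then the pysrs socketmap side,
which per the pysrs.cfg comments signs `sign` domains and rewrites every
other sender to `fwdomain`.  Added illustration, not pysrs's own code."""
import base64
import hashlib
import hmac
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
SEP = "="                                     # separator used in the post's log


class Srs:
    """Minimal SRS0: timestamp = days since epoch mod 1024 as two base32
    characters; hash = first `hashlength` chars of base64(HMAC-SHA1(secret,
    timestamp + host + user)), all lowercased before hashing."""

    def __init__(self, secret, maxage=21, hashlength=5):
        self.secret = secret.encode()   # assumed secret; real one is in pysrs.cfg
        self.maxage = maxage
        self.hashlength = hashlength

    def timestamp_create(self, now=None):
        days = int((time.time() if now is None else now) // 86400)
        return BASE32[(days >> 5) & 31] + BASE32[days & 31]

    def timestamp_check(self, ts, now=None):
        days = int((time.time() if now is None else now) // 86400)
        then = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
        return (days - then) % 1024 <= self.maxage   # modulo handles the 1024-day wrap

    def hash_create(self, *parts):
        msg = "".join(p.lower() for p in parts).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha1).digest()
        return base64.b64encode(digest).decode()[: self.hashlength]

    def forward(self, sender, fwdomain, now=None):
        """Forwarding mode: user@orig -> SRS0=HHHHH=TT=orig=user@fwdomain."""
        user, _, host = sender.rpartition("@")
        ts = self.timestamp_create(now)
        return f"SRS0{SEP}{self.hash_create(ts, host, user)}{SEP}{ts}{SEP}{host}{SEP}{user}@{fwdomain}"

    def sign(self, sender, now=None):
        """Signing mode: user@dom -> SRS0=HHHHH=TT==user@dom (empty host field)."""
        user, _, host = sender.rpartition("@")
        ts = self.timestamp_create(now)
        return f"SRS0{SEP}{self.hash_create(ts, '', user)}{SEP}{ts}{SEP}{SEP}{user}@{host}"

    def reverse(self, address, now=None):
        """Undo forward()/sign() for a bounce; raise ValueError on forgery or expiry."""
        local, _, domain = address.rpartition("@")
        if not local.startswith("SRS0" + SEP):
            raise ValueError("not an SRS0 address")
        h, ts, host, user = local[5:].split(SEP, 3)   # user part may itself contain '='
        if not self.timestamp_check(ts, now):
            raise ValueError("SRS timestamp expired")
        if not hmac.compare_digest(h, self.hash_create(ts, host, user)):
            raise ValueError("bad SRS hash")
        return f"{user}@{host or domain}"


# Constructed config mirroring the post's pysrs.cfg / sendmail.mc; values assumed.
LOCAL_HOSTS = {"bob.net", "mail.bob.net"}   # stands in for sendmail class w ($=w)
CFG = {"sign": {"bob.net"}, "fwdomain": "bob.net", "nosrs": set()}


def make_srs(srs, rcpt_host, sender, local_hosts=LOCAL_HOSTS, cfg=CFG, now=None):
    """Model of SMakeSrs plus the socketmap: returns (decision, envelope sender)."""
    user, _, host = sender.rpartition("@")
    host, rcpt_host = host.rstrip(".").lower(), rcpt_host.rstrip(".").lower()
    if host in local_hosts:        # R$* < @ $=w > $*   $@ $1 < @ $2 > $3  (NO_SRS_FROM_LOCAL)
        return "local", sender
    if rcpt_host in cfg["nosrs"]:  # "do not rewrite mail to these domains"
        return "nosrs", sender
    if host in cfg["sign"]:        # "sign these domains using SRS in signing mode"
        return "sign", srs.sign(f"{user}@{host}", now)
    return "forward", srs.forward(f"{user}@{host}", cfg["fwdomain"], now)


def verify_bounce(srs, address, now=None):
    """Reverse side for a returning bounce: (original sender, None) or (None, reason)."""
    try:
        return srs.reverse(address, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    srs = Srs("--redacted--", maxage=21, hashlength=5)
    now = 1692000000  # 2023-08-14 08:00 UTC, the day of the post's log; timestamp "D7"
    for rcpt, sender in [("gmail.com", "sam@bob.net"),
                         ("outlook.com", "rewards@e.starbucks.com"),
                         ("outlook.com", "bounce-1234-momam=bob.net@s1.csa1.acemsc2.com")]:
        decision, env = make_srs(srs, rcpt, sender, now=now)
        print(f"{decision:8} {sender} -> {env}")
        if decision == "forward":
            print("         bounce ->", verify_bounce(srs, env, now))
    print("no class w match:", make_srs(srs, "gmail.com", "sam@bob.net", local_hosts=set(), now=now))
```

Two things the model makes visible. First, the `$=w` rule runs before the socketmap lookup, so a sender domain that is in class w never reaches `make_srs` at all; a sender that does show up in a `make_srs` log line was, by construction of the m4 rule quoted above, not matched by `$=w`. You can list what sendmail actually has in that class with `echo '$=w' | sendmail -bt`. Second, with the class w exemption removed the model's signing mode produces `SRS0=hash=TT==user@bob.net`, with an empty host field between the two `=`; that is the shape pysrs.cfg's `sign` comment describes, and it is the shape of the last log line in the post.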


