Bug#377000: Exim4 envelope-sender action incompatible with private networks

Jack Carroll mykrowatt at comcast.net
Thu Jul 6 04:06:45 UTC 2006


Package: exim4-base
Version: 4.62-1

	By design, exim4 generates an envelope-sender address by
concatenating the user name and host FQDN, when the From: header contains an
e-mail address different from the user account and host name.  As described
in the manual, there is no way to turn this off; the no_local_from_check
statement only stops the generation of Sender: headers.
	This is intended as an anti-forgery feature, and it's acceptable on
a host that has both an IP address visible from the Internet and incoming
mail service.  For a host on a private network, it's a fatal bug which
causes the ISP's smarthost to reject all outgoing mail.
	Consider a workstation on a non-routable private network, behind an
iptables stateful firewall.  Outgoing mail is sent through the ISP's SMTP
server.  Incoming mail comes first to accounts on several public mail
servers which have static IP addresses and regular DNS names.  The host
retrieves mail from those incoming servers using fetchmail, and exim4
delivers it to the user's local mailbox.
	If an outgoing message to the ISP's mail server has an envelope
address of the form user@workstation.local, the server rejects it, because
the domain is invalid -- it can't be found in a DNS search starting at the
root servers.  Thus, a bounce message can't be sent back to that address. 
A bounce message couldn't be sent back to it anyway, because it's both on
a non-routable IP address, and it's behind a firewall that has no SMTP port
open on the Internet side.  So the mail server is behaving correctly in
rejecting it.
	exim4 provides the /etc/email-addresses configuration file.  This is
only a partial answer.  It allows each user account to have one e-mail
address which is substituted into the envelope-sender address for all
outgoing messages.  If the file contains several lines of the form
user:address, only the first such line is effective.  All messages from that
user, regardless of the From: header, get that same envelope-sender address. 
This is a potential security problem for a user who has several remote
e-mail accounts used for different purposes; the one common envelope-sender
goes to all recipients, and may be revealed to spammers and other
malefactors.  It's also very hard to find out about this config file; it's
buried in an obscure place in the documentation, and isn't in the config
dialog where an average non-expert sysadmin needs it to be -- nor is it in
/etc/exim4, where a sysadmin would look for config files related to exim4.

	This problem doesn't occur with Postfix.  It just doesn't mess with
return addresses in the first place.

	Possible fixes:

1.  Provide a configuration option to prevent envelope-sender manipulation,
or a switch to make the return addresses always identical to the From:
header in messages leaving the local domain.

2.  Recognize unlimited user:address statements in /etc/email-addresses, and
pick the one that matches the From: header.

3.  Add a configuration file in /home/user to allow the From: header and
return addresses to depend not only on the user name and/or
/etc/email-addresses, but on the destination address as well.  That helps to
avoid mistakes in, for example, setting the wrong identity in Mutt when
composing a message.  It's better to do this in the MTA than the MUA anyway,
so that this function doesn't depend on the choice of client program.  Yes,
this does mean that the MTA would need to fork copies of the message if it's
being sent to multiple destinations that require different From: headers.
Exim is a sophisticated program, and can justify a feature like this.

4.  Whatever solution is chosen, at least mention its availability and what
docs to read in the standard configuration dialogue.  Preferably, offer to
flip the switch.  This thing is a showstopper.
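
Added example, not part of the original report and not Exim's own code: a Python sketch contrasting the first-line-only lookup in /etc/email-addresses described above with proposed fix 2, which picks the listed address that matches the From: header. The function names, the constructed sample file, comment handling, and the fallback to the first listed address are assumptions.

```python
from email.utils import parseaddr

# Constructed sample in the user:address form the report describes.
SAMPLE_EMAIL_ADDRESSES = """\
# constructed sample, not a real configuration
jack: jack.work@example.com
jack: jack.lists@example.org
root: admin@example.com
"""

def parse_email_addresses(text):
    """Return {user: [address, ...]}, keeping every line in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        user, address = (part.strip() for part in line.split(":", 1))
        if user and address:
            table.setdefault(user, []).append(address)
    return table

def first_match_sender(table, user, fqdn):
    """Behaviour described in the report: only the first line per user counts."""
    addresses = table.get(user)
    return addresses[0] if addresses else f"{user}@{fqdn}"

def from_aware_sender(table, user, from_header, fqdn):
    """Proposed fix 2: use the listed address that matches From:.

    A From: address that is not listed for this user is never copied into
    the envelope, so the anti-forgery intent of the rewrite is kept.
    """
    _, from_addr = parseaddr(from_header)
    for address in table.get(user, []):
        # Simplification: compare the whole address case-insensitively.
        if address.lower() == from_addr.lower():
            return address
    return first_match_sender(table, user, fqdn)

if __name__ == "__main__":
    table = parse_email_addresses(SAMPLE_EMAIL_ADDRESSES)
    for hdr in ("Jack <jack.lists@example.org>", "ceo@example.net"):
        print(hdr, "->", from_aware_sender(table, "jack", hdr, "workstation.local"))
```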



