Dear Unix mailers: please allow more forgery

February 6, 2011

Here is a peculiar irritation I have with Unix mailers (the combination of both MTAs and MUAs): I wish they made it easier for people to forge their outgoing email address, the address that appears as the From: and in the envelope sender and so on.

Unix mailers generally make it at least possible and sometimes easy to do a half-assed job of forgery. You can put in your own From: and many mailers will leave it alone, but they'll then also add a Sender: header and usually won't touch the envelope sender address. When I am in a cautious mood, this is not good enough; I want no traces in the headers that an outsider could easily use to identify my email address or even to identify that the From: address is not a fully real address.

Most IMAP-based MUAs make this thorough level of forgery so trivial that it's not even forgery, it's just multiple identities. I have four different ones configured in Thunderbird and the most difficult bit of setting them up was knowing that the 'manage identities' button was the Preferences option that I wanted (and Thunderbird is smart about using them, too). But Unix mail systems are (or at least seem to be) pointlessly stubborn about this.

(Please don't suggest that I abandon my Unix mailer for some IMAP client. I am very attached to my Unix MUA of choice and it's probably the single oldest piece of my Unix environment by now.)

In today's world of spam and untrusted destinations there are lots of reasons to want to thoroughly use other sender addresses, and given that you can already do this through other mechanisms I think that Unix mailer environments should at least default to allowing this and making it relatively easy.

(This should not affect your ability to trace email back to its actual sender if someone complains; just put the UID that the email was received from in the Received: headers or the like. I believe that this is more or less the default for Unix MTAs these days.)

PS: since I only use one Unix MUA and it's an uncommon choice, maybe all of the common ones have changed over to doing what I want and I'm really just griping about a single MUA.

Comments on this page:

From at 2011-02-06 16:15:13:

I'd love to see a "building block of my environment"-type post on your mail setup. Surely, something can be learned there.

From at 2011-02-06 21:48:49:

You don't mention which MUA you use, but it seems like my ancient MUA (nmh with the mh-e front end) lets me fake things pretty well, with a correct From: and From line and no Sender line betraying them. The Message-ID and initial Received lines still mention the machine it was sent from (which won't necessarily correspond, but most people never look at those lines anyway).

From at 2011-02-06 21:57:08:

Mostly the Sender: header is added by the MTA, not the MUA.

If using Exim, set the "untrusted_set_sender" option and normal users will be able to use -f (to set the envelope sender) . Also unset "local_from_check" so that From: won't be checked for validity and Sender: won't be added.

-Phil P

By cks at 2011-02-07 00:19:00:

Now this is interesting. We use a null-client Postfix configuration (which is perfectly happy to let you forge the origin address in several different ways), and I use the stock Ubuntu nmh (with lots of customizations in my personal MH environment, like any long-term MH user). Something in this combination is inserting Sender: headers (and not forging the envelope origin address from the From: when I use an explicit From:); I suspect that it is nmh, but clearly it's not something nmh does all the time.

By Dan.Astoorian at 2011-02-07 09:35:10:

Has all of your testing consisted of sending messages to yourself?

A bit of playing around has led me to the conclusion that the Sender: header is likely being added at the receiving end (either by Postfix, or by procmail or whatever other mail filter(s) you use), not necessarily by nmh.

Having said that, though, I'll note that sendmail on my system appears to transcribe the envelope sender into a Return-Path: header; this suggests that your wish to be able to completely obfuscate your "real" mail address in all of the headers of the messages you send has implications with respect to handling bounces. (/usr/lib/sendmail typically has a -f option to let you set the envelope address, but many implementations stick a warning like "X-Authentication-Warning: realuser set sender to XYZZY using -f" into the headers unless specifically configured not to.)


From at 2011-02-16 23:50:46:

You're using pine and wanting to 'bounce' emails, huh? I do that too. It's a great tool to just resend things to people. Sendmail and postfix allow for forging the From header, but I know that Exchange won't.

Written on 06 February 2011.
« A side note on Google Chrome and the future of HTML
My brute force email archive »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Feb 6 01:03:34 2011
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.