On Wed, 2 May 2018, Wietse Venema wrote:

> > What would be the best way to identify email which is forwarded to
> > external addresses by .forward, procmail or sieve rules?
> >
> > We have control over the mail gateways which handle all incoming-outgoing
> > traffic, but no real access to the internal servers where the forward
> > rules may be entered.
> >
> > Add a specific header (e.g. X-Delivered-To) to the incoming email (it
> > could be deleted, but let's ignore the possibility) and check it in the
> > outgoing ones? What are the possibilities for false positives and
> > negatives? Checking the Received lines looks harder and not a better
> > approach.
>
> Look at the top-level Received: header (the one that is added by Postfix
> on your gateway). That is definitive evidence that mail came from inside.
> Determining if it was forwarded requires some heuristics, because all
> the other content might be altered.

This is what I suspected. DKIM signing the Received: lines does not help
either, because the number of external Received: lines changes and I
definitely don't want to delete those lines.

Hm, the extra specific header (X-Delivered-To) however could be signed and
any tampering could then be detected.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
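
Added example, not part of the original message or of Postfix: a sketch of the signed X-Delivered-To idea discussed above, with the inbound gateway tagging mail and the outbound gateway classifying it. It assumes an HMAC under a gateway-only key stands in for the signature and that Message-ID survives forwarding; the key, sample message and function names are constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

TAG = "X-Delivered-To"            # header name proposed in the thread
KEY = b"constructed-demo-key"     # assumption: secret known only to the gateways
SAMPLE = (                        # constructed sample message
    "From: bob@example.net\nTo: alice@example.org\n"
    "Message-ID: <constructed-1@example.net>\nSubject: hello\n\nbody\n"
)


def _mac(key: bytes, rcpt: str, msg: Message) -> str:
    # Bind the tag to recipient and Message-ID so it cannot be replayed
    # onto another mail (assumes Message-ID survives forwarding).
    data = f"{rcpt.lower()}\n{msg.get('Message-ID', '')}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_inbound(msg: Message, rcpt: str, key: bytes = KEY) -> None:
    """Inbound gateway: drop any sender-supplied tag, then add our own."""
    del msg[TAG]
    msg[TAG] = f"{rcpt}; mac={_mac(key, rcpt, msg)}"


def classify_outbound(msg: Message, key: bytes = KEY) -> str:
    """Outbound gateway: 'original', 'forwarded' or 'tampered'."""
    values = msg.get_all(TAG)
    if not values:
        return "original"  # false negative if a rule stripped the tag
    for value in values:
        # Undo header folding before splitting the value.
        rcpt, sep, mac = " ".join(value.split()).partition("; mac=")
        if sep and hmac.compare_digest(mac, _mac(key, rcpt, msg)):
            return "forwarded"
    return "tampered"


if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    tag_inbound(m, "alice@example.org")
    print(classify_outbound(message_from_string(m.as_string())))
```

A missing tag is indistinguishable from locally originated mail, which is the false-negative case the thread sets aside.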