Thanks a lot for your comments, opinion and help! :)

As Tom said, before posting this question here, I already noticed the logic behaviour handling the contact form was wrong because emails should never be sent on behalf of someone else. When I developed that website, it's my dad's website, I did it like a spare time favour and so mistakes were made.

Before posting here, I already fixed the contact form handling so emails, now, are sent using legitimate From addresses but I already wanted to work on the multiple From addresses handling. Running some tests, I noticed Gmail rejects those kinds of messages even though they comply with the RFC. That's why I wondered which would be use cases for using multiple From addresses.

Even though the contact form is now fixed (I'm even finishing integrating invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm still curious about how to improve my Postfix setup. So I'm wondering, in case anyone could help:

* I've found some regexps to validate email address strings, and I wonder if it would be OK to run this test in header_checks instead of the proposed milter solution?
* When a message gets rejected because of multiple From addresses, could I generate a custom bounce email message? If so, how should I proceed?
* Which would be the real use case(s) where it would be useful to use multiple From addresses?

Thanks a lot for your time and help,

On Thu, Oct 8, 2020 at 9:37 AM Tom Hendrikx <t...@whyscream.net> wrote:
>
> On 07-10-2020 02:27, Pau Peris wrote:
> > I'm hosting my dad's webpage which has a contact form (which should be
> > improved to avoid spam and/or bots) and from time to time someone
> > types multiple email addresses in the from field of the form so
> > contact emails with multiple from addresses like "from:
> > h...@example.com, f...@example.net" are generated. I thought that those
> > kinds of messages should get rejected and thought that maybe there was
> > a builtin restriction for this use case.
> >
> Your basic setup is lacking, and causing you problems. The website
> should not send the emails using the email addresses of the person
> submitting data on your website in the From: header.
>
> If the email address has DKIM/SPF/DMARC policies attached, actual
> delivery of the message is likely harder, because f.i. the webserver is
> not listed in the SPF policy of the sender domain. Essentially, the
> email your website is sending, is spoofing the From: header. This might
> not be too obvious when all email sent from the website ends up in your
> mailbox (being the website administrator), but when you try to deliver
> to 3rd parties, you'll find this out very quickly.
>
> Conceptually, you could even say that the person entering data in the
> form did not send an email: he/she entered data into a form on a
> website, and the website sent the email. Hence, the From: header should
> contain webs...@example.org.
>
> Back to your problem: the website controls the From: header so no
> multiple email addresses in there. You could configure the website to
> put the email address of the person entering data in the form in the
> Reply-To: header.
>
> Kind regards,
>
> Tom
>

--
Pau

This e-mail contains confidential information addressed exclusively to its recipient(s) in copy. Likewise, its disclosure, copying or distribution to third parties without prior written authorisation from Pau Peris Rodriguez is prohibited. If you have received this information in error, please give notice of this circumstance immediately via the sender's e-mail address.
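
The layout suggested in the quoted reply (a site-owned From: header, the visitor's address in Reply-To:) combined with a one-address check done in the web application before the message reaches Postfix, as an added example that is not part of the original thread. The addresses, the function names, the regular expression and the choice of Python are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed addresses: the site's own sender and the mailbox that reads contact mail.
SITE_FROM = "website@example.org"
SITE_OWNER = "owner@example.org"

# Deliberately conservative pattern: exactly one local@domain.tld with no
# whitespace, commas, semicolons, angle brackets, quotes or parentheses.
# It accepts fewer addresses than the RFC grammar allows, which is acceptable
# for a contact form.
_ADDR = re.compile(r"""[^@\s,;<>"()]+@[^@\s,;<>"()]+\.[^@\s,;<>"()]+""")


def single_address(raw):
    """Return the one address typed into the form field, or None."""
    candidate = raw.strip()
    # fullmatch() anchors both ends; an embedded CR/LF (header injection)
    # or a second address fails because whitespace and commas are excluded.
    return candidate if _ADDR.fullmatch(candidate) else None


def build_contact_mail(submitted_from, body):
    """Build the message the website sends for one form submission."""
    reply_to = single_address(submitted_from)
    if reply_to is None:
        # Reject in the web form, where the visitor can correct the input.
        raise ValueError("enter exactly one e-mail address")
    msg = EmailMessage()
    msg["From"] = SITE_FROM          # the website is the sender
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = reply_to       # replies go to the visitor
    msg["Subject"] = "Contact form message"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_contact_mail("visitor@example.com", "Hello"))
    print(single_address("h@example.com, f@example.net"))
```

The resulting `EmailMessage` can be handed to `smtplib.SMTP.send_message()` for delivery through the local Postfix instance.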