You need to fix your contact form.
There is no such thing as multiple from addresses.
As Tom said, your contact form is not creating an email. It is
collecting information that it processes to produce some intelligent
response or that it sends to you (or an automated proxy) requesting
that you (or your proxy) respond to a person (or a list of people).
That information that the user supplies should not be in the headers at
all in any message that you get. It is just data.
As Tom pointed out, the email to you or to the address entered on the
form should be from your website not from e-mail addresses provided by
the users.
In your processing of the data, you could throw away data with multiple
addresses.
I am not sure why you would want a bounce in the case that users enter
invalid (multiple) addresses.
Your contact form should validate the email address field to ensure that
only one email address is provided and tell the user immediately to fix
their input.
I am not sure why you would care about other e-mail arriving at postfix
with multiple from addresses.
Does it ever happen from anyone else?
Ron
On 2020-10-09 4:59 a.m., Pau Peris wrote:
Thanks a lot for your comments, opinion and help! :)
As Tom said, before posting this question here, I already noticed the
logic behaviour handling the contact form was wrong because emails
should never be sent on behalf of someone else. When I developed that
website, it's my dad's website, I did it like a spare time favour and
so mistakes were made.
Before posting here, I already fixed the form contact handling so
emails, now, are sent using legitimate From addresses but I already
wanted to work on the multiple From addresses handling. Running some
tests, I noticed Gmail rejects those kinds of messages even though they comply
with the RFC. That's why I wondered which would be use cases for using
multiple From addresses.
Even though the form contact is now fixed (I'm even finishing integrating
invisible reCaptcha v2 to keep spammers away) and free of bugs, I'm
still curious on how to improve my Postfix setup.
So I'm wondering, in case anyone could help:
* I've found some regexp to validate email address strings, and I
wonder if it would be ok to run this test in header_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From addresses,
could I generate a custom bouncing email message? If so, how should I
proceed?
* Which would be the real use case(s) where it would be useful to use
multiple From addresses?
Thanks a lot for your time and help,
On Thu, Oct 8, 2020 at 9:37 AM Tom Hendrikx <t...@whyscream.net> wrote:
On 07-10-2020 02:27, Pau Peris wrote:
I'm hosting my dad's webpage which has a contact form (which should be
improved to avoid spam and/or bots) and from time to time someone
types multiple email addresses in the from field of the form so
contact emails with multiple from addresses like "from:
h...@example.com, f...@example.net" are generated. I thought that those
kind of messages should get rejected and thought that maybe there was
a builtin restriction for this use case.
Your basic setup is lacking, and causing you problems. The website
should not send the emails using the email addresses of the person
submitting data on your website in the From: header.
If the email address has DKIM/SPF/DMARC policies attached, actual
delivery of the message is likely harder, because f.i. the webserver is
not listed in the SPF policy of the sender domain. Essentially, the
email your website is sending, is spoofing the From: header. This might
not be too obvious when all email sent from the website ends up in your
mailbox (being the website administrator), but when you try to deliver
to 3rd parties, you'll find this out very quickly.
Conceptually, you could even say that the person entering data in the
form did not send an email: he/she entered data into a form on a
website, and the website sent the email. Hence, the From: header should
contain webs...@example.org.
Back to your problem: the website controls the From: header so no
multiple email addresses in there. You could configure the website to
put the email address of the person entering data in the form in the
Reply-To: header.
Kind regards,
Tom
--
Ron Wheeler
Artifact Software
438-345-3369
rwhee...@artifact-software.com
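
The handling recommended in this thread (one validated address from the form, the website's own address in From:, the visitor's address in Reply-To:), as an added example that is not part of the original messages or the poster's website code. `SITE_FROM`, `SITE_OWNER` and both function names are assumptions made for the sketch.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed addresses for this sketch; replace with the site's own.
SITE_FROM = "contact-form@website.example"
SITE_OWNER = "owner@website.example"


def parse_single_address(field: str) -> str:
    """Return the one address typed into the form field, or raise ValueError."""
    # Form data must never be able to start a new header line.
    if "\r" in field or "\n" in field:
        raise ValueError("line breaks are not allowed in the address field")
    # getaddresses() splits an address list the way a mail parser would,
    # so "a@x, b@y" is seen as two addresses rather than one odd string.
    parsed = [addr for _name, addr in getaddresses([field]) if addr]
    if len(parsed) != 1:
        raise ValueError("enter exactly one e-mail address")
    addr = parsed[0]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain or " " in addr:
        raise ValueError("that does not look like an e-mail address")
    return addr


def build_contact_message(visitor_field: str, text: str) -> EmailMessage:
    """Build the notification the website sends about one form submission."""
    visitor = parse_single_address(visitor_field)  # reject before building
    msg = EmailMessage()
    msg["From"] = SITE_FROM        # the website sent this, not the visitor
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = visitor      # a reply still reaches the visitor
    msg["Subject"] = "Contact form submission"
    msg.set_content(text)
    return msg


if __name__ == "__main__":
    # Constructed sample input.
    print(build_contact_message("visitor@example.com", "Hello from the form"))
```

The `ValueError` text is meant to be shown to the visitor right away, so no message with a bad From: ever reaches Postfix.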