Thanks a lot Ron,

I probably didn't explain myself well.

The contact form was fixed before posting this topic here, but I'm
currently managing a personal server where I host family websites
among many other services and also a Postfix setup where I handle
about 8 different domains. As you said, I collect data through a
contact form and then send an email to my dad so he can give an answer
if he feels so. Obviously, the From headers are not an issue now but I
also would like to work on this use case.

I hope now it's clear how the form manages the data.

On the other hand, if someone knows how to help, I'm still interested
in the following matter:
* I've found some regexp to validate email address strings, and I
wonder if it would be OK to run this test on header_checks instead of
the proposed milter solution?
* When a message gets rejected because of multiple From
addresses, could I generate a custom bouncing email message? If so, how
should I proceed?
* Which would be the real use case(s) where it would be useful to use
multiple From addresses?

Thanks a lot for your time and help,

On Fri, Oct 9, 2020 at 2:10 PM Ron Wheeler
<rwhee...@artifact-software.com> wrote:
>
> You need to fix your contact form.
> There is no such thing as multiple from addresses.
> As Tom said, your contact form is not creating an email. It is collecting 
> information that it processes to produce some intelligent response or that it
> sends to you (or an automated proxy) requesting that you (or your proxy) 
> respond to a person (or a list of people).
>
> That information that the user supplies should not be in the headers at all 
> in any message that you get. It is just data.
> As Tom pointed out, the email to you or to the address entered on the form 
> should be from your website not from e-mail addresses provided by the users.
>
> In your processing of the data, you could throw away data with multiple 
> addresses.
>
> I am not sure why you would want a bounce in the case that users enter 
> invalid (multiple) addresses.
> Your contact form should validate the email address field to ensure that only 
> one email address is provided and tell the user immediately to fix their 
> input.
>
> I am not sure why you would care about other e-mail arriving at postfix with 
> multiple from addresses.
> Does it ever happen from anyone else?
>
> Ron
>
> On 2020-10-09 4:59 a.m., Pau Peris wrote:
>
> Thanks a lot for your comments, opinion and help! :)
>
> As Tom said, before posting this question here, I already noticed the
> logic behaviour handling the contact form was wrong because emails
> should never be sent on behalf of someone else. When I developed that
> website, it's my dad's website, I did it like a spare time favour and
> so mistakes were made.
>
> Before posting here, I already fixed the form contact handling so
> emails, now, are sent using legitimate From addresses but I already
> wanted to work on the multiple From addresses handling. Running some
> tests, I noticed Gmail rejects those kinds of messages even though they
> comply with the RFC. That's why I wondered which would be use cases for
> using multiple From addresses.
>
> Even though the form contact is now fixed (I'm even finishing
> integrating invisible reCaptcha v2 to keep spammers away) and free of
> bugs, I'm still curious about how to improve my Postfix setup.
>
> So I'm wondering, in case anyone could help:
> * I've found some regexp to validate email address strings, and I
> wonder if it would be OK to run this test on header_checks instead of
> the proposed milter solution?
> * When a message gets rejected because of multiple From addresses,
> could I generate a custom bouncing email message? If so, how should I
> proceed?
> * Which would be the real use case(s) where it would be useful to use
> multiple From addresses?
>
> Thanks a lot for your time and help,
>
> On Thu, Oct 8, 2020 at 9:37 AM Tom Hendrikx <t...@whyscream.net> wrote:
>
> On 07-10-2020 02:27, Pau Peris wrote:
>
> I'm hosting my dad's webpage which has a contact form (which should be
> improved to avoid spam and/or bots) and from time to time someone
> types multiple email addresses in the from field of the form so
> contact emails with multiple from addresses like "from:
> h...@example.com, f...@example.net" are generated. I thought that those
> kinds of messages should get rejected and thought that maybe there was
> a builtin restriction for this use case.
>
> Your basic setup is lacking, and causing you problems. The website
> should not send the emails using the email addresses of the person
> submitting data on your website in the From: header.
>
> If the email address has DKIM/SPF/DMARC policies attached, actual
> delivery of the message is likely harder, because f.i. the webserver is
> not listed in the SPF policy of the sender domain. Essentially, the
> email your website is sending, is spoofing the From: header. This might
> not be too obvious when all email sent from the website ends up in your
> mailbox (being the website administrator), but when you try to deliver
> to 3rd parties, you'll find this out very quickly.
>
> Conceptually, you could even say that the person entering data in the
> form did not send an email: he/she entered data into a form on a
> website, and the website sent the email. Hence, the From: header should
> contain webs...@example.org.
>
> Back to your problem: the website controls the From: header so no
> multiple email addresses in there. You could configure the website to
> put the email address of the person entering data in the form in the
> Reply-To: header.
>
> Kind regards,
>
>      Tom
>
>
>
> --
> Ron Wheeler
> Artifact Software
> 438-345-3369
> rwhee...@artifact-software.com



-- 
Pau
This email contains confidential information addressed exclusively to
its recipient(s) in copy. Likewise, its disclosure, copying or
distribution to third parties without prior written authorization from
Pau Peris Rodriguez is prohibited. If you have received this
information in error, you are asked to give notice of this
circumstance immediately through the sender's email address.
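
Added example (not part of the original thread): a Python sketch of the form handling Tom and Ron describe, where the address field must hold exactly one address and goes into Reply-To while From stays the site's own address. The addresses, the regular expression and the function names are assumptions made for the illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

SITE_FROM = "website@example.org"   # assumed: an address the website owns
SITE_OWNER = "owner@example.org"    # assumed: mailbox that receives form mail
# Assumed, deliberately simple shape check; not a full RFC 5322 grammar.
ADDR_RE = re.compile(r"[^@\s,;<>\"]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def single_address(field):
    """Return the one address in a form field, or None if it is not exactly one."""
    value = field.strip()
    if "\r" in value or "\n" in value:   # would inject extra header lines
        return None
    parsed = getaddresses([value])
    if len(parsed) != 1:                 # "a@x, b@y" parses to two entries
        return None
    addr = parsed[0][1]
    # Reject display names, angle brackets and anything the parser rewrote.
    if addr != value or not ADDR_RE.fullmatch(addr):
        return None
    return addr


def build_contact_mail(visitor_field, text):
    """Build the message the website sends; visitor data never reaches From."""
    addr = single_address(visitor_field)
    if addr is None:
        # Tell the user immediately instead of generating a bounce later.
        raise ValueError("enter exactly one e-mail address")
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = addr
    msg["Subject"] = "Contact form message"
    msg.set_content(text)
    return msg


if __name__ == "__main__":
    # Constructed sample submission.
    print(build_contact_mail("visitor@example.com", "Hello from the form"))
```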
