Improvements to our bounce emails #649
Comments
|
I dug into this a bit, and I'm not seeing a great way to avoid leaking the member's final address. This report seems to be built in C code, not via a template:
I know enough about Postfix to know that it's a very flexible piece of software, though: perhaps it's possible to override some of these values, or apply some sort of filter/processing on the bounce email. |
|
IMO if we are trying to keep list members secret, maybe bounces should go to a postmaster or list moderator rather than the sender? It is not really the sender's problem if they're sending to a valid mailing list. |
|
That's an excellent point. This is definitely an "us" problem. I also don't know how to configure |
|
One idea I proposed on matrix was to look at |
…alias_maps` This fixes NixOS#649. I've tested this, and it works: mailing list members get emails, but if we get a bounce when forwarding to a mailing list member, we do *not* send the bounce to the original author of the email. A downside of this change is that we all become a bit more blind to bounce issues. Previously, the sender would recieve a bounce email, and then notify us per the instructions in our bounce template. With this change the bounce would instead end up ignored in logfiles on umbriel.
This sees to work! I still had to have an empty entry in |
|
Oooh, https://www.postfix.org/aliases.5.html seems to document @ryantrinkle's suggestion:
But I tried this, and I couldn't get it to work. I wondered if this is possibly related to us using virtual aliases, and then I found this example, which seems to forward virtual addresses to local aliases. I tried that as well and somehow introduced a mail loop. |
We've experienced 2 problems with our bounce emails.
I'm not sure #2 is really solvable. I suspect that postfix's architecture involves enqueuing these forwards as completely isolated tasks that can independently fail and generate bound messages (I'd be happy to be told I'm wrong about this, though). One option would be to turn of bounces entirely, but I beleive that's even worse UX for senders.
Some detail on how emails get leaked
We've put some effort into hiding our mailing list member's email addresses by encrypting them (example).
However, if umbriel.nixos.org (our mailserver) fails to forward an email, we send a bounce back to the sender, and that leaks the bounced email addresses to the original sender. These emails look like this (sensitive and irrelevant information redacted):
What to do?
These bounces must be getting generated and sent by postfix. We should be able to configure postfix to still send a bounce, but with a different template that does not include the mailing list member's final email address. It's important that whatever we do does still include that
X-Postfix-Queue-IDso we can debug reports from users.The text was updated successfully, but these errors were encountered: