Merge pull request #5162 from rjbs/cyr-1422-private-mdn

Sieve: allow private Final-Recipient in rejects, allow non-Original-Recipient header for original recipient.
cyrusimap · Jan 17, 2025 · ff328f3 · ff328f3
2 parents 861b9dd + 39569ff
commit ff328f3
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 2 deletions.
diff --git a/changes/next/sieve_mdn_original_recipient_header b/changes/next/sieve_mdn_original_recipient_header
@@ -0,0 +1,21 @@
+Description:
+
+The new `sieve_mdn_original_recipient_header` allows an install to get the
+original recipient from a header other than Original-Recipient.
+
+
+Config changes:
+
+This adds `sieve_mdn_original_recipient_header`, a string option which, if set,
+will cause Cyrus to look for the original recipient of Sieve-rejected messages
+somewhere other than the `Original-Recipient` field of the messages.
+
+
+Upgrade instructions:
+
+No action required.
+
+
+GitHub issue:
+
+None.
diff --git a/changes/next/sieve_mdn_private b/changes/next/sieve_mdn_private
@@ -0,0 +1,20 @@
+Description:
+
+The new `sieve_mdn_private` option helps prevent leaking usernames.
+
+
+Config changes:
+
+This adds `sieve_mdn_private`, a yes/no option which, if set, will replace the
+username in the `Final-Recipient` field of Sieve-generated bounces with the
+active Cyrus session id.
+
+
+Upgrade instructions:
+
+No action required.
+
+
+GitHub issue:
+
+None.
diff --git a/imap/lmtp_sieve.c b/imap/lmtp_sieve.c
@@ -492,7 +492,12 @@ static int send_rejection(const char *userid,
             config_servername, CYRUS_VERSION, SIEVE_VERSION);
     if (origreceip)
         buf_printf(&msgbuf, "Original-Recipient: rfc822; %s\r\n", origreceip);
-    buf_printf(&msgbuf, "Final-Recipient: rfc822; %s\r\n", mailreceip);
+
+    if (config_getswitch(IMAPOPT_SIEVE_MDN_PRIVATE))
+        buf_printf(&msgbuf, "Final-Recipient: rfc822; %s\r\n", session_id());
+    else
+        buf_printf(&msgbuf, "Final-Recipient: rfc822; %s\r\n", mailreceip);
+
     if (origid)
         buf_printf(&msgbuf, "Original-Message-ID: %s\r\n", origid);
     buf_printf(&msgbuf, "Disposition: "
@@ -993,7 +998,7 @@ static int sieve_reject(void *ac, void *ic,
         return SIEVE_OK;
     }
 
-    body = msg_getheader(md, "original-recipient");
+    body = msg_getheader(md, config_getstring(IMAPOPT_SIEVE_MDN_ORIGINAL_RECIPIENT_HEADER));
     origreceip = body ? body[0] : NULL;
     if ((res = send_rejection(ctx->userid, md->id, md->return_path,
                               origreceip, mbname_recipient(sd->mbname, ((deliver_data_t *) mc)->ns),

diff --git a/lib/imapoptions b/lib/imapoptions
@@ -2693,6 +2693,15 @@ product version in the capabilities
 /* Maximum number of sieve scripts any user may have, enforced at
    submission by timsieved(8). */
 
+{ "sieve_mdn_original_recipient_header", "original-recipient", STRING, "UNRELEASED" }
+/* The name of the header field in which the Sieve "reject" action can find the
+   original recipient of the message. */
+
+{ "sieve_mdn_private", 0, SWITCH, "UNRELEASED" }
+/* If true, the Final-Recipient header in the MDN generated by Sieve's "reject"
+   action will be replaced with something that does not publicly identify the
+   user. */
+
 { "sieve_utf8fileinto", 0, SWITCH, "2.3.17" }
 /* If enabled, the sieve engine expects folder names for the
    \fIfileinto\fR action in scripts to use UTF8 encoding.  Otherwise,