#1
Hi

I have been trying to find an answer for a query I had, and was hoping someone could help.

Let's say I have the following scenario;

ApplicationA on Server1 > SMTP Relay (Sendmail) > Other mail systems

My understanding is (and please correct me if/where I am wrong)

The MUA on ApplicationA generates a list of SMTP commands to Sendmail derived from the Header information given in the mail the application constructs. This list of commands (MAIL FROM:, RCPT TO:, DATA) is known as the SMTP Envelope; it is responsible for routing the mail to its destination. The Header information contains fields such as TO:, FROM:, SUBJECT, DATE: etc.

When the message gets to Sendmail, it will examine the Envelope information and relay it onto the appropriate mail system.

My main query is, supposing that between Server1 and Sendmail there was an intermediate server;

Server1 > Server2 > Sendmail > Other mail systems

Server2 contains an application that can re-write Header information.

So, when the mail leaves Server1, the Envelope and Header information is as below;

MAIL FROM: user1@domain.com
RCPT TO: user2@domain.com

FROM: user1@domain.com
TO: user2@domain.com

But the application on Server2 changes the Header so that it is now;

MAIL FROM: user1@domain.com
RCPT TO: user2@domain.com

FROM: user1@domain.com
TO: user2@domain.net

i.e., the RCPT TO: in the Envelope is different from the TO: in the header.

Where would the email be sent to?

My understanding so far is that it is the Envelope that is responsible for mail routing, therefore the mail will still be sent to user2@domain.com. The Header information is more for viewing.

I suppose you could compare it to a normal letter. The SMTP Envelope is what is written on the envelope and therefore what the postal system sees to post the letter to the destination. The Header information is part of the message body and has no effect on the route.

This is where SPAMmers could take advantage, since an application that re-writes FROM: headers would be quite useful. Once the letter is received, the user is tricked into reading the FROM: header in the letter whereas it actually came from the MAIL FROM:

(Simplistic explanation I know)

Also - if the MAIL FROM: and FROM: addresses were different, and the user replied, am I correct in thinking the mail would be sent back to the MAIL FROM:? Or does the user's MUA not have any knowledge of the MAIL FROM: (since this is removed when it gets to the email client) and therefore the MUA tries to send the mail to the FROM: address in the header?

Hope someone can help!
#2
On 08/27/08 18:38, kammy_boy186@hotmail.co.uk wrote:

You are correct in the fact that email routing (at least on the SMTP level) is done by the SMTP envelope. (At least unless someone changes things.)

> Also - if the MAIL FROM: and FROM: addresses were different, and the
> user replied, am I correct in thinking the mail would be sent back to
> the MAIL FROM:? Or does the user's MUA not have any knowledge of the
> MAIL FROM: (since this is removed when it gets to the email client)
> and therefore the MUA tries to send the mail to the FROM: address in
> the header?

You are also correct in that the MUA has no knowledge of the SMTP envelope sender or recipient. Thus the MUA is reliant on the headers inside of the message.

Grant. . . .
#3
In article <f6ffb5f0-41ed-40c9-b852-cd4574505ab8@e53g2000hsa.googlegroups.com>, kammy_boy186@hotmail.co.uk wrote:

> My main query is, supposing that between Server1 and Sendmail there
> was an intermediate server;
>
> Server1 > Server2 > Sendmail > Other mail systems
>
> Server2 contains an application that can re-write Header information.
>
> So, when the mail leaves Server1, the Envelope and Header information
> is as below;
>
> MAIL FROM: user1@domain.com
> RCPT TO: user2@domain.com
>
> FROM: user1@domain.com
> TO: user2@domain.com
>
> But the application on Server2 changes the Header so that it is now;
>
> MAIL FROM: user1@domain.com
> RCPT TO: user2@domain.com
>
> FROM: user1@domain.com
> TO: user2@domain.net
>
> i.e., the RCPT TO: in the Envelope is different from the TO: in the
> header.
>
> Where would the email be sent to?

user2@domain.com

> My understanding so far is that it is the Envelope that is responsible
> for mail routing, therefore the mail will still be sent to
> user2@domain.com. The Header information is more for viewing.

The headers are for the MUA. The MUA determines what the user sees based on headers.

> I suppose you could compare it to a normal letter. The SMTP Envelope
> is what is written on the envelope and therefore what the postal
> system sees to post the letter to the destination. The Header
> information is part of the message body and has no effect on the
> route.

Generally correct. There are some tricks used by MTAs to look for loop indications in headers, but nothing in the headers is normally used to route mail. There is always the caveat that an MTA like Sendmail can look at headers and rewrite them and do all sorts of oddball things based on them if configured to do so, but that is not normally done.

> This is where SPAMmers could take advantage, since an application that
> re-writes FROM: headers would be quite useful. Once the letter is
> received, the user is tricked into reading the FROM: header in the
> letter whereas it actually came from the MAIL FROM:

I invite you to visit groups.google.com and read discussions of this sort of thing being done in spam. Look in the news.admin.* groups in the mid-90's as a start, and news.admin.net-abuse.email from its start...

Simply put: spammers (and others, for perfectly good reasons) have been using mismatched envelope and header senders for a very long time. There's nothing fundamentally hard about using any arbitrary address for either the envelope or the headers. Any competent mail admin knows how to manually use telnet or its equivalent in a terminal connection to talk SMTP to a mailserver and offer it a message with any addresses he can type.

> (Simplistic explanation I know)

Not overly simplistic.

> Also - if the MAIL FROM: and FROM: addresses were different, and the
> user replied, am I correct in thinking the mail would be sent back to
> the MAIL FROM:?

No. That would be Very Wrong. In principle a MUA should be able to figure out the MAIL FROM address because delivery agents are supposed to put it in a Return-Path header during delivery, but in practice that is not always done and a MUA should never use the Return-Path header for replying to a message.

> Or does the user's MUA not have any knowledge of the
> MAIL FROM: (since this is removed when it gets to the email client)
> and therefore the MUA tries to send the mail to the FROM: address in
> the header?

There are actually a bunch of edge cases involving other possible sender-related headers in a message and types of response, but if you don't feel like reading RFC2822 and other detailed descriptions of the edge cases, it is generally safe to say that the From: header is what a MUA will use to address replies, and the most common exception is when there is a Reply-To header (common in discussion lists.)

The envelope sender address should only ever be used for mail system error messages.

--
Now where did I hide that website...
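The reply and bounce rules described in the answers above, as an added example that is not part of the thread or any poster's code: a Python script that reads a delivered message and reports which address a reply would use, which address receives mail system error messages, and whether the envelope and header addresses differ. The sample message, the example.* addresses and the function names are constructed for illustration, and the envelope recipient is assumed to come from MTA logs.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message as it might sit in a mailbox after delivery.
SAMPLE = """\
Return-Path: <bounces@lists.example.org>
From: User One <user1@example.com>
Reply-To: list@lists.example.org
To: user2@example.net
Subject: envelope versus header

body text
"""


def bare(value):
    """Bare lowercase address from a header value; None if absent or empty (<>)."""
    return parseaddr(value or "")[1].lower() or None


def analyze(raw, envelope_rcpt=None):
    """Report where replies and bounces would go, and envelope/header mismatches.

    envelope_rcpt is the RCPT TO value, if known from MTA logs (assumption:
    the caller supplies it, since it is not stored in the message itself).
    """
    msg = message_from_string(raw)
    envelope_sender = bare(msg.get("Return-Path"))
    header_from = bare(msg.get("From"))
    listed = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = {addr.lower() for _, addr in getaddresses(listed) if addr}
    return {
        "envelope_sender": envelope_sender,
        "header_from": header_from,
        # Replies: Reply-To if present, else From. Never Return-Path.
        "reply_goes_to": bare(msg.get("Reply-To")) or header_from,
        # Mail system error messages go to the envelope sender.
        "bounce_goes_to": envelope_sender,
        "sender_mismatch": envelope_sender not in (None, header_from),
        "rcpt_not_in_headers": envelope_rcpt is not None
        and envelope_rcpt.lower() not in header_rcpts,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, envelope_rcpt="user2@example.com").items():
        print(f"{key}: {value}")
```

A mismatch flagged here is a prompt for a closer look rather than a verdict, since mailing lists and other legitimate senders also use different envelope and header addresses.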
#4
Thanks for the comprehensive reply, much appreciated! Both of you!