[ZendTo] Re: Why is sendmail -f option disabled?

Jules Jules at Zend.To
Wed Feb 20 14:27:11 GMT 2013


I removed that as it forces the envelope sender address to be the person 
who sent the drop-off. Which may well not be an address within the 
site's own domain.

So a lot of mail systems (particularly Exchange) will then reject the 
message as a bad relay attempt, as they relay based on the envelope 
sender and not the source IP address (which most sendmail-based mail 
systems will use to control relaying).

Also, if the message ends up leaving the site, the SPF for the message 
will be screwed as it originated from totally the wrong place, causing a 
lot of sites to drop the message (including big guys like Gmail).

That's most of what I can remember about why I stopped faking the 
envelope sender, it looked better initially but caused all sorts of 
problems for people as the messages often wouldn't get through due to 
email security controls.

Hope that helps,

P.S. Of course, you have the source, so if you want to re-enable it and 
know it will work fine for your site/company/institution, then feel free 
to edit the code! :-)

On 20/02/2013 13:55, tibz wrote:
> Hello,
> We are currently evaluating zendto and have deployed the CentOS Virtual
> Appliance for ESXi, running zendto 4.11-9
> We noticed that the return-path was set to "apache at domain.tld"
> After looking at the code, I noticed that the option to set the
> return-path is disabled in NSSDropbox.php:
>       return mail(
>                 $toAddr,
>                 $subject,
>                 $content,
>                 $headers // JKF Commented out for now due to security
> concerns ,
>                 // JKF Commented out for now due to security concerns
>                 // '-f "'.$fromAddr.'"'
>               );
> Can you explain why is it commented? (what are the security concerns you
> are referring to)
> Thanks
> tibz
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> Jules
> -- 
> Julian Field MEng MBCS CITP CEng
> 'We face neither East nor West: we face forward.' - Kwame Nkrumah
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

More information about the ZendTo mailing list