[ZendTo] Re: Why is sendmail -f option disabled?
tibz
tibir at tibir.net
Thu Feb 21 08:29:32 GMT 2013
Ok understood. In our case no problem to enable it then.
Yes, we have the code and can change it, but such a change is subject to
being deleted during an upgrade.
Suggestion: make it a switch on/off (off by default) in zendto.conf or
preferences.php? :-)
It could even be "on" or "off" or "an email address of your choice".
Thanks
On 20/2/2013 3:27 PM, Jules wrote:
> tibz,
>
> I removed that as it forces the envelope sender address to be the person
> who sent the drop-off. Which may well not be an address within the
> site's own domain.
>
> So a lot of mail systems (particularly Exchange) will then reject the
> message as a bad relay attempt, as they relay based on the envelope
> sender and not the source IP address (which most sendmail-based mail
> systems will use to control relaying).
>
> Also, if the message ends up leaving the site, the SPF for the message
> will be screwed as it originated from totally the wrong place, causing a
> lot of sites to drop the message (including big guys like Gmail).
>
> That's most of what I can remember about why I stopped faking the
> envelope sender, it looked better initially but caused all sorts of
> problems for people as the messages often wouldn't get through due to
> email security controls.
>
> Hope that helps,
> Jules.
>
> P.S. Of course, you have the source, so if you want to re-enable it and
> know it will work fine for your site/company/institution, then feel free
> to edit the code! :-)
>
>
> On 20/02/2013 13:55, tibz wrote:
>> Hello,
>>
>> We are currently evaluating zendto and have deployed the CentOS Virtual
>> Appliance for ESXi, running zendto 4.11-9
>>
>> We noticed that the return-path was set to "apache at domain.tld"
>> After looking at the code, I noticed that the option to set the
>> return-path is disabled in NSSDropbox.php:
>>
>> return mail(
>>     $toAddr,
>>     $subject,
>>     $content,
>>     $headers // JKF Commented out for now due to security concerns ,
>>     // JKF Commented out for now due to security concerns
>>     // '-f "'.$fromAddr.'"'
>> );
>>
>> Can you explain why it is commented? (What are the security concerns you
>> are referring to?)
>>
>> Thanks
>> tibz
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>> Jules
>>
>> --
>> Julian Field MEng MBCS CITP CEng
>>
>> 'We face neither East nor West: we face forward.' - Kwame Nkrumah
>>
>> www.Zend.To
>> Twitter: @JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
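
The off/on/fixed-address switch suggested above, combined with the relay and SPF constraint Jules describes, as an added example that is not part of the thread and not ZendTo code. The function name, the mode values and the $siteDomains list are assumptions; ZendTo has no such preference on this page.

```php
<?php
// Added example, not ZendTo code. envelopeSenderArg(), its $mode values and
// $siteDomains are hypothetical names chosen for this illustration.

/**
 * Build the 5th argument of mail() from a hypothetical preference.
 *   'off'       -> no -f, the MTA picks the envelope sender
 *   'on'        -> use the drop-off sender, but only inside $siteDomains
 *   an address  -> always use that fixed address
 */
function envelopeSenderArg(string $mode, string $fromAddr, array $siteDomains): string
{
    if ($mode === 'off') {
        return '';
    }
    $candidate = ($mode === 'on') ? $fromAddr : $mode;

    // The value ends up on the sendmail command line, so accept only a plain
    // address: no spaces, quotes or leading '-'. mail() already applies
    // escapeshellcmd() to this argument, so no extra shell quoting is added.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false
        || !preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/', $candidate)
        || $candidate[0] === '-') {
        return '';
    }

    // An envelope sender outside the site's own domains is what breaks
    // relaying and SPF, so fall back to the MTA default in that case.
    $domain = strtolower(substr(strrchr($candidate, '@'), 1));
    if (!in_array($domain, array_map('strtolower', $siteDomains), true)) {
        return '';
    }
    return '-f' . $candidate;
}

// Constructed sample values: one site domain, internal and external senders.
$site = ['example.org'];
$cases = [
    ['off', 'alice@example.org'],
    ['on', 'alice@example.org'],
    ['on', 'bob@elsewhere.test'],
    ['on', 'x@example.org -oQ/tmp'],
    ['noreply@example.org', 'bob@elsewhere.test'],
];
foreach ($cases as [$mode, $from]) {
    printf("%-20s %-24s => '%s'\n", $mode, $from, envelopeSenderArg($mode, $from, $site));
}
```

The returned string would be passed as the fifth argument of the mail() call quoted above; an empty string leaves the envelope sender to the MTA, which is the behaviour the thread describes for the shipped code.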