[ZendTo] RFC5321.MailFrom address in notification emails

Mike Brudenell mike.brudenell at york.ac.uk
Thu Jun 22 16:50:16 BST 2017


We're noticing that when someone here uploads files into Zendto but
mistypes the recipient's email address they're not learning of their
mistake: they're not seeing the Non-Delivery Report.

Digging around in the mail queues shows the upload notification tried to go
to the invalid address, fails, and then is trying to go back to a username
based on the local username that Zendto is running under. This isn't a
valid mailbox, so the Non Delivery Report gets stuck in our queues until it
times out a few days later. The would-be sender never sees it.

I see in the file lib/NSSDropbox.php that the deliverEmail() function
includes this:

    return mail(
              $toAddr,
              $subject,
              $content,
              $headers // JKF Commented out for now due to security concerns ,
              // JKF Commented out for now due to security concerns
              // '-f "'.$fromAddr.'"'
            );

I assume it's to avoid forged sender addresses and/or problems with SPF.

Would it be possible (whilst avoiding such security and email
authentication issues!) to instead:

   - If the person doing the upload is logged in to Zendto (and so it has
   got a confirmed sender email address) *and* that email address matches
   one of your internal domains *then* set the RFC5321.MailFrom to the
   confirmed sender address

   - Otherwise do as now and not set the sender address.

Actually even this latter isn't ideal, as the local user account Zendto is
running under is quite likely not to be a valid email address. Instead
maybe a setting in the preferences should be used to specify this?

(My apologies: I can just about read PHP but don't know it sufficiently to
try writing anything like this myself!)

Cheers,
Mike B-)

-- 
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
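
The policy proposed in this message, sketched as an added example (not ZendTo's code and not part of the original post): the envelope sender is taken only from a verified internal address or a configured bounce mailbox, and is strictly validated first, because an unvalidated value in the fifth argument of mail() can inject extra sendmail options. The function name, the internal-domain list and the bounce-address preference are assumptions.

```php
<?php
// Added example; every name here is hypothetical and none of it is ZendTo code.

/**
 * Return the 5th argument for mail(): "-f<address>", or '' to leave the
 * envelope sender (RFC5321.MailFrom) to the MTA default.
 */
function envelopeSenderArg(bool $loggedIn, string $senderAddr,
                           array $internalDomains, string $bounceAddr): string
{
    // Conservative allowlist: no spaces, quotes or shell metacharacters, and
    // the first character is alphanumeric so the value cannot look like an option.
    $safe = '/\A[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\z/';
    $isSafe = function (string $a) use ($safe): bool {
        return preg_match($safe, $a) === 1
            && filter_var($a, FILTER_VALIDATE_EMAIL) !== false;
    };

    // Only a logged-in (confirmed) sender in an internal domain is used as-is.
    if ($loggedIn && $isSafe($senderAddr)) {
        $domain = strtolower(substr($senderAddr, strrpos($senderAddr, '@') + 1));
        if (in_array($domain, array_map('strtolower', $internalDomains), true)) {
            return '-f' . $senderAddr;   // bounces reach the confirmed sender
        }
    }
    // Otherwise use the site-configured bounce mailbox, if it is valid.
    return $isSafe($bounceAddr) ? '-f' . $bounceAddr : '';
}

// Constructed sample values.
$internal = ['example.ac.uk'];
$bounce   = 'zendto-bounces@example.ac.uk';
$cases = [
    [true,  'alice@example.ac.uk'],        // internal and logged in
    [true,  'bob@elsewhere.example'],      // external domain: bounce mailbox
    [false, 'alice@example.ac.uk'],        // not logged in: bounce mailbox
    [true,  'x@example.ac.uk extra'],      // contains a space: rejected
];
foreach ($cases as [$loggedIn, $addr]) {
    echo var_export($addr, true), ' => ',
         var_export(envelopeSenderArg($loggedIn, $addr, $internal, $bounce), true), "\n";
}
```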