[ZendTo] Using the IMAP auth and e-mails don't show up from users' address

Travis Zimmerman TZimmerman at fsu.edu
Wed Dec 19 17:11:40 GMT 2018


Yup, that works. Initially I had a similar test before I switched to 
just checking for my.fsu.edu, I decided to use the explicit test due to 
one of my coworkers pointing out that unauthenticated users using an 
e-mail address from their own fsu.edu subdomain (like physics.fsu.edu) 
may have issues due to SPF records.

Our dropbox server definitely has SPF records for fsu.edu and 
my.fsu.edu, and it may have SPF records for a few of the vanity 
subdomains too as some are hosted on the Exchange servers with the main 
domain; but there are a number of self-maintained mail servers on campus 
that may cause issues.

I would say your code is a good fix or have a list of subdomains allowed 
to send e-mails from the ZendTo software. I don't know how much of a 
headache a list of subdomains would be to implement for you, just 
another possible option.

Again I appreciate all the hard work you continue to put into ZendTo, 
every change you've made from the old Dropbox code base has been a major 
improvement over the years.

-------------------------------------------------------------------
Travis Zimmerman    tzimmerman at fsu.edu     850-645-8030
Linux Enterprise Applications & Systems    its-linuxadmins at fsu.edu
Information Technology Services, Florida State University

On 12/19/18 6:29 AM, Jules Field wrote:
> Travis,
>
> I've finally had a chance to take a look at this.
>
> Please can you try a tweak to your code?
> It's in the same "if" condition (in NSSDropbox.php) that you pointed 
> out to me in one of your earlier emails below, where currently you've 
> changed the code to specifically allow my.fsu.edu.
>
>           if ($senderDomain !== '' &&
>               (strcasecmp($senderDomain, $fromDomain) == 0 ||
>                str_ends($fromDomain, $senderDomain))) {
>
> Then at the end of NSSUtils.php (just above the "?>" on the very last 
> line will do), add this:
> // Does a string end with a sub-string?
> function str_ends($haystack,  $needle) {
>   return 0 === substr_compare($haystack, $needle, -strlen($needle));
> }
>
> Does that work?
>
> Thanks!
> Jules.
>
> On 16/11/2018 17:29, Travis Zimmerman wrote:
>> Don't know about Errors-To. I just ran a test to double check that our
>> current version (4.28) used the Reply-To, which it doesn't so it's
>> possible that it may but I'm pretty sure I remember someone telling me
>> the Talisma system didn't use Reply-To.
>>
>> We're going to take ZendTo version 5.15-1 live next week, so we'll see
>> how things go. Sometimes files are dropped off to the Talisma system
>> from external e-mail addresses, so we'll see if those bounce back to the
>> default address or go to external address in the Reply-To.
>>
>> -------------------------------------------------------------------
>> Travis Zimmerman    tzimmerman at fsu.edu     850-645-8030
>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>> Information Technology Services, Florida State University
>>
>> On 11/16/18 11:58 AM, Jules Field wrote:
>>> Does that system pay attention to "Errors-To:"?
>>>
>>> On 16/11/2018 14:37, Travis Zimmerman wrote:
>>>> For what it's worth my team is pretty happy about the feature, as we get
>>>> a consistent number of auto-replies from a system that doesn't pay
>>>> attention to the Reply-To field.
>>>>
>>>> -------------------------------------------------------------------
>>>> Travis Zimmerman    tzimmerman at fsu.edu     850-645-8030
>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>> Information Technology Services, Florida State University
>>>>
>>>> On 11/16/18 4:24 AM, Jules Field wrote:
>>>>> Travis,
>>>>>
>>>>> Okay, thanks for that. I will take a look and see what I can do. I
>>>>> would rather stick with the internaldomains.conf information than add
>>>>> another list of domains, if it can be avoided. Few people have that
>>>>> set to TRUE anyway, and I suspect I shouldn't have implemented it in
>>>>> the first place, as there are other ways of avoiding the problem it
>>>>> aims to solve.
>>>>>
>>>>> Cheers,
>>>>> Jules.
>>>>>
>>>>> On 15/11/2018 18:16, Travis Zimmerman wrote:
>>>>>> It's set to TRUE.
>>>>>> [root at dropboxprd01 ~]# grep SMTPsetFromToSender
>>>>>> /var/www/html/zendto/config/preferences.php
>>>>>>       'SMTPsetFromToSender' => TRUE,
>>>>>>
>>>>>> To fix the problem for my users I just modified the line to below.
>>>>>> if ($senderDomain !== '' &&
>>>>>>                 ( strcasecmp($senderDomain, $fromDomain) == 0 ||
>>>>>> strcasecmp('my.fsu.edu', $fromDomain) == 0)) {
>>>>>>
>>>>>> If other people run into this problem, a possible general fix may be to
>>>>>> have an array of allowed secondary domains, that match the SPF records
>>>>>> for the SMTP server?
>>>>>>
>>>>>> Thanks for the help.
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> Travis Zimmerman    tzimmerman at fsu.edu     850-645-8030
>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>> Information Technology Services, Florida State University
>>>>>>
>>>>>> On 11/15/18 1:04 PM, Jules Field wrote:
>>>>>>> Travis,
>>>>>>>
>>>>>>> That code snippet will only be run if you have
>>>>>>>        'SMTPsetFromToSender' => TRUE,
>>>>>>> in preferences.php.
>>>>>>>
>>>>>>> The default is FALSE. What value are you using?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jules.
>>>>>>>
>>>>>>> On 01/11/2018 18:56, Travis Zimmerman wrote:
>>>>>>>> I don't know if I'm reading this correctly but I think maybe the problem
>>>>>>>> is having the two domains and this part of the code.
>>>>>>>>
>>>>>>>>                // If the sender domain and the from domain are the same
>>>>>>>>                // (and not blank, which signifies something went wrong!),
>>>>>>>>                // we can safely overwrite the From we set above, without
>>>>>>>>                // causing SPF/DKIM/DMARC problems.
>>>>>>>>                if ($senderDomain !== '' &&
>>>>>>>>                    strcasecmp($senderDomain, $fromDomain) == 0)
>>>>>>>>
>>>>>>>> Could a possible solution be to switch from a strcasecmp to substring
>>>>>>>> test or maybe a regex testing if the $senderDomain is part of the end of
>>>>>>>> the $fromDomain? Not sure if that would cause a SPF/DKIM/DMARC problem.
>>>>>>>>
>>>>>>>> endswith($fromDomain, $senderDomain);
>>>>>>>>
>>>>>>>> function endswith($from, $sender) {
>>>>>>>>          $fromlen = strlen($from);
>>>>>>>>          $senderlen = strlen($sender);
>>>>>>>>          if ($senderlen > $fromlen) return false;
>>>>>>>>          return substr_compare($from, $sender, $fromlen - $senderlen,
>>>>>>>>                                $senderlen) === 0;
>>>>>>>> }
>>>>>>>>
>>>>>>>> This is just a code snippet I googled up and haven't tested.
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------
>>>>>>>> Travis Zimmerman    tzimmerman at fsu.edu 850-645-8030
>>>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>>>> Information Technology Services, Florida State University
>>>>>>>>
>>>>>>>> On 11/1/18 12:33 PM, Travis Zimmerman via ZendTo wrote:
>>>>>>>>> Yup, that's what I have authIMAPDomain set to already.
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------
>>>>>>>>> Travis Zimmerman    tzimmerman at fsu.edu 850-645-8030
>>>>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>>>>> Information Technology Services, Florida State University
>>>>>>>>>
>>>>>>>>> On 11/1/18 12:29 PM, Jules Field wrote:
>>>>>>>>>> Travis,
>>>>>>>>>>
>>>>>>>>>> If the students enter their entire email address (username at my.fsu.edu)
>>>>>>>>>> into the ZendTo login "username" box, then set
>>>>>>>>>>          'authIMAPDomain' => '',
>>>>>>>>>> in preferences.php.
>>>>>>>>>>
>>>>>>>>>> If they just enter their username, then something more subtle is
>>>>>>>>>> happening which I will need to investigate further.
>>>>>>>>>>
>>>>>>>>>> Please let me know if that helps.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Jules.
>>>>>>>>>>
>>>>>>>>>> On 31/10/2018 20:56, Travis Zimmerman via ZendTo wrote:
>>>>>>>>>>> I realized I should mention that we are using e-mail addresses to login
>>>>>>>>>>> to our ZendTo service to differentiate between our two domains. Don't
>>>>>>>>>>> know if that would affect how e-mails are sent. Doesn't seem to be a
>>>>>>>>>>> problem for our faculty/staff (AD, username at fsu.edu), just the
>>>>>>>>>>> students (IMAP, username at my.fsu.edu).
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------
>>>>>>>>>>> Travis Zimmerman    tzimmerman at fsu.edu 850-645-8030
>>>>>>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>>>>>>> Information Technology Services, Florida State University
>>>>>>>>>>>
>>>>>>>>>>> On 10/31/18 12:09 PM, Travis Zimmerman via ZendTo wrote:
>>>>>>>>>>>> I tried to use my university's AD for the students (there is a previous
>>>>>>>>>>>> e-mail I sent to the ZendTo mailing list about a week ago), but due to
>>>>>>>>>>>> how our Microsoft Admins configured it they needed to use an alternate
>>>>>>>>>>>> attribute.
>>>>>>>>>>>>
>>>>>>>>>>>> Yes. When I login to LDAP or AD and drop off a file, the e-mail sent to
>>>>>>>>>>>> the recipient will show my e-mail address in the From field. If I login
>>>>>>>>>>>> using the IMAP auth the From field lists the server's default e-mail from
>>>>>>>>>>>> zendto.conf and the Reply-To field has the IMAP account's e-mail
>>>>>>>>>>>> address.
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------
>>>>>>>>>>>> Travis Zimmerman    tzimmerman at fsu.edu 850-645-8030
>>>>>>>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>>>>>>>> Information Technology Services, Florida State University
>>>>>>>>>>>>
>>>>>>>>>>>> On 10/31/18 11:33 AM, Jules Field via ZendTo wrote:
>>>>>>>>>>>>> Travis,
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you are authenticating users against Office365, then why not do
>>>>>>>>>>>>> that with AD?
>>>>>>>>>>>>> I don't quite see why you need to use the IMAP authenticator at all.
>>>>>>>>>>>>> If it's a separate AD forest for some reason, then that's okay, ZendTo
>>>>>>>>>>>>> will happily do 3 different AD forests with independent setups.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So "SMTPsetFromToSender'=>TRUE" works as expected if they login via
>>>>>>>>>>>>> LDAP or AD, but doesn't if they login via IMAP?
>>>>>>>>>>>>>
>>>>>>>>>>>>> What we do here for the "From" address is use an address whose email
>>>>>>>>>>>>> is just automatically trashed, ie. a "no-reply" address. Then
>>>>>>>>>>>>> automated stuff that is replying (incorrectly) to the "From:" or
>>>>>>>>>>>>> (validly/correctly) to the envelope sender will just be thrown away.
>>>>>>>>>>>>> Any human-generated replies will go to the right user.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for the info about the option you need to pass to O365. I guess
>>>>>>>>>>>>> that's going to need yet another preferences.php setting.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Jules.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 31/10/2018 14:49, Travis Zimmerman via ZendTo wrote:
>>>>>>>>>>>>>> I configured the IMAP authentication to allow my university's students
>>>>>>>>>>>>>> to login to our ZendTo server, but when they drop off files the From
>>>>>>>>>>>>>> field is showing the e-mail address configured in zendto.conf instead of
>>>>>>>>>>>>>> the student's address. The student's address ends up in the Reply-To
>>>>>>>>>>>>>> field, which normally wouldn't be a problem except sometimes automated
>>>>>>>>>>>>>> systems reply back to the drop off e-mails and they ignore the
>>>>>>>>>>>>>> Reply-To.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have SMTPsetFromToSender => TRUE, users that login via LDAP or AD
>>>>>>>>>>>>>> appear to work as expected.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> BTW I am using the IMAP authentication with Office365 and in order to
>>>>>>>>>>>>>> get it to login correctly I had to change the imap_open line.
>>>>>>>>>>>>>> $mbox = @imap_open('{'.$this->_imapServer.'}INBOX', $uname, $password,
>>>>>>>>>>>>>>                    OP_READONLY, 1, array('DISABLE_AUTHENTICATOR' => 'PLAIN'));
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So don't know if you want to add this to the documentation somewhere or
>>>>>>>>>>>>>> incorporate into the NSSIMAPAuthenticator code.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -------------------------------------------------------------------
>>>>>>>>>>>>>> Travis Zimmerman    tzimmerman at fsu.edu 850-645-8030
>>>>>>>>>>>>>> Linux Enterprise Applications & Systems its-linuxadmins at fsu.edu
>>>>>>>>>>>>>> Information Technology Services, Florida State University
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> ZendTo mailing list
>>>>>>>>>>>>>> ZendTo at zend.to
>>>>>>>>>>>>>> https://urldefense.proofpoint.com/v2/url?u=http-3A__jul.es_mailman_listinfo_zendto&d=DwICAg&c=HPMtquzZjKY31rtkyGRFnQ&r=TZ3x4Nnv5Pp03uwRWF9UlLOaC296m8a1MGVEkWJljsg&m=5u9mHQwWyo_tYTeW__SOzvefpnCjf4YQxPsJSnNZ3t0&s=2lT413dnsMw6bu9-9TLNGGhRMyhC3YK11szRGuK1xtw&e= 
>>>>>>>>>>>>> Jules
>>>>>>>>>>>>>
>>>>>>>>>> Jules
>>>>>>>>>>
>>>>>>> Jules
>>>>>>>
>>>>> Jules
>>>>>
>>> Jules
>>>
>
> Jules
>
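
The domain comparison discussed in this thread, as an added example that is not part of the original messages or of ZendTo's code: the plain suffix test accepts any From domain that merely ends in the sender domain's characters (notfsu.edu) and is case-sensitive, whereas a test anchored on a "." label boundary, or an exact-match list as suggested earlier in the thread, is not. Apart from str_ends(), the function names and all sample domains are assumptions made for the illustration.

```php
<?php
// Added example, not ZendTo code. str_ends() is the helper quoted in the
// thread; every other name and all sample domains are hypothetical.

// Plain suffix test from the thread: case-sensitive, no label boundary.
function str_ends($haystack, $needle) {
  return 0 === substr_compare($haystack, $needle, -strlen($needle));
}

// Normalise a domain for comparison: trim, drop a trailing dot, lowercase.
function norm_domain($d) {
  return strtolower(rtrim(trim((string)$d), '.'));
}

// True when $from equals $sender or is a subdomain of it. The suffix must
// begin at a "." so that only whole DNS labels can match.
function same_or_subdomain($from, $sender) {
  $from = norm_domain($from);
  $sender = norm_domain($sender);
  if ($from === '' || $sender === '') {
    return false; // blank signifies something went wrong upstream
  }
  if ($from === $sender) {
    return true;
  }
  $suffix = '.' . $sender;
  return strlen($from) > strlen($suffix)
      && substr($from, -strlen($suffix)) === $suffix;
}

// Stricter option raised in the thread: exact match against a list of
// domains the mail server is known to be authorised to send for.
function in_allowed_list($from, $sender, array $allowed) {
  $from = norm_domain($from);
  $list = array_map('norm_domain', array_merge([$sender], $allowed));
  return $from !== '' && in_array($from, $list, true);
}

// Constructed inputs: the server's own domain and one allowed secondary.
$sender  = 'fsu.edu';
$allowed = ['my.fsu.edu'];
$cases   = ['fsu.edu', 'my.fsu.edu', 'MY.FSU.EDU', 'physics.fsu.edu',
            'notfsu.edu', 'fsu.edu.example'];
foreach ($cases as $from) {
  printf("%-16s suffix=%d label=%d list=%d\n", $from,
         str_ends($from, $sender), same_or_subdomain($from, $sender),
         in_allowed_list($from, $sender, $allowed));
}
```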

