After looking through the mailserver logs after the message on the mailing list related to #133, it seems like the EHLO header is set incorrectly when sending mails: the internal IP is used, which is a violation of the RFC.
For EHLO in unauthenticated server communication, one should use the hostname in the EHLO (that should ideally resolve to the IP you are connecting from, though this part should be handled by setting our IP ranges to trusted).
Can we define the HELO via SMTP.helo()? We could provide a hostname via environment variables.
https://docs.python.org/3/library/smtplib.html#smtplib.SMTP.helo
This is now changed for all emails which are sent out through `Person.sendmail()`. However, there are some other emails being sent out for which this is not (yet) changed:
* E-Mail containing supporter welcome letters being sent to OTRS (`fsfe-welcome-supporters`) - easy.
* Notifications about unhandled incoming bank payments being sent to OTRS (`fsfe-bankpayments`) - easy.
* Automatic reports being sent (`fsfe-report-reasons`, `fsfe-report-weekly`, `fsfe-report-monthly`) - **hard**, because these are shell scripts sending the email via /usr/lib/sendmail (taken from ssmtp).
* All E-Mails sent from fsfe-cd-auth and fsfe-cd-front - **hard**, because they use the flask-email library, which doesn't allow the HELO hostname to be explicitly set.
* All logging messages sent to OTRS - **hard**, because Python's `logging.handlers.SMTPHandler` doesn't allow the HELO hostname to be explicitly set.
Fixing the last 3 items on the application side would require reimplementing the wheel on several levels, and I think it makes much sense to check whether there is a different solution to the actual problem.
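Added example, not part of the thread or of the project's code: `smtplib.SMTP` takes a `local_hostname` argument that it sends as the HELO/EHLO name, so the name can be read from an environment variable and passed through a small `SMTPHandler` subclass. The variable name `SMTP_HELO_NAME` and the names `helo_name`, `open_smtp` and `HeloSMTPHandler` are assumptions made for this sketch.

```python
import ipaddress
import logging.handlers
import os
import re
import smtplib
from email.message import EmailMessage
from email.utils import localtime

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_name(env_var="SMTP_HELO_NAME"):  # variable name is an assumption
    """Return the HELO/EHLO name from the environment, refusing bare IPs."""
    name = os.environ.get(env_var, "").strip().rstrip(".")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP address, continue with the hostname checks
    else:
        raise ValueError(f"{env_var} must be a hostname, not an IP: {name!r}")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{env_var} is not a fully qualified hostname: {name!r}")
    return name


def open_smtp(host, port=25, timeout=10):
    """Connect with an explicit HELO name (smtplib sends local_hostname)."""
    return smtplib.SMTP(host, port, local_hostname=helo_name(), timeout=timeout)


class HeloSMTPHandler(logging.handlers.SMTPHandler):
    """SMTPHandler variant whose emit() connects through open_smtp()."""

    def emit(self, record):
        # No STARTTLS or login here: this covers the unauthenticated relay case.
        try:
            msg = EmailMessage()
            msg["From"] = self.fromaddr
            msg["To"] = ",".join(self.toaddrs)
            msg["Subject"] = self.getSubject(record)
            msg["Date"] = localtime()
            msg.set_content(self.format(record))
            with open_smtp(self.mailhost, self.mailport or smtplib.SMTP_PORT,
                           self.timeout) as smtp:
                smtp.send_message(msg)
        except Exception:
            self.handleError(record)
```

A misconfigured or missing variable raises `ValueError`, so a container started without the hostname fails visibly rather than falling back to whatever name or address `smtplib` derives on its own.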
I will try to tackle the two easy ones and the sendmail one in Q2 2022.
- [ ] E-Mail containing supporter welcome letters being sent to OTRS (fsfe-welcome-supporters)
- [ ] Notifications about unhandled incoming bank payments being sent to OTRS (fsfe-bankpayments)
- [ ] Automatic reports being sent (fsfe-report-reasons, fsfe-report-weekly, fsfe-report-monthly) -
> hard, because these are shell scripts sending the email via /usr/lib/sendmail (taken from ssmtp).
Maybe it's possible... https://serverfault.com/questions/205271/how-to-specify-outgoing-helo-with-sendmail
linus
added this to the Q2 2022 milestone 3 months ago
Please note that we currently don't use sendmail, but rather ssmtp. I'm not sure whether switching to a full-blown sendmail install in the container would be a good idea.
Ah, I see... `ssmtp` seems to be unmaintained at this point: https://wiki.debian.org/sSMTP. I'll have a look into it but if it turns out too difficult, we might have to discuss again.
Same issue as fsfe-system-hackers/forms#33 where we just solved it with whitelisting the IP. For various reasons, this is not a good idea.
msmtp should also be able to handle HELO, as far as I can see here: https://marlam.de/msmtp/msmtp.html#index-domain