Correctly set smtp headers on sending emails #134

Open
opened 8 months ago by albert · 7 comments
albert commented 8 months ago
Owner

After looking through the mailserver logs after the message on the mailing list related to #133, it seems like the EHLO header is set incorrectly when sending mails: the internal IP is used, which is a violation of the RFC.

For EHLO in unauthenticated server communication one should use the hostname in the EHLO (that should ideally resolve to the IP you are connecting from, though this part should be handled by setting our IP ranges to trusted).

albert added the bug label 8 months ago
Owner

Same issue as fsfe-system-hackers/forms#33 where we just solved it with whitelisting the IP. For various reasons, this is not a good idea.

max.mehl added the mail and back labels 8 months ago
Owner

Can we define the HELO via SMTP.helo()? We could provide a hostname via environment variables.

https://docs.python.org/3/library/smtplib.html#smtplib.SMTP.helo

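As an added example (not code from this thread or from the project), this is how the EHLO name is controlled in `smtplib`: the `local_hostname` argument of `smtplib.SMTP(...)` is what the client announces in EHLO/HELO, and when it is omitted `smtplib` falls back to `socket.getfqdn()` and, failing a dotted name, to an address literal such as `[10.0.0.5]`, which is the internal-IP EHLO this issue describes. The environment variable name `SMTP_HELO_HOSTNAME` is an assumption for illustration; the check refuses address literals and undotted names instead of letting the fallback happen silently.

```python
import os
import re
import socket
import smtplib

# smtplib's own fallback, when socket.getfqdn() has no dot, is an address
# literal like "[10.0.0.5]"; any bracketed value is treated as one here.
_ADDR_LITERAL = re.compile(r"^\[[^\]]*\]$")


def is_valid_ehlo_name(name):
    """True for a name usable in EHLO: non-empty, not an address literal,
    containing at least one dot and no whitespace."""
    if not name or _ADDR_LITERAL.match(name):
        return False
    return "." in name and not any(c.isspace() for c in name)


def ehlo_hostname(env=None):
    """Pick the name to announce in EHLO.

    SMTP_HELO_HOSTNAME (assumed variable name) wins when set; otherwise the
    machine's FQDN is used if it looks like one. Returns None instead of a
    bad value so the caller never reaches smtplib's "[ip]" fallback.
    """
    env = os.environ if env is None else env
    name = env.get("SMTP_HELO_HOSTNAME", "").strip()
    if not name:
        name = socket.getfqdn()
    return name if is_valid_ehlo_name(name) else None


def smtp_client(host, port=25, env=None, timeout=30):
    """Build an SMTP client that announces the chosen hostname.

    local_hostname must be given at construction time: that is the name
    used by the EHLO sent right after connect(), not only by later
    explicit helo()/ehlo() calls.
    """
    name = ehlo_hostname(env)
    if name is None:
        raise RuntimeError("no usable EHLO hostname; set SMTP_HELO_HOSTNAME")
    return smtplib.SMTP(host, port, local_hostname=name, timeout=timeout)


def announced_name(env=None):
    """Return the name smtplib would send, without opening a connection
    (smtplib.SMTP() with no host argument does not connect)."""
    name = ehlo_hostname(env)
    if name is None:
        return None
    return smtplib.SMTP(local_hostname=name).local_hostname


if __name__ == "__main__":
    # Constructed environment standing in for the container's env file.
    sample_env = {"SMTP_HELO_HOSTNAME": "app.example.org"}
    print("EHLO name:", announced_name(sample_env))
    print("address literal accepted?", is_valid_ehlo_name("[10.0.0.5]"))
```

An explicitly configured but invalid value (for example an address literal) is rejected rather than replaced by the FQDN, so a misconfiguration surfaces as an error instead of a quietly wrong EHLO.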
Owner

This is now changed for all emails which are sent out through `Person.sendmail()`. However, there are some other emails being sent out for which this is not (yet) changed:

  • E-Mail containing supporter welcome letters being sent to OTRS (`fsfe-welcome-supporters`) - easy.
  • Notifications about unhandled incoming bank payments being sent to OTRS (`fsfe-bankpayments`) - easy.
  • Automatic reports being sent (`fsfe-report-reasons`, `fsfe-report-weekly`, `fsfe-report-monthly`) - **hard**, because these are shell scripts sending the email via /usr/lib/sendmail (taken from ssmtp).
  • All E-Mails sent from fsfe-cd-auth and fsfe-cd-front - **hard**, because they use the flask-email library, which doesn't allow the HELO hostname to be explicitly set.
  • All logging messages sent to OTRS - **hard**, because Python's `logging.handlers.SMTPHandler` doesn't allow the HELO hostname to be explicitly set.

Fixing the last 3 items on the application side would require reimplementing the wheel on several levels, and I think it makes much sense to check whether there is a different solution to the actual problem.

Owner
- [ ] E-Mail containing supporter welcome letters being sent to OTRS (fsfe-welcome-supporters)
- [ ] Notifications about unhandled incoming bank payments being sent to OTRS (fsfe-bankpayments)
- [ ] Automatic reports being sent (fsfe-report-reasons, fsfe-report-weekly, fsfe-report-monthly)

> hard, because these are shell scripts sending the email via /usr/lib/sendmail (taken from ssmtp).

Maybe it's possible... https://serverfault.com/questions/205271/how-to-specify-outgoing-helo-with-sendmail

I will try to tackle the two easy ones and the `sendmail` one in Q2 2022.
linus added this to the Q2 2022 milestone 3 months ago
Owner

Please note that we currently don't use sendmail, but rather ssmtp. I'm not sure whether switching to a full-blown sendmail install in the container would be a good idea.

Owner

Ah, I see... `ssmtp` seems to be unmaintained at this point: https://wiki.debian.org/sSMTP. I'll have a look into it, but if it turns out too difficult, we might have to discuss again.

Owner

msmtp should also be able to handle HELO, as far as I can see here: https://marlam.de/msmtp/msmtp.html#index-domain
