New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using smtp_host as EHLO argument is not a good idea. #3997

Open
realdigger opened this Issue Apr 3, 2017 · 6 comments

Comments

Projects
None yet
5 participants
@realdigger

realdigger commented Apr 3, 2017

Subs-Post.php have this code

	if (empty($helo))
		$helo = $modSettings['smtp_host'];

But $modSettings['smtp_host'] can be set to something like ssl://smtp.gmail.com which is not hosname or IP as EHLO command should send. I think better use $helo = 'localhost'; here.

@tinoest

This comment has been minimized.

Show comment
Hide comment
@tinoest

tinoest May 6, 2017

Contributor

The parameter after HELO should identify the system sending the email. So a externally addressable domain should be used.

SMF should not use localhost because a lot of spam software does that, and the sending email will likely be marked as spam.

From RFC 2821:

4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)

These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available.

Superceded in https://tools.ietf.org/html/rfc5321#section-4.1.1.1 and https://tools.ietf.org/html/rfc5321#section-3.2 but they all say the same thing.

In an ideal world you would quit if the $helo was empty as the other checks before this point should not fail, but I left that check in to ensure backwards compabitibilty with the older SMF 2.0.x codebase.

Contributor

tinoest commented May 6, 2017

The parameter after HELO should identify the system sending the email. So a externally addressable domain should be used.

SMF should not use localhost because a lot of spam software does that, and the sending email will likely be marked as spam.

From RFC 2821:

4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)

These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available.

Superceded in https://tools.ietf.org/html/rfc5321#section-4.1.1.1 and https://tools.ietf.org/html/rfc5321#section-3.2 but they all say the same thing.

In an ideal world you would quit if the $helo was empty as the other checks before this point should not fail, but I left that check in to ensure backwards compabitibilty with the older SMF 2.0.x codebase.

@realdigger

This comment has been minimized.

Show comment
Hide comment
@realdigger

realdigger May 6, 2017

Send "localhost" is better then "ssl://gmail.com" which is totally wrong value for this.
SMF 2.0 always use wrong value for HELO but nobody cares for many years.

realdigger commented May 6, 2017

Send "localhost" is better then "ssl://gmail.com" which is totally wrong value for this.
SMF 2.0 always use wrong value for HELO but nobody cares for many years.

@Oldiesmann

This comment has been minimized.

Show comment
Hide comment
@Oldiesmann

Oldiesmann May 23, 2017

Member

So do you recommend we just use the hostname/domain name instead?

Member

Oldiesmann commented May 23, 2017

So do you recommend we just use the hostname/domain name instead?

@realdigger

This comment has been minimized.

Show comment
Hide comment
@realdigger

realdigger May 24, 2017

There is a RFC just follow it.

realdigger commented May 24, 2017

There is a RFC just follow it.

@tinoest

This comment has been minimized.

Show comment
Hide comment
@tinoest

tinoest Aug 24, 2017

Contributor

It should pick up the host name or domain name and never actually get to the if empty check.

Either return a failure, leave as is, or change it to localhost.

Any of those are suitable and this can be closed.

Contributor

tinoest commented Aug 24, 2017

It should pick up the host name or domain name and never actually get to the if empty check.

Either return a failure, leave as is, or change it to localhost.

Any of those are suitable and this can be closed.

@jdarwood007

This comment has been minimized.

Show comment
Hide comment
@jdarwood007

jdarwood007 Sep 8, 2018

Member

Reviewing this code

	// Try and determine the servers name, fall back to the mail servers if not found
	$helo = false;
	if (function_exists('gethostname') && gethostname() !== false)
		$helo = gethostname();
	elseif (function_exists('php_uname'))
		$helo = php_uname('n');
	elseif (array_key_exists('SERVER_NAME', $_SERVER) && !empty($_SERVER['SERVER_NAME']))
		$helo = $_SERVER['SERVER_NAME'];

	if (empty($helo))
		$helo = $modSettings['smtp_host'];

We try with 3 different methods to obtain the server name. If all else fails we fall back to smtp_host specified.

Honestly I don't know how much more we can try to get the server name. About the only other thing we could do is determine if we are being a proxy and if so look for a HTTP_X_FORWARDED_HOST header. After that we have no other way to determine the current hostname.

While there is a RFC, our software is doing its best to determine who it is and at least attempting to prevent sending as localhost. However with SPF records nowadays, I suspect using the smtp_host will fail with major email providers nowadays.

The only other option is to allow user provided input, but that won't solve anything if they are failing SPF checks still because the hostname and IP they are sending as don't match valid SPF records.

Member

jdarwood007 commented Sep 8, 2018

Reviewing this code

	// Try and determine the servers name, fall back to the mail servers if not found
	$helo = false;
	if (function_exists('gethostname') && gethostname() !== false)
		$helo = gethostname();
	elseif (function_exists('php_uname'))
		$helo = php_uname('n');
	elseif (array_key_exists('SERVER_NAME', $_SERVER) && !empty($_SERVER['SERVER_NAME']))
		$helo = $_SERVER['SERVER_NAME'];

	if (empty($helo))
		$helo = $modSettings['smtp_host'];

We try with 3 different methods to obtain the server name. If all else fails we fall back to smtp_host specified.

Honestly I don't know how much more we can try to get the server name. About the only other thing we could do is determine if we are being a proxy and if so look for a HTTP_X_FORWARDED_HOST header. After that we have no other way to determine the current hostname.

While there is a RFC, our software is doing its best to determine who it is and at least attempting to prevent sending as localhost. However with SPF records nowadays, I suspect using the smtp_host will fail with major email providers nowadays.

The only other option is to allow user provided input, but that won't solve anything if they are failing SPF checks still because the hostname and IP they are sending as don't match valid SPF records.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment