Defaults: email_from/email_return_path sender still best?

[peter-]

Defaulting to sender cannot work in deployments allowing logins from multiple domains:

filesender/includes/ConfigDefaults.php

Lines 177 to 178 in d4bda80

	'email_from' => 'sender',
	'email_return_path' => 'sender',

Unless, of course, any and all end user email adresses recieved by FileSender during login (to be set as sender values) are limited to DNS domain parts that explicitly allow the MTA running on or used by that FileSender machine to send emails from that domain by

• either supplying a DKIM key pair to use (for signing of any such and only the appropriate emails)
• or by allow-listing the IP address/es used by (the MTA providing outgoing mail services for) FileSender via SPF in their DNS records
• or both.

In other words, the current default only works if you make sure that the only email addresses FileSender recieves during login are from the same DNS domain FileSender runs in.
Or if you're prepared to do a potentitally significant amount of non-FileSender-related work to ensure such emails are actually deliverable these days.

[WebSpider]

Actually, for the installs I'm involved in, this is set to a static no-reply address these days, for reasons Peter lays out.

[monkeyiq]

Perhaps we should have a new configuration variable for the sites static no-reply address. This might even default to something like noreply@{domain from site_url} or just email_reply_to.

and change these email_from and email_return_path defaults to use that address instead?

[peter-]

No new configuration variable needed, people can just supply the email address as value of the aforementioned, existing variables. Like @WebSpider said they do.

My question was whether sender was still a sane default, implying that it was not, with the exceptions spelled out above.

In other words: Should defaults only work for very limited deployment situations (essentially internal to a single institution or contracted out with additional DKIM/SPF configuration to allow spoofing of the users' email addresses) or should they be suitable for federated deployments as well?
The answer to that question will tell you whether those defaults should be kept or changed.

[monkeyiq]

I am happy to update this to a static no reply address. I have raised a governance issue above to allow the FileSender board to make the decision on this matter.

I will update the docs for these items (perhaps linking one to the other and storing the new doc block in only one entry). As folks are likely to want to know more than the current docs offer. Perhaps also in the install guide it should be mentioned so that people are aware of the choice and can make the decision that is best in their environment.