From 3c390c4810136a0fb8b54ba0456ad2a75d2450c1 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 17 Nov 2021 17:51:19 +0000 Subject: [PATCH] [FIX] tools.mail: ignore original email during encapsulation When the system broadcasts an email response to document followers, if the config parameters `mail.force.smtp.from` or `mail.dynamic.smtp.from` are defined, it will rewrite the `From` address to avoid spoofing the sender's domain. **NOTE**: As of 15.0, this is based on the `from_filter` setting on the corresponding ir.mail_server, rather than the abovementioned config parameters, but the rest of the discussion stands. For example, if the `mail.catchall.domain` is set to `example.com` and an email response comes from: "John D" it will rewrite it to: "John D (john@doe.com)" This will make sure the system never sends outgoing email for an external domain, as it has no authority for doing so, and that could break mail filtering/authentication rules (SPF, DMARC, etc.) During this "encapsulation rewrite step", both the original Sender name and their email are preserved, and put into the quoted "name" field of the rewritten address. It seems sensible to preserve as much information as possible about the original sender. Unfortunately, the inclusion of the Sender email in the final name makes it appear to some inbox providers as if the message is trying to deceptively impersonate another person (as many phishing schemes would). As of November 2021 GMail at least does this, and will hide the name in the UI when it happens. It will keep only the rewritten email, which is not very useful in the case of a notification (even though it's more technically correct, of course). This patch removes the original email from the rewritten notification, keeping only the name, considering that the email is not the most important part, and it's better to have one of the two than none. So after the patch, the rewritten address is now: "John D" When there is no name in the original address, we keep only the local part of the email, to avoid the same display issue. The recipient will have to identify the sender based on the context / past messages. closes odoo/odoo#81807 X-original-commit: 3c65ec5a8191a392980ceb0a8c584767eae405f1 Signed-off-by: Olivier Dony Part-of: odoo/odoo#87261 --- odoo/addons/base/tests/test_mail.py | 10 +++++----- odoo/tools/mail.py | 9 +++++---- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/odoo/addons/base/tests/test_mail.py b/odoo/addons/base/tests/test_mail.py index eb20b0b633918..71a92c23ddcb2 100644 --- a/odoo/addons/base/tests/test_mail.py +++ b/odoo/addons/base/tests/test_mail.py @@ -409,11 +409,11 @@ def test_email_from_rewrite(self): set_param('mail.catchall.domain', 'odoo.example.com') email_from, return_path = get_email_from('admin@test.example.com') - self.assertEqual(email_from, '"admin@test.example.com" ') + self.assertEqual(email_from, 'admin ') self.assertEqual(return_path, 'email_force@domain.com') email_from, return_path = get_email_from('"Admin" ') - self.assertEqual(email_from, '"Admin (admin@test.example.com)" ') + self.assertEqual(email_from, 'Admin ') self.assertEqual(return_path, 'email_force@domain.com') # We always force the email FROM (notification email contains a name part) @@ -422,7 +422,7 @@ def test_email_from_rewrite(self): set_param('mail.catchall.domain', 'odoo.example.com') email_from, return_path = get_email_from('"Admin" ') - self.assertEqual(email_from, '"Admin (admin@test.example.com)" ', + self.assertEqual(email_from, 'Admin ', msg='Should drop the name part of the forced email') self.assertEqual(return_path, 'email_force@domain.com') @@ -432,7 +432,7 @@ def test_email_from_rewrite(self): set_param('mail.catchall.domain', 'odoo.example.com') email_from, return_path = get_email_from('"Admin" ') - self.assertEqual(email_from, '"Admin (admin@test.example.com)" ', + self.assertEqual(email_from, 'Admin ', msg='Domain is not the same as the catchall domain, we should force the email FROM') self.assertEqual(return_path, 'notification@odoo.example.com') @@ -447,7 +447,7 @@ def test_email_from_rewrite(self): set_param('mail.catchall.domain', 'odoo.example.com') email_from, return_path = get_email_from('"Admin" ') - self.assertEqual(email_from, '"Admin (admin@test.example.com)" ', + self.assertEqual(email_from, 'Admin ', msg='Domain is not the same as the catchall domain, we should force the email FROM') self.assertEqual(return_path, 'notification@odoo.example.com') diff --git a/odoo/tools/mail.py b/odoo/tools/mail.py index 93d330c77bf1c..69be2b3f894bb 100644 --- a/odoo/tools/mail.py +++ b/odoo/tools/mail.py @@ -594,7 +594,7 @@ def encapsulate_email(old_email, new_email): e.g. * Old From: "Admin" * New From: notifications@odoo.com - * Output: "Admin (admin@gmail.com)" + * Output: "Admin" """ old_email_split = getaddresses([old_email]) if not old_email_split or not old_email_split[0]: @@ -604,10 +604,11 @@ def encapsulate_email(old_email, new_email): if not new_email_split or not new_email_split[0]: return - if old_email_split[0][0]: - name_part = '%s (%s)' % old_email_split[0] + old_name, old_email = old_email_split[0] + if old_name: + name_part = old_name else: - name_part = old_email_split[0][1] + name_part = old_email.split("@")[0] return formataddr(( name_part,