Geeklog-Core / geeklog

Geeklog - The Secure CMS.
https://www.geeklog.net

Geeklog is sending emails via the "Send mail to Username" form to users using users own email address #1086

Closed eSilverStrike closed 2 years ago

eSilverStrike commented 3 years ago

Reported by OMAL in the Geeklog forum:

https://www.geeklog.net/forum/viewtopic.php?showtopic=97395

The check box whose id is contactuserform-cc in profile.php activates sending email to the writer himself, and it is treated as spam mail if it is Gmail.

The warning message attached to the email received in gmail says as below:

Be careful with this message Gmail could not verify that it actually came from ****@gmail.com. Avoid clicking links, downloading attachments or replying with personal information.

Report spam Looks safe

So when using the "Send mail to Username" form (access it from the user profile), it allows the visitor to check "Send me a copy of this email". When you check this, Geeklog actually uses the "Your Email Address" to send the email. Doing this will trigger spam notifications like above. We should really be using the "No-Reply E-Mail" in the Geeklog config to send the email to the user if he wants a copy.

It also uses the "Your Email Address" to send the user the actual email as well, which makes it look like the visitor sent it but then creates potential spam problems. Using the Geeklog noreply address makes more sense, but we should maybe indicate that the user receiving the message cannot just reply to it, as it was sent by Geeklog.

Should double check that Geeklog doesn't do this elsewhere (i.e. using other domains as an alias to send emails).

mystralkk commented 3 years ago

Fixed with change set b77bac6, including the "email story" feature.

eSilverStrike commented 2 years ago

So looking at this more closely, I think we need to make COM_email handle the "from" variable for emails better.

In the configuration, site_mail and noreply_mail are defined as:

| Setting | Default | Description |
| --- | --- | --- |
| site_mail | admin@example.com | E-mail address for all admin mail |
| noreply_mail | noreply@example.com | This is the sender's address of emails sent by the system when users register etc. This should be either the same as $_CONF['site_mail'] or a bouncing address to prevent spammers from getting your email address by registering on the site. If this is NOT the same as above, there will be a message in sent messages that replying to those emails is not recommended. |

By default site_mail will be used if nothing is provided by the mail class.

There is also a lot of this type of code sprinkled around in the code:

    // Prefer the noreply address when it differs from the admin address...
    if ($_CONF['site_mail'] !== $_CONF['noreply_mail']) {
        $mailfrom = $_CONF['noreply_mail'];
        // ...and append the "replies to this address are not read" notice
        $mailtext .= LB . LB . $LANG04[159];
    } else {
        // otherwise fall back to the admin address, with no notice
        $mailfrom = $_CONF['site_mail'];
    }

This just adds a message about not replying to the noreply email address. If we NEED THIS (not sure if we do), it should probably be moved into the mail class (or at least the check for the noreply address existing, and not the extra text in the message).

Anyway, I think Geeklog COM_Mail should always send emails from the addresses the mail settings are set up for (these will have to work for both admin and noreply emails). That should be the noreply address, and if that does not exist, then the admin email. The admin email should only be used if the website possibly wants a reply back (like maybe for the Geeklog Admin Mail Users page). This address is also used to send the admin any important messages about the website.

Technically, from my limited understanding of how email works, using other email addresses from domains that are not part of the mail settings account is considered spoofing and in most cases now will fail to send (or at least to be received), since the domain has not been verified for use by that mail server. The proper DNS records like DMARC, SPF, and domain keys have not been set up to show it is valid.

How does this sound to you @mystralkk? Basically I think we need to ignore the $from field of COM_Mail.

Originally, when a user sent another user an email message via the profile page, we wanted the user who received the message to be able to hit reply and just continue the conversation. That is not really possible now with modern mail security procedures in place, so maybe an additional message here in the mail explaining that the user will need to send an email to the user's email address (we can just list it in the email) and not to reply directly to the actual email, since it is from the website.

Another area (are there more???) that will obviously have to be fixed up is the Geeklog Admin Mail Users page, since it allows the admin to specify any From Email address.

Thoughts? (I can work on this issue if you want)
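The sender selection proposed in the comment above, written out as an added example (this is not Geeklog's COM_Mail nor PHPMailer code). It assumes only the $_CONF keys site_mail and noreply_mail from the configuration table; the function name buildOutgoingMail, its parameters and the sample addresses are hypothetical. The visitor's "Your Email Address" is never used as the From header; it is carried as Reply-To (when syntactically valid) and listed in the body, so the mail always leaves under a domain whose SPF/DKIM/DMARC records the site controls, and the "Send me a copy" option is handled by adding the visitor as a recipient rather than as the sender:

```php
<?php
// Added example, not Geeklog's code. Config keys are Geeklog's; the rest is hypothetical.

/**
 * Build the headers, recipients and body to hand to the mailer.
 *
 * @param array  $conf        config with site_mail / noreply_mail
 * @param string $to          address of the user being contacted
 * @param string $body        message text written by the visitor
 * @param string $visitor     what the visitor typed into "Your Email Address"
 * @param bool   $copyToVisitor the "Send me a copy of this email" checkbox
 * @param bool   $wantReply   true only for mail where the site itself expects a reply
 * @param string $noReplyNote text appended when mail is sent from the noreply address
 */
function buildOutgoingMail(array $conf, string $to, string $body, string $visitor,
                           bool $copyToVisitor, bool $wantReply, string $noReplyNote): array
{
    $site    = trim($conf['site_mail'] ?? '');
    $noreply = trim($conf['noreply_mail'] ?? '');

    // From is always one of the site's own addresses: noreply when it exists and
    // no reply is wanted, otherwise the admin address. The caller-supplied
    // visitor address is deliberately ignored here.
    $from = ($noreply !== '' && !$wantReply) ? $noreply : $site;

    $headers    = ['From' => $from];
    $recipients = [$to];

    // The visitor's address only appears as Reply-To, and only when it is a
    // syntactically valid address; anything else is dropped, not forged.
    $visitorValid = filter_var($visitor, FILTER_VALIDATE_EMAIL) !== false;
    if ($visitorValid) {
        $headers['Reply-To'] = $visitor;
        // "Send me a copy": the visitor is an extra recipient, never the sender.
        if ($copyToVisitor) {
            $recipients[] = $visitor;
        }
    }

    // Same rule as the existing $LANG04[159] snippet: when sending from a
    // noreply address that differs from site_mail, tell the recipient not to
    // answer the mail itself and list the visitor's address in the text.
    if ($from === $noreply && $noreply !== $site) {
        $body .= "\n\n" . $noReplyNote;
        if ($visitorValid) {
            $body .= "\nTo contact the sender, write to: " . $visitor;
        }
    }

    return ['headers' => $headers, 'to' => $recipients, 'body' => $body];
}

// Constructed sample run (addresses are placeholders).
$conf = ['site_mail' => 'admin@example.com', 'noreply_mail' => 'noreply@example.com'];
$note = 'This message was sent by the website; please do not reply to it directly.';

$mail = buildOutgoingMail($conf, 'member@example.org', 'Hello from a visitor',
                          'visitor@gmail.com', true, false, $note);
assert($mail['headers']['From'] === 'noreply@example.com');
assert($mail['headers']['Reply-To'] === 'visitor@gmail.com');
assert($mail['to'] === ['member@example.org', 'visitor@gmail.com']);
assert(str_contains($mail['body'], 'write to: visitor@gmail.com'));

// site_mail equal to noreply_mail, invalid visitor address: no Reply-To, no copy, no note.
$same = buildOutgoingMail(['site_mail' => 'admin@example.com', 'noreply_mail' => 'admin@example.com'],
                          'member@example.org', 'Hi', 'not-an-address', true, false, $note);
assert($same['headers']['From'] === 'admin@example.com');
assert(!isset($same['headers']['Reply-To']));
assert($same['to'] === ['member@example.org']);
assert($same['body'] === 'Hi');
echo "ok\n";
```

Reply-To is the header that keeps the "hit reply to continue the conversation" behaviour without putting a foreign domain in From: DMARC alignment is checked against From, not Reply-To, so the Gmail warning from the forum report does not trigger, while a recipient who replies still reaches the visitor. The Admin Mail Users page would go through the same function, which is why the free-text From field there no longer needs to exist.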

mystralkk commented 2 years ago

I just tried replacing SwiftMailer with PHPMailer, and don't have a great knowledge of email systems like you do. So, if you will work on this issue, please go ahead.

eSilverStrike commented 2 years ago

Once you merge the code for PHPMailer (if you think it is ready; my tests show it is working), as discussed here in #1108, I will finish up this issue.