Closed localguru closed 4 years ago
This is related to https://github.com/RocketChat/Rocket.Chat/issues/9596
Some code ideas:
```js
const sender = RocketChat.models.Users.findOne({ _id: message.u._id });
// console.log(sender.emails[0].address);
// using user full-name/channel name in from address
if (room.t === 'd') {
	email.from = `${ String(message.u.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ sender.emails[0].address }>`;
} else {
	email.from = `${ String(message.u.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ sender.emails[0].address }>`;
}
```
Thanks to @Sing-Li :+1:
There is also the danger that e-mail clients such as Thunderbird, Outlook etc. will automatically collect this incorrect e-mail address consisting of the user's right name and "incorrect" in their address book.
Siri on macOS is actually doing this. Even if you don't reply to notification mails, the mail client will start suggesting rocket@rompany.tld (or whatever address is set) as people's mailto address when composing new e-mails.
Similar to RocketChat/Rocket.Chat#14789, RocketChat/Rocket.Chat#13555 and RocketChat/feature-requests#666, we are in a situation where messages are "poisoning" corporate address books, as messages received while away are being suggested for "User, Name" rocket@chat.tld.
We have read through the issues with concerns about leaking (#12176) but would seek a way to replace the default rocket chat catch-all address with the user's known email address, to prevent poisoning of address books.
For me, Option a) fits best.
Option c) sounds good as well, but there are SMTP servers that do not allow sending "From" unknown users/addresses, so this won't work in many cases. Also, option c) has a privacy issue as well: if you write a Rocket.Chat message, you write a message and not implicitly an e-mail. Thus you may not have authorized this e-mail. Few companies start to continuously gpg/smime sign their e-mails. Rocketchat does not... so these mails might end up in spam recognition. That's why I still prefer a).
Is your feature request related to a problem? Please describe.
If direct email feature isn't enabled, all replies to notification e-mails are sent to the global set e-mail From_Email address: packages/rocketchat-lib/server/functions/notifications/email.js
Because the real name of the user is placed before the global e-mail address, many of my users reply to these e-mails and think the reply goes back to the sender.
As a result, this is confusing and, in my opinion, also a privacy issue because private e-mails are sent to the global e-mail address.
There is also the danger that e-mail clients such as Thunderbird, Outlook etc. will automatically collect this incorrect e-mail address consisting of the user's right name and "incorrect" in their address book.
Describe the solution you'd like
There are several solutions to this problem:
a) The sender e-mail address for notifications can be configured separately, e.g. noreply@yourdomain.de and the real name of the user is not placed in front of the e-mail address, but e.g. No-Reply. As a result: No-Reply <noreply@yourdomain.de>. For most users it would be clear that the answer will not be sent to the sender. Should a user reply to noreply@ nevertheless, an autoresponder could send an answer with a corresponding hint.
b) A Reply-To header is set, which contains the e-mail address of the user. However, this does not solve the automatic collection of incorrect e-mail addresses in the recipient's address book.
c) The sender's real name and the e-mail address corresponds to the e-mail address of the user.
I think option c) would be the best solution to the problem.
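
Options a), b) and c) above differ only in which headers the notification carries. The following is an added example, not code from Rocket.Chat or from anyone in this thread: it builds the headers for each option and shows which name/address pair an address-collecting mail client would store. All function names, the `settings` fields and the sample sender are assumptions made for illustration; only noreply@yourdomain.de comes from the issue text.

```javascript
// Added example; helper names and sample values are constructed, not Rocket.Chat code.

// Render a display name as an RFC 5322 quoted-string: control characters
// (including CR/LF) are collapsed to a space, '"' and '\' are escaped, so
// '@', ',', '<' and '>' in a name cannot be read as part of an address.
// Non-ASCII names would additionally need RFC 2047 encoding (not shown).
function quoteDisplayName(name) {
  const clean = String(name).replace(/[\u0000-\u001f\u007f]+/g, ' ').trim();
  return `"${clean.replace(/(["\\])/g, '\\$1')}"`;
}

// option: 'a' | 'b' | 'c' as described in the issue text.
function buildNotificationHeaders(option, sender, settings) {
  const userAddress = sender.emails && sender.emails[0] && sender.emails[0].address;
  if (option !== 'a' && !userAddress) {
    throw new Error('sender has no e-mail address');
  }
  switch (option) {
    case 'a': // dedicated no-reply identity, user name not placed in front
      return { From: `${quoteDisplayName(settings.noReplyName)} <${settings.noReplyAddress}>` };
    case 'b': // global address stays in From, replies are routed to the user
      return {
        From: `${quoteDisplayName(sender.name)} <${settings.fromEmail}>`,
        'Reply-To': userAddress,
      };
    case 'c': // name and address both belong to the user
      return { From: `${quoteDisplayName(sender.name)} <${userAddress}>` };
    default:
      throw new Error(`unknown option: ${option}`);
  }
}

// Model of an address-collecting mail client (an assumption of this example):
// it stores the name/address pair from From and does not look at Reply-To.
function collectedContact(headers) {
  const m = /^"((?:[^"\\]|\\.)*)" <([^<>]+)>$/.exec(headers.From);
  if (!m) throw new Error('unparseable From header');
  return { name: m[1].replace(/\\(.)/g, '$1'), address: m[2] };
}

const settings = { fromEmail: 'rocket@chat.example', noReplyName: 'No-Reply',
  noReplyAddress: 'noreply@yourdomain.de' };
const sender = { name: 'Doe, Jane', emails: [{ address: 'jane.doe@example.com' }] };
for (const option of ['a', 'b', 'c']) {
  const headers = buildNotificationHeaders(option, sender, settings);
  console.log(option, headers, collectedContact(headers));
}
```

Under option b) the collected contact still pairs the user's name with the global address, which is the address-book problem the issue describes; options a) and c) avoid that pairing in different ways.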