[wp-trac] [WordPress Trac] #14888: PHPMailer class uses wrong/no sender for mail envelope

WordPress Trac wp-trac at lists.automattic.com
Mon Oct 1 18:17:44 UTC 2012 

#14888: PHPMailer class uses wrong/no sender for mail envelope
-----------------------------------------+-----------------------------
 Reporter:  gkusardi                     |       Owner:
     Type:  defect (bug)                 |      Status:  new
 Priority:  normal                       |   Milestone:  Future Release
Component:  Mail                         |     Version:  3.0
 Severity:  normal                       |  Resolution:
 Keywords:  reporter-feedback has-patch  |
-----------------------------------------+-----------------------------

Comment (by tigertech):

 Replying to [comment:15 Whissi]:

 > You are concerned (@tigertech) that the average WordPress user would set
 the "wrong" address, if there would be such an option?

 Yes, that's exactly what I'm concerned about.

 The correct envelope from address in this case is
 "vhost123[@]ded4321.fw2.dc7.hosting-company.invalid". It's up to the
 hosting company to make sure that whatever address is used there is an
 address that works. The idea that they have done so is a reasonable
 expectation, since if they hadn't, lots of PHP scripts on their servers
 would be unusable.

 If you let users enter some random thing there, they're going to enter
 "something at gmail.com", for example, and then it quite definitely won't
 work in some cases.


 >Really, we don't have to talk about SPF at this place. SPF is failed by
 design. Forwardings mails is a basic feature, which is broken by SPF. So
 you are really concerned about breaking SPF by WordPress?!

 Yes. SPF is used on the Internet to reject mail by lots of large ISPs,
 including GoDaddy.

 If you're going to argue that it's okay to ignore SPF in this non-
 forwarding case because SPF separately breaks forwarding... well, that's a
 non-starter as an argument, in my opinion.

 You're also ignoring DKIM. Some domain names now publish records telling
 recipients to discard all unsigned mail claiming to be from their domain
 name. That's not widespread, but letting people bung arbitrary from
 addresses into WordPress could also break that.

 More generally, you're focusing on a specific piece of technology, SPF (or
 DKIM, or SMTP callbacks, or whatever else this might break), but that's
 too narrow a focus. What people seem to be missing is that regardless of
 SPF, or DKIM, or anything else, it's just generally a bad idea to send
 mail claiming to be from (say) gmail.com if your mail server isn't
 gmail.com. There are all sorts of possible reasons that some recipients
 will think you're forging headers if you do that (including naive custom
 filters on the receiving end), and the mail won't be delivered. The
 average user isn't going to expect that problem.

 (As background, I run the mail servers for about 100,000 mailboxes, which
 isn't huge but gives me plenty of experience dealing with obscure e-mail
 problems. This kind of thing is a real issue.)

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14888#comment:17>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list