[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names

WordPress Trac noreply at wordpress.org
Fri May 5 22:07:24 UTC 2017


#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-----------------------------
 Reporter:  layotte                              |       Owner:  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  reviewing
 Priority:  normal                               |   Milestone:  Future Release
Component:  Mail                                 |     Version:  3.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback needs-testing |     Focuses:
-------------------------------------------------+-----------------------------

Comment (by DavidAnderson):

 @cloudstek @Ipstenu If the intention of the "wordpress@" address is that
 replies are meant to be as hard/invisible as possible, then there might be
 a case for a no-reply@blackhole.wordpress.org address that is a log-less
 black-hole (and people who don't trust wordpress.org (which makes no
 sense, unless they also turn off all manner of other things) can use a
 plugin or filter to set their own). The number of people with catch-alls
 must be a decent number. So, if this is the case, I'd say that the logical
 conclusion is a universally-the-same address like this.

 @cloudstek Sender verification uses the SMTP envelope From, rather than
 the header From:. i.e. WordPress has been relying on these two being
 different (whether intentionally or not) to get these emails through
 sender validity checks. Which is to say, though, that it's basically just
 ornamental, and we could use "bob-the-giant@throgmorton-cheese.nothing"
 (that's why, despite using an address that often doesn't exist, they still
 get through - though, this is just the norm - I have no stats on how many
 mail servers will also verify the header From: as well as the SMTP
 envelope From). That point is also relevant to @Ipstenu's comment about
 email delivery restrictions on some servers - these are normally looking
 at the SMTP envelope. i.e. To the extent that the admin address can't be
 used because of server restrictions, to the same extent a wordpress@
 address can't be used because of sender verification.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:73>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
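
The comment above distinguishes the SMTP envelope From from the header From:. As an added example (not part of the original comment or of WordPress code), the following reads both identities from a delivered message so the two can be compared during mail troubleshooting. It assumes the receiving server recorded the envelope sender in Return-Path; the function name and all addresses are constructed for illustration.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: a message as stored by a receiving server.
# Return-Path is where the final MTA records the envelope sender (MAIL FROM);
# From: is the header the mail client displays.
SAMPLE = (
    b"Return-Path: <www-data@web01.hosting.example>\r\n"
    b"From: WordPress <wordpress@blog.example>\r\n"
    b"To: admin@blog.example\r\n"
    b"Subject: [Blog] Password Reset\r\n"
    b"\r\n"
    b"Constructed body.\r\n"
)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_identities(raw):
    """Return the envelope sender and header From of a delivered message.

    Hypothetical helper. A null Return-Path ("<>", used for bounces) or a
    missing header yields an empty address and domains_match == False.
    """
    msg = message_from_bytes(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header = parseaddr(msg.get("From", ""))[1]
    return {
        "envelope_from": envelope,
        "header_from": header,
        "envelope_domain": _domain(envelope),
        "header_domain": _domain(header),
        "domains_match": bool(envelope) and _domain(envelope) == _domain(header),
    }


if __name__ == "__main__":
    for key, value in sender_identities(SAMPLE).items():
        print(f"{key}: {value}")
```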