Defect #19599

Redmine does not honor RFC822 4.4.3 reply-to field in incoming emails

Added by Mark Solly over 7 years ago. Updated over 7 years ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done:


Category:Email receiving
Target version:-
Resolution:
Affected version:


Many modern (or just well-configured) SMTP servers will block a user from impersonating another email address by re-writing the 'from' header into the 'reply-to' header and setting 'from' as the actual sending account name. This caused a problem for me when creating tickets from the email issued by a website contact form. The notifications would go to the wrong address and the user account would not be created.

I'm not clear on whether the responsibility for this should lie with Redmine or Mail::Message, but I've patched my Redmine installation with the following code at the start of the receive(email) method in app/models/mail_handler.rb.

If I knew more about Redmine I'd try to make a plugin that solved the issue, perhaps someone else can.

I've verified this problem exists in trunk and 2.6.3.stable.

This is my fix:

  # Processes incoming emails
  # Returns the created object (eg. an issue, a message) or false
  def receive(email)
    @email = email
    sender_email = email.from.to_a.first.to_s.strip

    # RFC822 Sections 4.4.3 and 4.4.4 say that if the reply-to field exists, mail should not be sent to the address in the 'from' field.
    # Correct handling of 'reply-to' is required for SMTP servers that do not allow senders to fake the 'from' field.
    # Website contact forms transmitted through a gmail SMTP server are a good example.
    if email['reply-to'].present?
      replyto_email = email['reply-to'].to_s.strip
      # Log the substitution. The logging call itself is missing from the posted line;
      # "logger.info ... if logger" is the form MailHandler uses elsewhere.
      logger.info "Email contains a reply-to field. Will attempt to use '" + replyto_email + "' instead of '" + sender_email + "'" if logger
      sender_email = replyto_email
    end
    # ... the rest of the original receive method continues here

#1 Updated by Toshi MARUYAMA over 7 years ago

  • Description updated (diff)
