Defect #29028: Redmine generates notification emails that fail DMARC and will therefore often be rejected or quarantined - Redmine

Actions

Copy link

Defect #29028

closed

Redmine generates notification emails that fail DMARC and will therefore often be rejected or quarantined

Added by Jonathan Kamens almost 6 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Email notifications

Target version:

Start date:

Due date:

% Done:

Estimated time:

Resolution:

Invalid

Affected version:

Description

I am one of the email administrators for my employer, Quantopian Inc. In particular, I am one of the people responsible for ensuring that all the emails sent from our domain are compliant with DMARC so they won't be quarantined or rejected.

I recently filed an issue about Ruby at https://bugs.ruby-lang.org/. Immediately after doing so, I received several DMARC failure reports resulting from the notifications about my new issue that were emailed out. This is because Redmine put "From: jkamens@quantopian.com" in the header of the notification emails.

That's really not OK in the age of DMARC. That's going to cause notification emails to be quarantined (i.e., put in the user's spam folder) or rejected, whenever the issue author's email domain has as quarantine or reject email policy and the notification recipient's mail server enforces DMARC.

Most of the big email providers nowadays publish and enforce DMARC policies.

Actions

Copy link

Updated by Jonathan Kamens almost 6 years ago

Interesting. In response to filing this issue, I received a notification from redmine.org which did not put "From: jkamens@quantopian.com" in its header. Instead, it had "From: noreply@redmine.org".

I don't know whether this is because the notifications I got DMARC failure reports about earlier were for a different kind of notification, or because the problem here isn't Redmine but rather something specific to bugs.ruby-lang.org, or maybe because bugs.ruby-lang.org is running an older version of Redmine and this issue is already fixed in the current version?

In short, maybe this is something I need to take up with the ruby-lang.org folks?

Can you shed any light? Thanks.

Actions

Copy link

Updated by Bernhard Rohloff almost 6 years ago

I think we can test this by a quick reply on your problem. If everything goes well you should have received an email right after I've clicked on OK. So you can check whether it's compliant or not.

Actions

Copy link

Updated by Jonathan Kamens almost 6 years ago

The email notification I got about your comment correctly comes from noreply@redmine.org.

I guess that means that whatever the problem is, I need to take it up with the folks who maintain bugs.ruby-lang.org?

Actions

Copy link

Updated by Go MAEDA almost 6 years ago

Jonathan Kamens wrote:

I guess that means that whatever the problem is, I need to take it up with the folks who maintain bugs.ruby-lang.org?

I think so. They run the customized Redmine. The following line seems to set the author's e-mail address to the From field.

https://github.com/ruby/redmine_ruby_lang_mailing_list_customization/blob/master/lib/redmine_ruby_lang_mailing_list_customization/redmine_ext/mailer.rb#L4

  def issue_add_with_ruby_lang_mailing_list_customization(*args)
    m = issue_add_without_ruby_lang_mailing_list_customization(*args)
    m.header[:from] = args[0].author.mail # args[0] == issue
    m
  end